Windows Driver signing: Do I need EV or simple certification - windows

I am reading the Microsoft documentation on how to sign a driver for Windows 10 x64 and I am getting different information from the Microsoft website.
This document explains how to sign a driver by the developer without the need to send it to Microsoft.
This document explains how to submit the driver to Microsoft for signing.
and on other sites, the information is very different.
I need to sign my driver which I will send alongside my hardware to the user (so no need to be part of the windows update).
How can I sign it? Which procedures should I follow and which certificate should I buy?

Related

Microsoft deprecated cross-signing certificates, what's the new procedure to sign kernel drivers for Windows 11 & 10?

Microsoft deprecated cross-signing certificates, however, it's not clear from the docs what's the new procedure.
From the docs above MS is the sole provider but their support claims you can still get one from other vendors (e.g. Digicert, Globalsign, etc...)
Does anybody know what's the process for signing production kernel drivers for Windows 11 & 10?
Any help would be appreciated,
Thanks!
I haven't done it myself, but if you want to make a kernel module for Windows 10 or 11 I think you're supposed to use "attestation signing". The page you linked to has a link named "attestation signing" that goes here:
https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release
Basically you make a driver, sign it with an EV certificate from a certificate authority, and then you submit to be checked and signed by Microsoft using a website called the "Hardware Developer Center Dashboard portal". I have also seen Microsoft use some other names for the website: "Hardware Dev Center Dashboard" and "Partner Center".
You don't need to use the portal if you are making a simple INF-only driver, or you are using a kernel module that is part of Windows, or you are using a kernel module that was already signed properly by another party.
Here is the original announcement from 2015 introducing the portal:
https://techcommunity.microsoft.com/t5/windows-hardware-certification/driver-signing-changes-in-windows-10/ba-p/364859
There's more info in this long article I wrote: https://www.davidegrayson.com/signing/
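The developer-side half of the procedure described in this answer (build the catalog, sign with the EV certificate, pack a .cab, sign the .cab, upload), as an added PowerShell example that is not part of the original answer. It assumes the Windows Driver Kit tools (inf2cat.exe, signtool.exe, makecab.exe) are on PATH, that the EV certificate is visible in the CurrentUser\My store under the hypothetical thumbprint shown, and that the package directory, driver names and timestamp URL are placeholders to be replaced:

```powershell
# Added example, not the answerer's code. All paths, names and the thumbprint
# below are hypothetical placeholders.
$ErrorActionPreference = 'Stop'

$PackageDir   = 'C:\drv\package'                             # contains mydriver.inf + mydriver.sys
$Thumbprint   = '0123456789ABCDEF0123456789ABCDEF01234567'   # SHA-1 thumbprint of the EV cert
$TimestampUrl = 'http://timestamp.digicert.com'              # any RFC 3161 timestamp server
$CabPath      = 'C:\drv\mydriver.cab'                        # the file you upload to the portal

# 1. Build the catalog (.cat) hashing every file the INF references.
#    /os picks the target platforms; 10_X64 covers Windows 10/11 x64.
& inf2cat.exe /driver:$PackageDir /os:10_X64
if ($LASTEXITCODE -ne 0) { throw "inf2cat failed ($LASTEXITCODE)" }

# 2. Sign the catalog and the binary with the EV certificate.
#    /fd sha256 = file digest, /td sha256 = timestamp digest,
#    /tr = RFC 3161 timestamp so the signature stays valid after the cert expires.
#    Microsoft adds its own signature after attestation; this one identifies you.
$files = Get-ChildItem -Path $PackageDir -Include *.cat, *.sys -Recurse
foreach ($f in $files) {
    & signtool.exe sign /v /sha1 $Thumbprint /fd sha256 /tr $TimestampUrl /td sha256 $f.FullName
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed on $($f.Name)" }
}

# 3. Sanity check with the default Authenticode policy (/pa). Checking with the
#    kernel-mode policy (/kp) instead is expected to fail at this point: only
#    the Microsoft signature applied during attestation satisfies it.
foreach ($f in $files) {
    & signtool.exe verify /v /pa $f.FullName
    if ($LASTEXITCODE -ne 0) { throw "Authenticode verification failed on $($f.Name)" }
}

# 4. Pack the package into a .cab. makecab reads a Diamond Directive File (DDF);
#    the .Set lines are the standard ones, DestinationDir keeps the files in a
#    subfolder (the portal rejects files at the cab root), then one source path per file.
$ddf = @"
.OPTION EXPLICIT
.Set CabinetFileCountThreshold=0
.Set FolderFileCountThreshold=0
.Set FolderSizeThreshold=0
.Set MaxCabinetSize=0
.Set MaxDiskFileCount=0
.Set MaxDiskSize=0
.Set CompressionType=MSZIP
.Set Cabinet=on
.Set Compress=on
.Set CabinetNameTemplate=$(Split-Path $CabPath -Leaf)
.Set DiskDirectory1=$(Split-Path $CabPath -Parent)
.Set DestinationDir=$(Split-Path $PackageDir -Leaf)
"@
$ddf += "`r`n" + ((Get-ChildItem -Path $PackageDir -File | ForEach-Object { $_.FullName }) -join "`r`n")
$ddfPath = Join-Path $env:TEMP 'mydriver.ddf'
Set-Content -Path $ddfPath -Value $ddf -Encoding ASCII

& makecab.exe /f $ddfPath
if ($LASTEXITCODE -ne 0) { throw "makecab failed ($LASTEXITCODE)" }

# 5. The .cab itself must carry the EV signature; the portal uses it to tie the
#    submission to your verified organisation.
& signtool.exe sign /v /sha1 $Thumbprint /fd sha256 /tr $TimestampUrl /td sha256 $CabPath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed on $CabPath" }

Write-Host "Upload $CabPath to the Hardware Dev Center dashboard for attestation signing."
```

After Microsoft returns the signed package, run `signtool verify /v /kp` on the returned .sys and .cat: that is the check the kernel applies at load time, and it is the one that a self-signed or plain (non-EV, non-Microsoft) signature cannot pass.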

How can someone become a well-known software manufacturer in the Microsoft ecosystem?

When I install a program that I create, Windows warns me that the software manufacturer cannot be verified. I tried to look it up but couldn't find any relevant guidance. How can someone become a well-known software manufacturer in the Microsoft ecosystem?
Normally Windows warns users (UAC) when installing/executing a program which hasn't been digitally signed.
Code signing is used on Windows and Mac OS X to authenticate software on first run, ensuring that the software has not been maliciously tampered with by a third-party distributor or download site.
More about code signing.
You have to purchase a certificate first.
It will cost you about 500 USD per year.
You can purchase a certificate from leading companies like "Digicert", "COMODO" etc.
Check prices.
After purchasing a certificate, you have to sign your program with a 'sign tool' - You can find out how to sign your program in this question.
After these steps Windows will recognise your program as authentic. And that means, it won't warn users (as an unknown publisher) when running/installing your software.

Windows 7 SHA 256 code signing certificate doesn't save "trust this publisher"

We have been using an Authenticode code signing certificate from Globalsign for years to sign our Windows 7 drivers. Since now there is a move towards new "SHA-256" code signing certificates, we got such a new certificate which works fine under Windows 8.1 or 10, but not under Windows 7.
When I install the driver, Windows asks me if I trust the publisher and offers the checkbox "always trust this publisher", i.e., it offers to save this selection for future installations. However, under Windows 7 this no longer works, i.e., I get asked every time I install the driver.
I guess this is a bug in Windows 7. Has anyone else experienced this? Is there any solution?
Yes, I've experienced exactly the same issue, which is not very convenient when you're trying to install a driver package automatically from the command-line, for instance...
And yes, there is a solution which fixed this for me, you can find a hot-fix on the Microsoft support website here.
It is not directly available, but you just have to enter your e-mail address in the form and Microsoft will send it to you.

What certificate does a windows driver use for signing

How do I find out which certificate a windows driver uses for signature verification? I'm looking at usbhub.sys in particular (official windows driver).
Right click on the usbhub.sys file, select Properties, then Digital Signatures, then Details and finally View Certificate.
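The same inspection done from PowerShell, as an added example that is not part of the original answer. It reads the embedded Authenticode signature, walks the certificate chain to the root and lists the Enhanced Key Usage values of the signer; the path is the stock location of usbhub.sys and any signed .sys can be substituted. It assumes signtool.exe from the Windows SDK is on PATH for the catalog fallback:

```powershell
# Added example, not the answerer's code.
$Path = 'C:\Windows\System32\drivers\usbhub.sys'

$sig = Get-AuthenticodeSignature -FilePath $Path
"Status : {0}" -f $sig.Status
if ($sig.Status -eq 'NotSigned') {
    # No embedded signature. Some Windows drivers are signed only through a
    # catalog; signtool's /a switch searches the catalog database first and
    # /kp applies the kernel-mode driver signing policy.
    & signtool.exe verify /v /a /kp $Path
    return
}

$cert = $sig.SignerCertificate
"Subject   : {0}" -f $cert.Subject
"Issuer    : {0}" -f $cert.Issuer
"Thumbprint: {0}" -f $cert.Thumbprint
"Valid     : {0} -> {1}" -f $cert.NotBefore, $cert.NotAfter

# Build the chain the way the OS does; ChainElements run leaf -> root.
# RevocationMode NoCheck keeps this offline; use 'Online' for a real check.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$null = $chain.Build($cert)
$indent = 0
foreach ($el in $chain.ChainElements) {
    "{0}{1}" -f (' ' * $indent), $el.Certificate.Subject
    $indent += 2
}

# Enhanced Key Usage says what the leaf was issued for; Authenticode requires
# Code Signing (OID 1.3.6.1.5.5.7.3.3).
$cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object {
        $_.EnhancedKeyUsages | ForEach-Object { "EKU: {0} ({1})" -f $_.FriendlyName, $_.Value }
    }
```

The Properties dialog shows the same leaf certificate; the chain walk is what tells you whether the driver chains to a Microsoft root (what the kernel requires on Windows 10/11) or only to a third-party CA.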

Code Signing Windows Drivers

I am trying to code sign a driver in Windows (drivers for a video capture card). I have the inf, cat, sys files for this driver. I have followed various Windows articles and so far am able to:
1) Download a "DER" file from GoDaddy and then create a "mycompanyinc.cer"
2) Use signtool to sign the .cat, .sys drivers
3) Verified the .cat, .sys driver files are updated with digital certificates. They correctly state that it's issued to "my company" and issued by "go daddy CA". I exported the above certificate to a ".cer" and put it on a different computer.
I used MMC to make sure it shows up in the Trusted Root Certificate Authorities on the system where I need to install the drivers. While the driver file correctly shows the information "issued by", "issued to" etc., Windows is still complaining during driver install that the digital signature can't be verified.
Any help, direction in this matter will be greatly appreciated.
thanks!
Since 2016 Microsoft requires a longer process along with an EV Code Signing Certificate for signing drivers.
They explain it in this article.
