When I install a program what I create, windows warns me that the software manufacturer cannot be verified. I tried to look it up but couldn't find any relevant guidance. How can someone become a well-known software manufacturer in the Microsoft ecosystem?
Normally Windows warns users (UAC) when installing/executing a program which hasn't digitally signed.
Code signing is used on Windows and Mac OS X to authenticate software on first run, ensuring that the software has not been maliciously tampered with by a third-party distributor or download site.
More about code signing.
You have to purchase a certificate first.
It will cost you about 500 USD per year.
You can purchase certificate from leading companies like "Digicert", "COMODO" etc.
Check prices (#digicert)
After purchasing a certificate, you have to sign your program with a 'sign tool' - You can find out how to sign your program in this question.
After these steps Windows will recognise your program as authentic. And that means, it won't warn users (as an unknown publisher) when running/installing your software.
Related
I am reading Microsoft documentation on how to sign a driver for windows 10 X64 and I am getting different information from the Microsoft website.
This document explains how to sign a driver by the developer without the need to send it to Microsoft.
This document explains how to submit the driver to Microsoft for signing.
and on other sites, the information is very different.
I need to sign my driver which I will send alongside my hardware to the user (so no need to be part of the windows update).
How can I sign it? which procedures should I follow and which certificate should I buy?
Microsoft deprecated cross-signing certificates, however, it's not clear from the docs what's the new procedure.
From the docs above MS is the sole provider but their support claims you can still get one from other vendors (e.g. Digicert, Globalsign, etc...)
Does anybody know what's the process for signing production kernel drivers for Windows 11 & 10?
Any help would be appreciated,
Thanks!
I haven't done it myself, but if you want to make a kernel module for Windows 10 or 11 I think you're supposed to use "attestation signing". The page you linked to has a link named "attestation signing" that goes here:
https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release
Basically you make a driver, sign it with an EV certificate from a certificate authority, and then you submit to be checked and signed by Microsoft using a website called the "Hardware Developer Center Dashboard portal". I have also seen Microsoft use some other names for the website: "Hardware Dev Center Dashboard" and "Partner Center".
You don't need to use the portal if you are making a simple INF-only driver, or you are using a kernal module that is part of Windows, or you are using a kernel module that was already signed properly by another party.
Here is the original announcement from 2015 introducing the portal:
https://techcommunity.microsoft.com/t5/windows-hardware-certification/driver-signing-changes-in-windows-10/ba-p/364859
There's more info in this long article I wrote: https://www.davidegrayson.com/signing/
I am trying to code sign a driver in Windows (drivers for a video capture card). I have the inf, cat, sys files for this driver. I have followed various Windows articles and so far am able to:
1) Download a "DER" file from GoDaddy and then create a "mycompanyinc.cer"
2) Use signtool to sign the .cat, .sys drivers
3) verified the .cat, .sys driver files are updated with digital certifiates.They correctly stated that its issued to "my company" and issued by "go daddy CA". I exported the above certificate to a ".cer" and put on a different computer
I used MMC to make sure it shows up in the Trusted Root Certificate Authorities on the system where I need to install the drivers. While there driver file shows correctly the information "issued by" ,"issued to" etc. Windows is still complaining during drivers install that the digital signature can't be verified.
Any help, direction in this matter will be greatly appreciated.
thanks!
Since 2016 Microsoft require a longer process along with an EV Code Signing Certificate for signing drivers.
They explain it in this article.
I'm trying to minimize the cost of code-signing certificates necessary to develop a program for Mac OS X and Windows. As far as I can tell, I can't use a 3rd party certificate to sign my OS X program and have it get past GateKeeper, as indicated here.
Can I go the other way and use an Apple Developer certificate to sign the Windows version of my program?
Also related: Non-Apple Issued Code Signing Certificate: Can it Work with Mac OS 10.8 Gatekeeper?
Had the same idea some time ago. But I don't think it's possible, because the Apple Developer Certificate is verified (signed) by Apple and I don't think that the Apple Root Certificate is installed on average Windows machines.
Hi Joe LTNS I check the status of this question every time my Comodo CS certificate comes up for renewal, because hassle/money vs Apple's
Alas, Apple's CA still not in Windows golden list AFAIK. I checked Apple Software Update under Win10 and its cert issuer is Verisign.
OT Not a cert expert here, but if Apple concocted an intermediate cert that both the CA and Apple could vouch/revoke, not a few Windows devs would pony up for Apple's $100 Dev program for that su-weet 5 year non-MAS codesign cert (and probably dabble in App Store/ios development as a bonus)
Here is a detailed article about it: http://luminaryapps.com/blog/code-signing-and-packaging-windows-apps-on-a-mac/ and more generally about code-signing Windows apps on a Mac. I quote:
Now you need to get a Windows developer certificate. Unfortunately you can't use your Apple certificate (well, actually you can, but it doesn't help because Apple isn't a certificate authority that Windows recognizes). Here is a list of root certificate authorities recognized by Windows.
So this seems to confirm the other answers.
Our company develops our application for both Mac OS X and Windows. We have an existing purchased code signing certificate from a non-Apple authority we use to ID our Windows installers. We distribute both our DMGs & MSIs through our own company website.
The code signing guide for Mountain Lion's new Gatekeeper feature seems to imply that a non-Apple issued standard certificate would work, though I could be misinterpreting what "third-party" means in this case:
Note: Apple uses the industry-standard form and format of code signing
certificates. Therefore, if your company already has a third-party
signing identity that you use to sign code on other systems, you can
use it with the OS X codesign command...
Is it possible to use this non-Apple certificate, and if so, how could it be incorporated using the command line "codesign" command?
Cannot take credit for this, but the blunt answer is:
NO
I just spent a good three days converting certificates and searching the internets to find these:
http://successfulsoftware.net/2012/08/30/how-to-sign-your-mac-os-x-app-for-gatekeeper/
http://www.panic.com/blog/2012/02/about-gatekeeper/
http://arstechnica.com/apple/2012/02/developers-gatekeeper-a-concern-but-still-gives-power-users-control/
No.
The reason it will not work is: To pass through GateKeeper, you need a code signing certificate which is signed with your Apple Developer ID. This is not the same as a regular code signing certificate issued to your company. Only Apple issues Apple Developer IDs. (Or at least, at the time of this writing.)
This is very confusing because:
The company we bought the code signing certificate from specifically claimed it works with MacOS. But what they meant was we could sign Apple code technically speaking. But passing GateKeeper is different. (Unclear marketing to say the least.)
At this time, there are unclear Apple docs which talk about signing code with 3rd party certificates. Ex: https://developer.apple.com/library/mac/documentation/security/conceptual/CodeSigningGuide/Procedures/Procedures.html
However, while you can sign the code, it does not pass GateKeeper! Again, this may refer to either internal corporate application use, or it may just be out of date.
Gatekeeper only recognises Apple digital certificates. Windows only recognises Comodo, Verisign and a few other signing authorities. So you need to buy a Comodo (or similar) certificate for Windows and pay $99 per year for the Apple developer program so you can get an Apple certificate as well. It is rather annoying, to say the least.