I'm a little bit confused about windows certification. I want to ask some questions, one of my questions is that, Is it necessary driver sign by a trusted third party company for windows doesn't show a dialog box about security during installation? I'm asking this question related this paper that its link is "http://msdn.microsoft.com/en-us/library/windows/hardware/ff544703(v=vs.85).aspx" on msdn.
Actually my goal is during installation my product, windows doesnt prompt this dialog box. for it, does it necessary pass HCK tests?
another question is that, What is the Windows Logo?
my last question is, can I make a third party trusted certificate with a makecert.exe?
thanks a lot and best regards.
Tunahan
Having a signed application/driver will remove the warning that you are referring to. In Windows 8 you MUST sign your code or it will be blocked from installing (unless you disable driver signature check).
You need to buy a code signing certificate from a third party vendor like Digicert or Thawte. Since you're making drivers, you need to determine what type of certificate is required. If this is a kernel mode driver then you need a special kind of certificate. It is usually different than a certificate used to sign a user space application. On a side note, if you sign a user space application the user will still be prompted to allow but just won't have the scary red warning image.
So, to answer your questions
Is it necessary driver sign by a trusted third party company for windows doesn't show a dialog box about security during installation?
Yes.
2.
does it necessary pass HCK tests?
Yes, unless you fall under the unclassified category. See here
http://msdn.microsoft.com/en-us/library/windows/hardware/gg463036.aspx
3.
What is the Windows Logo?
Just a logo. Shows that your hardware is Windows certified. It's like getting USB certified so that you can put a USB compliant sticker on your hardware.
4.
can I make a third party trusted certificate with a makecert.exe?
No. Go buy one from a vendor. We use Digicert because they have fair prices and I like the security of the hard token.
Update for Windows 10:
Kernel mode drivers now have more stringent signing requirements. The above information is specific to user-mode applications and drivers. For a great Q/A session see this blog link from OSR: https://www.osr.com/blog/2015/07/24/questions-answers-windows-10-driver-signing/
Related
Microsoft SmartScreen, well-known for its message:
Windows Defender SmartScreen prevented an unrecognized app from starting
is useful for end users to avoid malware, but can also harm indie developers because when they distribute binaries: the end users see frightening messages, and that is a problem for the developer's reputation (see someone's comment "My customers often think that I am purveying a virus, malware or something illegitimate and they tell their friends and I lose sales"):
Smart-Screen filter still complains, despite I signed the executable, why?
Even with a paid certificate, if software-release1.0.1.exe is finally whitelisted, when you release software-release1.0.2.exe update, the messages will come again:
Transferring Microsoft SmartScreen reputation to renewed certificate
The only solution seems to be Extended "EV code signing" which can be 300-500$ per year (this fixed fee makes the tax % higher for small indie developers).
Question: is there a way to get a .exe whitelisted immediately (or a few days) for all users - and not only on my own computer - by submitting it to Microsoft for analysis?
I have seen this link: https://www.microsoft.com/en-us/wdsi/filesubmission, has someone been able to use it successfully to avoid further SmartScreen alerts? (it seems that no).
Are there other methods? Such as automatically deploying 100 VMs via an automated script, and let each VM download and install the .exe automatically? But this would probably be from the same IP, then Microsoft will probably increase the reputation counter by +1 instead of +100?
As you said in your question, the first solution for having trusted software is code signing with EV certificate But, another tricky solution is increasing reputation of your software. As Microsoft said here :
Reputation-based URL and app protection
If a URL, a file, an app, or a certificate has an established
reputation, users won't see any warnings. If, however, there's no
reputation, the item is marked as a higher risk and presents a warning
to the user.
So in the last paragraph of your question, you mentioned about creating mass docker containers or virtual machines for increasing trust and reputation. I complete it with a solution for same IP address in each VM or container.
The solution is using TOR as a proxy in all of your VM's or containers.
With using tor you can create proxy which is connected inside TOR network and hide your real IP address in your virtual machines or containers. Tor is free for use and you can connect your nodes to it's network as many as you want and change your IP address frequently. Also it is better to have different version of windows in some of your VM's. Remember before that you must submit your software for malware analysis,
I have what appears to be a valid signed Electron Windows application. I am using Electron Builder to sign the app for Windows with the same Apple .p12 certificate that we use to sign the app for macOS. The Electron Builder website mentions the following:
Code Signing Certificate shows a warning during installation that goes
away once enough users installed your application and you’ve built up
trust.
https://www.electron.build/code-signing#where-to-buy-code-signing-certificate
How long does it take for this trust to build up?
Here is a screenshot showing the certificate details in Windows:
Windows SmartScreen lists the publisher for the app as "Unknown publisher". Is there something I am missing here?
Even though this sounds irresponsible, answer is you never know when your application will earn enough reputation to pass smartscreen filtering. it's not static / fixed time period.
https://www.ssl.com/faqs/which-code-signing-certificate-do-i-need-ev-ov/#smartscreen
Unfortunately, Microsoft does not publish guidelines on what constitutes enough downloads to eliminate SmartScreen warnings. Microsoft has also indicated in the past that signing code is a “best practice” that you “can follow to help establish and maintain reputation for your applications.”
Unless you use EV cert, the only way to accelerate this is to publish your application and meaningful numbers of user download & installs without malicious behavior.
It has come to my attention that code signing certificates are from now on required to be paired with physical tokens.
The Minimum Requirements specify that CAs shall ensure stronger protection for private keys. As such, all Code Signing Certificates, not just Extended Validation level, will require a USB token starting on January 30, 2017. With this, all New and Renewal Standard Code Signing orders will be sent a USB token to store the certificate and protect the private key. Also, all standard Code Signing products except for EV Code Signing will be integrated to one “multi-platform” Code Signing Certificate.
Note: Reissues of existing Code Signing Certificates (issued prior to 30 January 2017) will not require a token right away. However, this is subject to change.
As someone who uses a cloud-only workflow, this raises an obvious concern for me - I cannot just plug this USB token into "the cloud".
Do I understand it right that I will from now on need to set up a separate on-premise code signing process? Or is there some possibility remaining for signing code in the cloud? What are the expectations I should have for working under the new rules?
Based on the article you linked it sounds like you will absolutely need to provide your build system access to a USB key in order to sign your artifacts. As you mention the obvious solution (and probably what Microsoft is attempting to encourage) is to set up an on-premise build system that gets used exclusively for code signing.
From a security point of view this is probably the best option since you could harden that machine both in terms of software but also in terms of hardware (e.g. locked in a closet in your work area). But this might also not be realistic depending how your build system is set up.
Your other option is to use a USB forwarding solution to forward the USB key to your cloud environment. There are a lot of ways to do this and the best one is going to depend on what you're building and on what operating system(s) but here's a rundown of some options:
Linux systems - USB/IP - This is a kernel module and userspace application provided with a good number of Linux distributions (it's a mainline module, but not always included). This lets you take a local USB device and forward it over the network to another Linux machine. I've had pretty good luck with this but setting it up the first time can be a little tricky.
Windows Systems - RemoteFX forwarding over RDP - On newer Windows systems (Windows 10, Server 2012 R2+) Remote Desktop supports USB redirection natively. You can simply forward the USB key through a RDP session. This would require you to remain connected at all times while building though.
Windows Systems - Third Party Software - There are several third party USB forwarding solutions available. For instance this one. Some of these have the advantage of being able to run without requiring an active desktop session.
The gotca with all of these solutions is that if the USB token is designed to actively prevent this (or is somehow otherwise incompatible with forwarding) it may not work. Some license keys for instance will check to make sure the timings to/from the computer are within a certain tolerance for instance. In those cases the added latency from the cloud to your machine would cause the token to not work. It'll all depend on the USB key you get sent.
The whole point of policies like this is to prevent you as the keyholder from accidentally losing control of your key material by giving you something you must physically possess in order to use your key. Cloud build systems are convenient but tend in general to have a much wider security landscape which makes securing keys trickier than on-site systems. It looks like Microsoft and your CA are attempting to prescribe how keys are being handled.
We offer a Windows program downloadable as an InstallShield EXE from our website.
When someone running IE9 attempts to download and run our software, they see the following message at the bottom of their screen:
PROGRAMNAME.exe is not commonly downloaded and could harm your computer.
[DELETE] [ACTIONS] [VIEW DOWNLOADS]
I've read http://blogs.msdn.com/b/ie/archive/2011/03/22/smartscreen-174-application-reputation-building-reputation.aspx
It suggests:
Digitally sign your programs with an
Authenticode signature.
Ensure downloads are not detected as
malware.
Apply for a Windows Logo.
We've done all three things. Our EXE is digitally signed with an authenticode signature (and the bar above the warning message is orange, not red, indicating that IE9 recognized and verified the signature). Our download is not detected as malware by any antivirus program we've tried. And we have applied for and received a Windows Logo.
As yet, most of our customers are not using IE 9. But this is very troublesome to those who do. Is there anything else we can do about this, or do we just have to wait until a critical mass of customers have downloaded this software before this message will go away?
(Does that mean when we release a new version, all IE 9 users will get this message again until enough of them have downloaded it?)
UPDATE 2011-06-14:
Thanks, #EricLaw-MSFT. URL is http://dakim.dakiminc.netdna-cdn.com/DakimBrainFitness.exe . (It's found on the "Download Free Trial" button on http://www.dakim.com .)
We've only been offering downloadable trials for a short while. Our primary distribution method is installation DVDs.
Extended Validation Code Signing Certificates don't suffer from the need to build reputation slowly according to this post:
Reputation is generated and assigned to digital certificates as well as specific files. Digital
certificates allow data to be aggregated and assigned to a single certificate rather than many
individual programs. Although not required, programs signed by an EV code signing certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher. EV code signing certificates also have a unique identifier
which makes it easier to maintain reputation across certificate renewals. Only Authenticode
Certificates issued by a CA that is a member of the Windows Root Certificate Program can establish
reputation.
At this time, Symantec and DigiCert are offering EV code signing certificates.
In an effort to improve my answer, I've added a link to a similar question I asked and eventually answered myself.
I have made an application for Windows & everytime I run the application by opening the executable file I get the "Publisher Unverified" warning in Windows. It is fine if I was the only audience for this app but thats not the case. Is there any way to program my app such that this message does not show up for the users.
The only way to do this is to obtain and use a code signing certificate from a trusted source. Microsoft calls this Authenticode.
Unfortunately for the little guy, these cost. Verisign sells theirs for about four hundie a year.
Here are some starting points you should read about Authenticode:
http://msdn.microsoft.com/en-us/library/ms537359(VS.85).aspx
http://technet.microsoft.com/en-us/library/cc750035.aspx
http://msdn.microsoft.com/en-us/library/aa379872(VS.85).aspx
Some certificate dealers:
http://www.verisign.com
http://www.thawte.com
http://www.globalsign.net
http://www.geotrust.com
For a cheaper code signing certificate, you can use Comodo. There is a reseller called KSoftware which sells their certificates for $99/yr:
http://www.ksoftware.net/code_signing.html
I used them a few years ago and had no problems.
You can then use SignTool from the .net SDK to sign your EXE files. There is a tutorial here:
http://www.tech-pro.net/code-signing-for-developers.html
I think there is a way to resolve this. We need to add digital signature to the executables. The way to add digital signatures is very nicely outlined at,
http://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/
http://blog.didierstevens.com/2008/12/31/howto-add-a-digital-signature-to-executables/
Basically we will use OpenSSL to create our own digital signatures and then use the SignTool application by Microsoft to add it to our executable.