Re: Windows driver signing certificate purchase decision for WinPcap and Npcap

[Yang Luo <hsluoyb () gmail com>]

Hi,

I have found this link:
https://www.osr.com/blog/2015/03/18/microsoft-signatures-required-km-drivers-windows-10/,
in which it says: "*These requirements only apply to Windows 10 and later.
In fact, Microsoft plans to offer a bit of a grace period: Drivers signed
before Windows 10 RTM will be able to use the older signing mechanisms.
But once Windows 10 ships, if you want your driver to run on Windows 10
desktop systems, you’ll need to (a) get an EV certificate, (b) using that
signature submit your driver to sysdev to get Microsoft’s signature.*"

So unfortunately, I think an EV cert has become a necessity for us to sign
a driver for Win10 after Win10 RTM release date.

Cheers,
Yang


On Wed, Jul 22, 2015 at 12:33 AM, Gerald Combs <gerald () wireshark org> wrote:

> On 7/21/15 3:40 AM, Graham Bloice wrote:
> > On 21 July 2015 at 11:25, Pascal Quantin <pascal.quantin () gmail com
> > <mailto:pascal.quantin () gmail com>> wrote:
> >
> >
> >     Le 21 juil. 2015 11:38 AM, "Graham Bloice" <
> graham.bloice () trihedral com
> >     <mailto:graham.bloice () trihedral com>> a écrit :
> >     >
> >     >
> >     >
> >     > On 21 July 2015 at 07:06, Pascal Quantin <pascal.quantin () gmail com
> <mailto:pascal.quantin () gmail com>> wrote:
> >     >>
> >     >>
> >     >> Le 21 juil. 2015 4:15 AM, "Yang Luo" <hsluoyb () gmail com <mailto:
> hsluoyb () gmail com>> a écrit :
> >     >> >
> >     >> > Hi list,
> >     >> >
> >     >> > There's only 8 days left for Win10 RTM. It seems that both
> WinPcap and Npcap need to decide which kind of Windows driver signing
> certificate to buy. There are two kinds of certs: EV cert and non-EV cert.
> >     >> >
> >     >> > AFAIK, I think we don't need to buy an EV cert yet, as EV cert
> is complicated to use (has to use a hardware key) and much more expensive.
> You should have found out that current Npcap driver CAN be successfully
> installed into Windows 10 Insider Preview 10240 x64 ( which is a candidate
> for Win10 RTM) WITHOUT disabling "Driver Signature Enforcement". The reason
> turns out to be: "To ensure backwards compatibility, drivers which are
> properly signed by a valid cross-signing certificate that was issued before
> the release of Windows 10 will continue to pass signing checks on Windows
> 10." (see for details:
> http://blogs.msdn.com/b/windows_hardware_certification/archive/2015/04/01/driver-signing-changes-in-windows-10.aspx
> ).
> >     My English is not that good, but I think this sentence means that if
> >     you buy a non-EV cert before Win10 release (AKA 2015/7/29), you can
> use
> >     the cert to sign a driver to any platform including Win10 until it
> >     expires. So you can just buy a 3-year long cert before 7/29 and use
> it
> >     to sign any drivers for these 3 years. 3 years later, we have no
> other
> >     choice but to buy an EV cert, but who knows whether Microsoft would
> >     change its driver signing policy again then?
> >     >> >
> >     >> > Am I understanding it right?
> >     >> >
> >     >>
> >     >> Hi Yang,
> >     >>
> >     >> That's not my understanding. What matters here is the driver
> signing timestamp, and not the expiry date of your certificate.
> >     >> You have 3 cases:
> >     >> - a driver signed with a timestamp prior to the 29th of July will
> still load for backward compatibility (same rules as previous Windows
> versions)
> >     >> - for drivers with a signature timestamp from the 29th of July or
> later, you need to upload your signed driver on Microsoft portal to get a
> counter signature that will allow to install it on Windows 10
> >     >> - 90 days after the 29th of July, the portal will not accept
> anymore drivers not signed with an EV certificate
> >     >>
> >     >> So as you see the grace period will be short and you cannot
> escape from the purchase of an EV certificate (unless you hurry up to
> Polish your driver before the deadline;)). Even the counter signature step
> seems a bit painful (I have not tried it myself yet).
> >     >>
> >     >> Pascal.
> >     >
> >     > I agree the intentions are not clear.  The statement "To ensure
> backwards compatibility, drivers which are properly signed by a valid
> cross-signing certificate that was issued before the release of Windows 10
> will continue to pass signing checks on Windows 10." implies to me that
> it's the date of the cross-signing certificate that counts.
> >     >
> >     > IMHO if it was the driver signing date, then the sentence should
> have read "... drivers which are properly signed by a valid cross-signing
> certificate that were signed before ..."
> >     >
> >     > Currently, when signing kernel-mode drivers you currently have to
> use the MS cross-signing appropriate to the issuer of your SPC.  I checked
> the one we use in the day job, it was issued Feb 22 2011 and it's valid
> until Feb 22 2021.  Of course MS may revoke that cert, but then existing
> signed drivers for Windows < 10 will also fail.
> >     >
> >     > I'll try to get some clarity on this.
> >     >
> >
> >     If this is the case it would be very good news, but in that case I do
> >     not understand the 90 days deadline for the driver submission without
> >     EV signing on Microsoft portal.
> >     Anyway we will get the answer very soon :)
> >
> >
> >
> > Maybe they expect a big rush of driver signing requests with the release
> of
> > Win 10, and know that the EV requirement will take time to get in place.
>
> That might be the case. Yesterday I started the process of obtaining an EV
> certificate for the Wireshark Foundation. The order status page currently
> says
>
> "DigiCert has verified the organization details listed above, and we are
> ready to issue your certificate as soon as the other validation
> requirements are taken care of."
>
> Hopefully "other validation requirements" doesn't translate to "a four
> month backlog which suddenly appeared due to a major operating system
> release."
>
> In the mean time our regular (lightly-validated?) certificate doesn't
> expire until next July.
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe