Skip to content

How to sign the PV Drivers

Jump to bottom
Alexander Schulz edited this page Jan 1, 2019 · 3 revisions

Windows 10

ARCHIV

Sources

Step-by-step

  1. Get an EV-Certificate to be able to fully support modern Windows variants.
    • EV-Certificates (Extended Validation) is ment for Organisation/Companies. a natural person can not get an EV-Certificate.
    • EV Code Signing in the Cloud to avoid the hassle of using hardware tokens and be able to use it as an tool for the whole organisation
  2. Register at Windows Hardware Dev Center
    • you need your organisations Azure Active Directory (Azure AD) Global administrator account (or create a new one)
      • it has to have the form <name>@<organisation>.onmicrosoft.com
    • login with that at Microsoft Dev Center: http://go.microsoft.com/fwlink/?LinkID=828002
    • register with your companie details (name, address, mail, tel, ...)
    • proove you have an EV-Certificate: download, sign and upload the testfile (winqual.exe)
      • "This way, you only prove that your company has an EV certificate. That same certificate has to be used later to sign your submission."
    • 'sign' some legal documents (type name and date in)
      • "Windows Compatibility Program and Driver Quality Attestment Testing Agreement"
      • "Windows Certification Program Testing Agreement v1.0"
  3. Submitting the driver(s) at Windows Hardware Dev Center
    • "Using the Hardware Lab Kit (HLK) to test your submission against Windows 10 and use the Hardware Certification Kit (HCK) to test against earlier versions of Windows. Merge the results and upload that to Microsoft."
    • and / or
    • Cross-sign the drivers yourself (won’t run on Windows Server 2016+)

Some Knowledge

  • "Starting with Windows Vista 64-bit, kernel modules must come with a properly-signed security catalog (CAT file)"
  • additionally "in the case of a boot-start driver you are supposed to embed the signature inside the SYS file itself"
  • "The part of Windows that checks signatures for driver package installation is apparently different from the part that checks signatures for loading kernel modules, and they each impose different requirements on the signature."
  • "When it is time load a SYS file into the kernel, it seems that Windows will scan all the files in the security catalog store (C:\Windows\System32\catroot) to see if one of them contains a hash for the SYS file and an adequate signature. If it finds what it is looking for, the loading succeeds."
  • "there are additional requirements for kernel module signatures in Windows 10 1607 and later"
    • "Windows 10 kernel modules must be signed by the portal"
    • "The portal will only accept driver submissions from you if you sign them with an Extended Validation (EV) certificate"
    • !!! IMPORTANT !!! EV Certificates are only issued to organisations, not to natural persons!
    • "This post about driver signing by Christoph Lüders documents his experience purchasing an EV certificate, getting an account on the portal, and going through the attestation route"
  • https://www.globalsign.com/en/code-signing-certificate/ - EV certificate for 3 years ~ 950$
    • "an EV certificate will give you "immediate reputation with Microsoft SmartScreen", making it less likely for users to see random errors when they download signed executables from you."
    • "In particular, you won't be able to download the private key and certificate online; the private key will be provided to you on a USB token (SafeNet eToken 5100) that must be connected to your computer while making signatures."
  • https://www.certum.eu/en/cert_offer_en_open_source_cs/
    • Opensource Code Signing - 120€ incl. Hardware token
    • EV Code Signing - 3years - ~1000€ incl. Hardware token

XCP-ng 🚀 Main website / Forum / Blog / Pro support

XCP-ng's documentation has now moved to
https://xcp-ng.org/docs

Clone this wiki locally