Getting a kernel mode driver signed for Windows 10

In this article I want to describe my experiences with the new (as of August 2016) driver signing issues and Windows 10.

Since the Anniversary Update of Windows 10 (version 1607, also called Redstone1), Microsoft requires new signatures on your kernel mode drivers under certain circumstances. This is called “attestation signing”. That is to say, only if certain circumstances are met — and I guess these “loopholes” will get smaller over the years — you can run drivers that were signed the “old” way (called “cross-certification”) on Windows 10.

The “new” way brings certain big changes:

  • The “old” way meant you — as the software developer — use your certificate to sign your software. Since your certificate is cross-signed by a certification authority (CA) that is (in the end) trusted by Microsoft this ensures that no one could tamper with the file and that Microsoft trusts that you are who you claim you are.
  • The “new” way means that you submit your software to Microsoft and they add their certificate, provided all the requirements are met.
  • For that, you need an EV code signing certificate, there is no way around it. This basically means, it’s more expensive and it comes on an USB hardware token (so you cannot copy it).

To give an idea of what has to be done, I describe what I did. My company, cFos Software GmbH, needs cFosSpeed, our traffic shaping driver signed for Windows 10.

Getting an EV certificate

I got the certificate from Globalsign Germany, as I always did, just this time I ordered the “extended verification” (EV) certificate. This increased the price from 429€ (about $480 as of 2016-09-02) for 3 years to 709€ (about $793)! (Note to self: in next life, run a certification authority!)

The process is kinda smooth, they require some (updated) documents (HRB printout), check that the provided contact data (email address and phone number) is correct and have you sign the agreement. They were very helpful and the whole process required some three days plus another two until I got the USB token by mail. If this is your first time you order a certificate from a CA, it might take longer, since they must check more data.

On that USB token you have to download the certificate from their website. You can do that only once, so there is no easy way to share the same certificate with several people (two teams in two offices, for example). You cannot just copy the USB token, of course.

The actual signing works as always, only now a password box pops up every time you sign. Luckily, copy-and-paste works for the password entry.

On the plus side, Microsoft SmartScreen instantly trusts files that where signed with an EV certificate. So that might ease out the roll-out of new software a bit.

Here is what Microsoft says about getting a code signing certificate.

Getting the Microsoft Signature

Prerequisites

It’s harder as I imagined (of course). Firstly, you need a Microsoft sysdev account. I don’t recall how I created that, but I gather it wasn’t that hard.

Secondly, you need to download some file (called winqual.exe)  from Microsoft (under Administration / manage certificates), sign it with your EV certificate and upload it again. This way, you only prove that your company has an EV certificate. That same certificate has to be used later to sign your submission.

Thirdly, you need to “sign” some legal documents. “Sign” luckily only means typing your name and the date and it’s almost instantly countersigned. They don’t say which documents need signing beforehand, so I guessed we might need “Windows Compatibility Program and Driver Quality Attestment Testing Agreement” and signed it. But that wasn’t enough, so I signed “Windows Certification Program Testing Agreement v1.0” as well, which seemed to be almost the same. After that, I was able to proceed further.

Submitting

Now I was able to upload our driver for signing. There are two ways of submitting:

  • Using the Hardware Lab Kit (HLK) to test your submission against Windows 10 and use the Hardware Certification Kit (HCK) to test against earlier versions of Windows. Merge the results and upload that to Microsoft.
  • Cross-sign the drivers yourself and upload to Microsoft for attestation signing. That is what I did. Microsoft mentions that drivers signed this way won’t run on Windows Server 2016 Technical Preview.

Firstly, I sign the files myself in the usual way using signtool.exe:

signtool sign /a /ac GlobalSign_Root_CA.crt /s my /n “Company name” /fd sha256 /td sha256 /tr “http://timestamp.globalsign.com/?signature=sha2” /du “http://www.example.com” cabfilename.cab

You need the “sha256” options, since SHA1 has been deprecated since 2016-01-01 and will work less and less in the future. Make sure that you use the same certificate you used to sign winqual.exe earlier on.

Secondly, you need to put the .SYS driver file and its .INF file into one .CAB archive into a subdirectory. Here is a description from Microsoft on how to actually pack the files and sign them by yourself. Note, that I used CABARC instead of MAKECAB to pack the files:

md driver
copy driver.sys driver.inf driver
cabarc -p -r N cabfilename.cab driver\*

I chose to include our .CAT file as well, even though the submission process will create one for you. I don’t know yet if that was a good or bad choice, both ways seem to work.

Thirdly, sign that .CAB file like you signed the .SYS file (see above).

Forthly, I uploaded that signed .CAB archive to sysdev.microsoft.com. You will have to choose for which versions of Windows 10 your driver qualifies. I checked all versions, but only one architecture (x64 or x86). You can only have one architecture per submission!

… and waiting

The submission takes a while and goes through a ten step process, namely:

  1. (no idea)
  2. Transferring CAB File
  3. Scanning CAB file for Viruses
  4. Decompressing CAB File
  5. Validating HCK/HLK Submission Package
  6. Creating Catalog Files
  7. Archiving Files
  8. Parsing Driver Data
  9. Signing Catalog Files
  10. Transferring Catalog File to Server

OSR describes in this post that the whole process took them 30 Minutes. But the first time I submitted, step 5 took six days and hadn’t completed! Then I wrote an email to sysdev@microsoft.com to find out that I had built my .CAB file the wrong way (I had put all files into the root folder instead of a “driver” sub-folder) and that had apparantly hung the process. (Thanks again for a timely and succinct answer, Jack!) So If you have to wait for long period of time, it’s probably best to contact Microsoft by mail and solve the issue.

Fixing that problem and re-submitting the driver package got me an approved driver within 10 minutes! 🙂 🙂

Victory!

After that you can download the signed .SYS and .CAT files packed into a .ZIP file. When you install that driver it doesn’t pop up that box asking “Do you trust Company X?” So, that’s nice.

What’s less nice is that drivers signed like this, even though they retain our old EV signature, don’t load under Windows 8.1 and load like they have no signature at all (and thus look kinda bogus, since they have no reference to the publisher) under Windows 7. So far, I have found no way to have a single driver file that loads under all Windows 7+ operating systems.

Resources

 

Leave a Reply