[wdmaudiodev] Re: Driver Code Signing

  • From: Tom Duffy <tduffy@xxxxxxxxxx>
  • To: wdmaudiodev@xxxxxxxxxxxxx
  • Date: Thu, 14 Apr 2016 11:19:39 -0700

i.e. SHA256 certs that were issued prior to Windows 10 RTM work, but
SHA256 certs that were issued after Windows 10 RTM only work in
Windows 10 if the package is "sysdev'ed", or is that only if
"secure boot" is on?


On 4/14/2016 10:51 AM, Tim Roberts wrote:
Leonard Shoell wrote:
Our old certificate has finally expired, so now we need to upgrade to the EV certificate. I'm trying to understand exactly what we need for the various versions of Windows and can't find a definitive statement from Microsoft.

Going forward we are only planning on supporting Win 7 and newer, sp WP and Vista are not in the equation.

Last year on this forum there was a discussion that indicated we'd probably need one driver package for Win 10, signed with an EV certificate and a separate package for Win 7, 8 & 8.1 signed with a SHA1 certificate.

Is this what you are still finding works best? Symantec is telling me we only need a EV certificate, but I assuming in practice you've found there are problems with this solution, such as, it won't work on some versions of Windows if the appropriate updates haven't been applied.

They have certainly made things difficult.  Remember that SHA256 and EV
are not the same thing.  All EV certificates are SHA256, but the reverse
is not true.

Here are the facts as they currently exist.

SHA1 works on 7, 8, 8.1, and 10 (and, of course, XP and Vista).

SHA256 works on 7 with KB3033929, 8, 8.1, and 10.

Starting with the "anniversary update" of Windows 10 coming this summer,
codenamed Redstone, if someone does a fresh install of Windows 10 (not
an upgrade) and has "secure boot" turned on in their BIOS, no
self-signed binaries will be accepted at all.  You will need to submit
your driver package to the "sysdev" portal for attestation signing.
This is the same web site used to submit for WHQL.  Creating a sysdev
account requires an EV certificate -- that's where the EV comes in.  The
signed package you get back is signed ONLY for Windows 10.  That's where
the "one package for Win 10, one for everything else" thing comes in.
(I guess it's actually "one package for Win 10 RS fresh install with
secure boot, one for everything else.)

This ill-conceived and valueless attestation concept is going to be an
ENORMOUS support burden for the entire Windows hardware community.  The
driver packages currently in the wild will work just fine for the great
majority of Windows users, but people who buy a new computer with a
fresh install where the manufacturer happened to turn on secure boot are
going to get driver failures, and they won't know why.  I hope the
vendors are all educating their telephone support teams on how to check
for a fresh install and secure boot.

NOTICE: This electronic mail message and its contents, including any attachments hereto 
(collectively, "this e-mail"), is hereby designated as "confidential and 
proprietary." This e-mail may be viewed and used only by the person to whom it has been sent 
and his/her employer solely for the express purpose for which it has been disclosed and only in 
accordance with any confidentiality or non-disclosure (or similar) agreement between TEAC 
Corporation or its affiliates and said employer, and may not be disclosed to any other person or 


WDMAUDIODEV addresses:
Post message: mailto:wdmaudiodev@xxxxxxxxxxxxx
Subscribe:    mailto:wdmaudiodev-request@xxxxxxxxxxxxx?subject=subscribe
Unsubscribe:  mailto:wdmaudiodev-request@xxxxxxxxxxxxx?subject=unsubscribe
Moderator:    mailto:wdmaudiodev-moderators@xxxxxxxxxxxxx


Other related posts: