[wdmaudiodev] Re: How to sign up with MS with the Win10 driver no charge "attestment" option

  • From: Tim Roberts <timr@xxxxxxxxx>
  • To: "wdmaudiodev@xxxxxxxxxxxxx" <wdmaudiodev@xxxxxxxxxxxxx>
  • Date: Fri, 9 Oct 2015 18:13:22 -0700

Paul Titchener wrote:

Tim, thanks for your help.

Yes, we have an EV2 cert, we’ve used it up to now for signing our
pre-Win10 driver files. However our current cert was only issued in Sept.
so I don’t think we can use it for Win 10 installations without the
additional MS certification.

Right, you need attestation, but attestation REQUIRES the EV
certificate. That's why I asked.



Just to make sure I fully understand your directions below, when we
make the .cab file should we use our signed .cat, .sys and .inf files
and then sign the resulting .cab file?

Or do we use unsigned .cat, .sys and .inf files and only sign the .cab
file?

The only requirement is that the CAB be signed. Microsoft will throw
out your CAT file and create a new one, marked for Windows 10 ONLY,
signed with their certificate. They will also add their certificate to
any binary files in the package. Originally, some of us thought this
would allow these files to work on all of the operating systems: we
could sign the SYS with our SHA1 certificate, and submit it for SHA2
attestation. However, it turns out that XP and Vista can't handle files
with multiple certificate chains, so that idea went down the tubes. The
signed SYS file you get back will work on Windows 7 and 8, but the CAT
file will not.

So, you now need at least two driver packages: one signed with SHA1 for
use on Win 8.1 and earlier, and the attested package for Win 10.

(You can't sign an INF.)

--
Tim Roberts, timr@xxxxxxxxx
Providenza & Boekelheide, Inc.
