24

I work for a company that sells USB devices and provides drivers for them.

In Windows 7, you could install and use unsigned INF driver files for USB devices as long as they didn't add any code to the kernel. Our company uses generic drivers provided by Microsoft (usbser.sys and winusb.sys), so we never needed to sign our driver packages.

Based on a report from one of our customers, another Stack Overflow question ("What changed in the driver signature requirements for Windows 8?") and the Arduino forum, it sounds like the Windows 8 Consumer Preview has stricter signing requirements that require all third-party INF files to get signed. The error message people are getting when trying to install drivers that worked on Windows 7 is:

The third-party INF does not contain digital signature information.

What is the official word from Microsoft that confirms that the signatures will still be required in the final version of Windows 8? A sentence or two from MSDN.com would be sufficient, but I can't find anything.

I am considering buying a signing certificate, but before I pay $200 I want to be sure I will actually need it in the long term. Is it possible that the new signing requirement is just in the consumer preview and not in the real version?

David Grayson
  • It's trivial to obtain the consumer preview. So you can find out for yourself. Hard to believe that you haven't. Also, you sell things but aren't prepared to cough up $200 for a signature?! What's that as a fraction of your company's annual profits? – David Heffernan May 25 '12 at 19:52
  • 1
    Obtaining the consumer preview would not really help make this decision. I would ideally like to step forward in time and obtain the official copy of Windows 8. And yes, I'm frugal. – David Grayson May 25 '12 at 20:41
  • 1
    About 7 months after asking this question, I wrote a big article explaining everything I have learned about the topic: http://www.davidegrayson.com/signing/ In short, Windows 8 does require you to sign your INF files but it does not have to be a WHQL signature; it just has to have a chain of trust that goes back to a certificate in the Trusted Root Certification Authorities list. – David Grayson Jul 16 '13 at 21:15

2 Answers

20

To answer my own question: Yes, the final version of Windows 8 does require all INF files to be signed, but you do not need to submit your drivers to the WHQL. I wrote about this requirement and much more in my article Practical Windows Code and Driver Signing.

David Grayson
9

Not only does it require signing of INF files, it also requires them to be signed by the WHQL certificate, not the same one that you use to embedded-sign .sys files and the like. Using my Code Signing certificate on the INF file didn't work at all. (Same problems as if left unsigned.)

EDIT:

This is what Microsoft wants you to think. They said that certain classes of drivers HAVE to be WHQL signed, otherwise they won't work, and that Authenticode signing works only for those who don't have a WHQL process.

It turns out you CAN Authenticode sign driver packages, except you have to take care and sign them like you would kernel code now, which means getting the correct cross certificate for your CA from Cross-Certificates for Kernel Mode Code Signing (there are tons of them now, including StartCom, which I have: class 2, US$60 for two years, but they can't be timestamped). Supply this cross certificate (not the same as your CA's self-signed certificate or their intermediary certificate; it's only available on that MSDN page) to SignTool via the /ac switch.

Then use SignTool verify with the /kp switch to see if you cross signed them properly. SignTool verification without any switches REQUIRES that the .cat files are WHQL signed, while the /pa switch, which seemed to be OK before, is now too lax, and only applies to non-driver signing (like EXE files, ClickOnce, etc.).

If you don't want to acquire your own kernel-level signing certificate (which is easier now than before, frankly; before, it was limited to VeriSign's super expensive ones and GlobalSign's US$200-a-year ones. I guess Microsoft saw that not many people wrote kernel-level exploits for x64 systems), you can make a self-signed root CA, have your driver installer install it into the LocalMachine's "Trusted Root Certification Authority" store (see certmgr.exe), and then install the .cat file which was signed by that. Of course, since this isn't a kernel-level code certificate, you MUST use only .sys files which already have an embedded kernel-level code certificate from someone else (which means you can only modify .inf files in driver packages). Apparently, there's some loophole that allows self-signed certificates to sign .cat files (if you made your own CA, then signed a certificate with it, then signed your .cat files with that, it won't work like this).

For a suite that does this for every driver INF package it makes, see libwdi, and how their self-signed certificates on cat files allow installation on Windows 8.

EDIT2:

Removed CERTUM "open source" developer certificate mention, as it's not cross-certified by Microsoft (The one you get isn't the Certum TRUSTED NETWORK one, that Microsoft cross-certified).

Peter Mortensen
rajkosto
  • *I am pretty sure you're wrong about that.* I got a normal certificate from Go Daddy and it worked correctly on my INF file in Windows 8 preview. I didn't have to submit anything to Microsoft. If you want some help, please write a StackOverflow question and give me more details. For an idea of the kind of details you should give, see http://stackoverflow.com/questions/12291461/signed-inf-driver-works-on-the-computer-where-it-was-signed-not-others Please post a comment here or something so I know when you have written your question. – David Grayson Oct 10 '12 at 05:42
  • I have updated my answer with about 3 days' worth of trial-and-error info, and I have managed to get both a self-signed-certificate-signed .cat file going and my own Authenticode-signed .cat file going (on both Win8 and earlier Windows versions) – rajkosto Oct 11 '12 at 04:50
  • 2
    It's `/ac`, not `/ca`. It's `/pa`, not `/pe`. Also, I've been able to successfully sign simple driver packages that just consisted of an INF and CAT file without using the cross certificate; the main thing that matters is that your chain of trust goes back to something that is in the Trusted Root Certification Store. I cite personal experience and http://msdn.microsoft.com/en-us/library/windows/hardware/gg487332.aspx as my source for that. Also, for verifying driver packages, I think `/pa` is the right option to use because that's how they do it in kmcs_walkthrough.doc. – David Grayson Oct 11 '12 at 06:04
  • 1
    Yes... but that only works when you don't have any .sys files inside. Once you need to sign those as well, you must include the cross certificate. And you can't just NOT sign those (I tried, with manual .cdf files), because the whole driver package must be in the .cat file, not just the INF (even if the .sys files have embedded signatures) – rajkosto Oct 11 '12 at 06:19
  • Yes, they can be timestamped! Check with `signtool verify /v ...`. Works fine if you timestamp with `/tr "http://www.startssl.com/timestamp"`. Besides, even if StartCom didn't offer a time server, you could always use another, such as `/t http://timestamp.verisign.com/scripts/timstamp.dll`. – 0xC0000022L Aug 14 '13 at 02:25
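
The sign-then-verify sequence discussed in the second answer and its comments, as an added PowerShell example (not code from the thread, the linked article or libwdi). It assumes `inf2cat.exe` (a WDK tool the thread does not mention) and `signtool.exe` are on PATH; the parameter names and the `Invoke-Tool` helper are hypothetical. It reports whether each catalog passes SignTool's default driver policy, `/kp` and `/pa`, so you can see which of the policies debated above your package satisfies.

```powershell
param(
    [Parameter(Mandatory)] [string] $PackageDir,   # folder with the .inf and any .sys files
    [Parameter(Mandatory)] [string] $CertSubject,  # subject name of your signing certificate
    [string] $CrossCert,                           # cross-certificate .cer for your CA (optional)
    [string] $TimestampUrl                         # timestamp server URL from your CA (optional)
)

# Hypothetical helper: run a native tool, show its output, return its exit code.
function Invoke-Tool([string] $Exe, [string[]] $ToolArgs) {
    & $Exe @ToolArgs | Out-Host
    return $LASTEXITCODE
}

# 1. Build the catalog(s) named by the CatalogFile entry of each INF in the folder.
$rc = Invoke-Tool 'inf2cat.exe' @("/driver:$PackageDir", '/os:7_X86,7_X64,8_X86,8_X64')
if ($rc -ne 0) { throw "Inf2Cat failed with exit code $rc" }

# 2. Sign each catalog; /ac adds the cross-certificate to the signature chain.
$signArgs = @('sign', '/v', '/n', $CertSubject)
if ($CrossCert)    { $signArgs += @('/ac', $CrossCert) }
if ($TimestampUrl) { $signArgs += @('/t', $TimestampUrl) }

$results = foreach ($cat in Get-ChildItem -Path $PackageDir -Filter *.cat) {
    $rc = Invoke-Tool 'signtool.exe' ($signArgs + $cat.FullName)
    if ($rc -ne 0) { throw "SignTool sign failed for $($cat.Name) (exit code $rc)" }

    # 3. Verify under each policy named in the thread; exit code 0 means it passed.
    [pscustomobject]@{
        Catalog      = $cat.Name
        DriverPolicy = (Invoke-Tool 'signtool.exe' @('verify', '/v', $cat.FullName)) -eq 0
        KernelPolicy = (Invoke-Tool 'signtool.exe' @('verify', '/kp', '/v', $cat.FullName)) -eq 0
        AuthPolicy   = (Invoke-Tool 'signtool.exe' @('verify', '/pa', '/v', $cat.FullName)) -eq 0
    }
}
$results | Format-Table -AutoSize
```

Run it once with `-CrossCert` and once without on a copy of the package to compare the `KernelPolicy` column for INF-only and `.sys`-containing packages.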