Wireshark mailing list archives

Re: Windows driver signing certificate purchase decision for WinPcap and Npcap


From: Pascal Quantin <pascal.quantin () gmail com>
Date: Tue, 21 Jul 2015 12:25:57 +0200

On 21 Jul 2015 11:38 AM, "Graham Bloice" <graham.bloice () trihedral com>
wrote:



On 21 July 2015 at 07:06, Pascal Quantin <pascal.quantin () gmail com> wrote:


On 21 Jul 2015 4:15 AM, "Yang Luo" <hsluoyb () gmail com> wrote:

Hi list,

There's only 8 days left for Win10 RTM. It seems that both WinPcap and
Npcap need to decide which kind of Windows driver signing certificate to
buy. There are two kinds of certs: EV cert and non-EV cert.

AFAIK, I think we don't need to buy an EV cert yet, as an EV cert is
complicated to use (it has to use a hardware key) and much more expensive. You
should have found out that the current Npcap driver CAN be successfully
installed on Windows 10 Insider Preview 10240 x64 (which is a candidate
for Win10 RTM) WITHOUT disabling "Driver Signature Enforcement". The reason
turns out to be: "To ensure backwards compatibility, drivers which are
properly signed by a valid cross-signing certificate that was issued before
the release of Windows 10 will continue to pass signing checks on Windows
10." (see for details:
http://blogs.msdn.com/b/windows_hardware_certification/archive/2015/04/01/driver-signing-changes-in-windows-10.aspx).
My English is not that good, but I think this sentence means that if you
buy a non-EV cert before Win10 release (AKA 2015/7/29), you can use the
cert to sign a driver to any platform including Win10 until it expires. So
you can just buy a 3-year long cert before 7/29 and use it to sign any
drivers for these 3 years. 3 years later, we have no other choice but to
buy an EV cert, but who knows whether Microsoft would change its driver
signing policy again then?

Am I understanding it right?


Hi Yang,

That's not my understanding. What matters here is the driver signing
timestamp, and not the expiry date of your certificate.
You have 3 cases:
- a driver signed with a timestamp prior to the 29th of July will still
load for backward compatibility (same rules as previous Windows versions)
- for drivers with a signature timestamp from the 29th of July or later,
you need to upload your signed driver to the Microsoft portal to get a counter
signature that will allow it to be installed on Windows 10
- 90 days after the 29th of July, the portal will no longer accept
drivers not signed with an EV certificate

So as you see the grace period will be short and you cannot escape
purchasing an EV certificate (unless you hurry up and polish your
driver before the deadline ;)). Even the counter signature step seems a bit
painful (I have not tried it myself yet).

Pascal.

I agree the intentions are not clear.  The statement "To ensure backwards
compatibility, drivers which are properly signed by a valid cross-signing
certificate that was issued before the release of Windows 10 will continue
to pass signing checks on Windows 10." implies to me that it's the date of
the cross-signing certificate that counts.

IMHO if it was the driver signing date, then the sentence should have
read "... drivers which are properly signed by a valid cross-signing
certificate that were signed before ..."

Currently, when signing kernel-mode drivers you have to use the
MS cross-signing certificate appropriate to the issuer of your SPC.  I checked the one
we use in the day job, it was issued Feb 22 2011 and it's valid until Feb
22 2021.  Of course MS may revoke that cert, but then existing signed
drivers for Windows < 10 will also fail.

I'll try to get some clarity on this.


If this is the case it would be very good news, but in that case I do not
understand the 90-day deadline for driver submission without EV
signing on the Microsoft portal.
Anyway we will get the answer very soon :)
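Added example (not code from this thread, nor from WinPcap or Npcap): a PowerShell script that pulls out of a signed .sys file the facts the two readings above turn on, namely the signature timestamp, the signer certificate's validity window, and the issue/expiry dates of any Microsoft cross-certificate embedded in the signature, and then places the driver in one of Pascal's three cases. The 2015-07-29 cutoff and the 90-day window are taken from Pascal's reading of the policy, not from Microsoft documentation; recognising the cross-certificate by an issuer of "Microsoft Code Verification Root", the handling of RFC 3161 timestamps, and Windows PowerShell 5.1 on .NET Framework are all assumptions of the script.

```powershell
# Inspect a signed kernel driver and report what the Win10 signing rules key on.
# Usage: .\Inspect-DriverSignature.ps1 -DriverPath C:\path\to\npf.sys
# Assumption: 2015-07-29 cutoff and 90-day window follow Pascal's reading of the policy.
param([Parameter(Mandatory)][string]$DriverPath)

Add-Type -AssemblyName System.Security

# Pull the raw PKCS#7 blob out of the PE security directory (IMAGE_DIRECTORY_ENTRY_SECURITY).
function Get-AuthenticodeBlob([string]$Path) {
    $b = [IO.File]::ReadAllBytes($Path)
    $pe = [BitConverter]::ToInt32($b, 0x3C)                   # e_lfanew -> "PE\0\0"
    $opt = $pe + 24                                            # optional header after 4-byte sig + 20-byte file header
    $magic = [BitConverter]::ToUInt16($b, $opt)                # 0x10B = PE32, 0x20B = PE32+
    $dataDir = if ($magic -eq 0x20B) { $opt + 112 } else { $opt + 96 }
    $secOff = [BitConverter]::ToInt32($b, $dataDir + 4 * 8)    # entry 4 = security dir (file offset, not RVA)
    if ($secOff -eq 0) { return $null }
    $certLen = [BitConverter]::ToInt32($b, $secOff)            # WIN_CERTIFICATE.dwLength
    $blob = New-Object byte[] ($certLen - 8)                   # skip dwLength / wRevision / wCertificateType
    [Array]::Copy($b, $secOff + 8, $blob, 0, $blob.Length)
    return $blob
}

# DER length decoder: returns the content length and the index of the first content byte.
function Read-DerLength([byte[]]$d, [int]$pos) {
    $first = $d[$pos]
    if ($first -lt 0x80) { return @{ Length = [int]$first; Next = $pos + 1 } }
    $n = $first -band 0x7F; $len = 0
    for ($k = 1; $k -le $n; $k++) { $len = ($len * 256) + $d[$pos + $k] }
    return @{ Length = $len; Next = $pos + 1 + $n }
}

# First top-level GeneralizedTime (tag 0x18) inside a SEQUENCE: for RFC 3161 TSTInfo that is genTime.
function Get-DerGeneralizedTime([byte[]]$d) {
    $pos = 0
    if ($d[$pos] -eq 0x04) { $pos = (Read-DerLength $d 1).Next }   # unwrap an OCTET STRING if .NET left it on
    if ($d[$pos] -ne 0x30) { return $null }
    $seq = Read-DerLength $d ($pos + 1)
    $pos = $seq.Next; $end = $pos + $seq.Length
    while ($pos -lt $end) {
        $tag = $d[$pos]; $tlv = Read-DerLength $d ($pos + 1)
        if ($tag -eq 0x18) {
            $text = [Text.Encoding]::ASCII.GetString($d, $tlv.Next, $tlv.Length)
            $fmts = @('yyyyMMddHHmmssK', 'yyyyMMddHHmmss.fK', 'yyyyMMddHHmmss.ffK', 'yyyyMMddHHmmss.fffK')
            return [DateTime]::ParseExact($text, $fmts, [Globalization.CultureInfo]::InvariantCulture,
                [Globalization.DateTimeStyles]::AdjustToUniversal)
        }
        $pos = $tlv.Next + $tlv.Length
    }
    return $null
}

# Trusted signing time of the driver signature, from either timestamp format signtool produces.
function Get-SignatureTimestamp([System.Security.Cryptography.Pkcs.SignerInfo]$si) {
    # Authenticode countersignature (signtool /t): signingTime in the countersigner's signed attributes
    foreach ($cs in $si.CounterSignerInfos) {
        foreach ($a in $cs.SignedAttributes) {
            if ($a.Oid.Value -eq '1.2.840.113549.1.9.5') { return $a.Values[0].SigningTime.ToUniversalTime() }
        }
    }
    # RFC 3161 timestamp (signtool /tr): unsigned attribute holding a nested SignedCms over TSTInfo
    foreach ($a in $si.UnsignedAttributes) {
        if ($a.Oid.Value -eq '1.3.6.1.4.1.311.3.3.1') {
            $tst = New-Object System.Security.Cryptography.Pkcs.SignedCms
            $tst.Decode($a.Values[0].RawData)
            return Get-DerGeneralizedTime $tst.ContentInfo.Content
        }
    }
    return $null
}

$blob = Get-AuthenticodeBlob $DriverPath
if (-not $blob) { throw "$DriverPath carries no Authenticode signature" }
$cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
$cms.Decode($blob)
$signer = $cms.SignerInfos[0]
$stamp = Get-SignatureTimestamp $signer

# The cross-certificate is the CA root re-signed by Microsoft; signtool /ac embeds it in the
# signature's certificate bag. Assumption: its issuer name contains "Microsoft Code Verification Root".
$cross = @($cms.Certificates | Where-Object { $_.Issuer -like '*Microsoft Code Verification Root*' })

$cutoff = [DateTime]::SpecifyKind([DateTime]'2015-07-29', [DateTimeKind]::Utc)   # Win10 RTM date from the thread
$verdict = if (-not $stamp) { 'no timestamp found: cannot be placed in the pre-cutoff case' }
           elseif ($stamp -lt $cutoff) { 'timestamped before 2015-07-29: legacy cross-signing path' }
           elseif ($stamp -lt $cutoff.AddDays(90)) { 'timestamped in the 90-day window: portal counter-signature, non-EV accepted' }
           else { 'timestamped after the window: portal submission with an EV certificate' }

[pscustomobject]@{
    WindowsStatus    = (Get-AuthenticodeSignature $DriverPath).Status   # what this machine's policy says
    Signer           = $signer.Certificate.Subject
    SignerValidUntil = $signer.Certificate.NotAfter.ToUniversalTime()
    Timestamp        = $stamp
    CrossCertIssued  = if ($cross.Count) { $cross[0].NotBefore.ToUniversalTime() } else { $null }
    CrossCertExpires = if ($cross.Count) { $cross[0].NotAfter.ToUniversalTime() } else { $null }
    Verdict          = $verdict
}
```

The script deliberately reads the PKCS#7 blob itself rather than relying only on Get-AuthenticodeSignature, because that cmdlet exposes the timestamper's certificate but not the signing time, and the signing time is exactly what Pascal's reading hinges on; Graham's reading is served by the CrossCertIssued field, which is the date he checked by hand for his day-job certificate. The Verdict line encodes the thread's interpretation and should be revisited once the policy is confirmed.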
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe