none
Do we need to sign filter drivers with EV certificate for Windows 10? RRS feed

  • Question

  • I have a lower filter driver for the USB driver. It is working fine in Windows 7 with normal code signing certificate. Do I need to sign the filter driver with EV certificate before installing in Windows 10? Please be specific in your reply. My doubt is about FILTER DRIVERS only.

    My doubt primarily arises from the fact that I installed the driver signed with normal code signing certificate in Windows 10 version 1703 and I did not face any issues.

    • Edited by Sudharsan62 Thursday, October 19, 2017 1:17 PM
    Thursday, October 19, 2017 1:12 PM

Answers

  • Your understanding is not correct.  Your driver package has to be signed BY MICROSOFT in order to be installed on a Windows 10 system where "Secure Boot" is set in the BIOS.

    You can get Microsoft's signature in two ways: by running the WHQL tests and submitting the test results, or by submitting your driver package for attestation signing.  Both of those things require that you submit your driver through the "developer hardware dashboard".  The problem is that creating a "developer hardware dashboard" account requires an EV certificate.

    Once you have the account set up, submitting is easy, but there's some pain to establishing the account.



    Tim Roberts | Driver MVP Emeritus | Providenza & Boekelheide, Inc.

    Friday, July 13, 2018 12:49 AM

All replies

  • Hi,

    As I see there is no reply here for the query. I have something similar stuck where I have developed a User mode driver (a virtual printer driver which is not associated with any hardware like this filter driver) and I am not sure whether I need EV certificate and hardware submission for the driver to work. In my understanding a standard code signing certificate is sufficient to sign my driver and get it installed on windows 10.

    Can you help me with your experience? 

    Thursday, July 12, 2018 10:03 AM
  • Your understanding is not correct.  Your driver package has to be signed BY MICROSOFT in order to be installed on a Windows 10 system where "Secure Boot" is set in the BIOS.

    You can get Microsoft's signature in two ways: by running the WHQL tests and submitting the test results, or by submitting your driver package for attestation signing.  Both of those things require that you submit your driver through the "developer hardware dashboard".  The problem is that creating a "developer hardware dashboard" account requires an EV certificate.

    Once you have the account set up, submitting is easy, but there's some pain to establishing the account.



    Tim Roberts | Driver MVP Emeritus | Providenza & Boekelheide, Inc.

    Friday, July 13, 2018 12:49 AM
  • Hi Tim,

    Thanks for the answer. But there seems to be an issue with this too.

    As I am having a virtual printer driver and not a real one, my driver is not associated with any kind of hardware. The tests required for printer driver submission in "developer hardware dashboard" require a real, physical printer to run which is not my case. 

    Can you guide me as to how to proceed with this issue? I mean is there any way to test virtual drivers via portal?

    Friday, July 13, 2018 8:55 AM
  • Well, I posted same query to MSDN doc in github and they gave me a confirmation that we can use usermode drivers without signing in windows 10.

    Can see the query thread here:

    https://github.com/MicrosoftDocs/windows-driver-docs/issues/654

    Although my own experience is that even user mode drivers need signing. 

    So combining the two above, it seems my understanding is correct about user mode drivers that we do need signing but not windows portal submission rather standard certificate signing is sufficient, which answers the first question here.

    But unfortunately my understanding about XPSDrv sample driver was wrong. I used it as a base to develop my virtual printer driver and I come to know that it is a kernel mode driver as pointed out in the same thread above.

    Now, I have following doubts:

    1- As I have read that printer drivers are user mode only and as XPSDrv sample driver also doesn't have any kernel mode then why is it compiled as kernel mode driver? And is it just about Platform Toolset which changing to user mode will fix the issue or thats not how it works?

    2- How can i change a kernel mode driver to user mode one? In my driver, i only have a GPD, INF and pipeline config file and no custom kernel components, so i guess there has to be a way to convert it into user mode.

    3- Is there any means to check whether a driver present in system is kernel mode or user mode?


    • Proposed as answer by Nirvanaa Wednesday, July 18, 2018 11:37 AM
    • Edited by Nirvanaa Wednesday, July 18, 2018 1:18 PM
    Wednesday, July 18, 2018 11:37 AM