Signing driver completed, but driver has not been signed by attestation.

  • Question

  • Signing driver completed, but driver had not been signed by attestation.

    We are a developer of a Windows application that has a few kernel mode drivers.
    We are using DigiCert SHA256 certificates.
    We have purchased the EV certificate.
    We passed the WHLK test. We used our EV certificate to sign the .hlkx file, signed in to the Partner Center, and then selected Submit new hardware.
    When we get our driver files back, they have the MS certificate on the Digital Signatures page of the file's Properties.
    But the driver has not been signed by attestation.

    Reference weblink: https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-drivers-signed-by-microsoft-for-multiple-windows-versions

    How to validate the Microsoft signature
    1. To check the EKU, right-click the .cat file and click Properties. Click the Digital Signatures tab, click the name of the certificate, and then click Details.
    2. On the certificate Details tab, click Enhanced Key Usage. There you will see the EKUs and corresponding OID values for the certificate. In this case, the Windows Hardware Driver Verification OID ends with a 5, which means the driver has not been signed by attestation:

    I checked my .cat file, and its Properties information includes:
    Windows Hardware Driver Extended Verification (1.3.6.1.4.1.311.10.3.39)
    Windows Hardware Driver Verification (1.3.6.1.4.1.311.10.3.5)
    Code Signing (1.3.6.1.5.5.7.3.3) 

    Is this part of the HLK kit or of the submission to MS? Is the driver signing complete?

    Monday, December 16, 2019 3:35 AM
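
Added example, not part of the original thread: a PowerShell script that performs the EKU check from the two steps quoted in the question without the Properties dialog. The script and function names are hypothetical; the attested-verification OID ending in `.5.1` does not appear in this thread and is taken from the Microsoft documentation page linked in the question.

```powershell
# Check-DriverEku.ps1 (hypothetical name): list the EKU OIDs on a signed driver file's
# signer certificate and report whether it carries the attestation EKU.
param(
    [Parameter(Mandatory)] [string] $Path   # .cat or .sys file returned by Partner Center
)

# The first, second and fourth OIDs are the ones quoted in the question.
# The ".5.1" OID is an addition here (from the linked Microsoft documentation).
$KnownEku = [ordered]@{
    '1.3.6.1.4.1.311.10.3.39'  = 'Windows Hardware Driver Extended Verification'
    '1.3.6.1.4.1.311.10.3.5'   = 'Windows Hardware Driver Verification'
    '1.3.6.1.4.1.311.10.3.5.1' = 'Windows Hardware Driver Attested Verification'
    '1.3.6.1.5.5.7.3.3'        = 'Code Signing'
}

function Get-SignerEkuOid {
    param([string] $File)
    $sig = Get-AuthenticodeSignature -LiteralPath $File
    if ($null -eq $sig.SignerCertificate) {
        throw "No signature found for $File"
    }
    # Any status other than Valid (HashMismatch, NotTrusted, ...) means the
    # EKUs below describe a signature that should not be relied on.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is $($sig.Status): $($sig.StatusMessage)"
    }
    $ext = $sig.SignerCertificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

$oids = @(Get-SignerEkuOid -File $Path)
foreach ($oid in $oids) {
    $name = if ($KnownEku.Contains($oid)) { $KnownEku[$oid] } else { 'not in this script''s table' }
    '{0,-26} {1}' -f $oid, $name
}

if ($oids -contains '1.3.6.1.4.1.311.10.3.5.1') {
    'Result: attested verification EKU present (attestation-signed).'
} elseif ($oids -contains '1.3.6.1.4.1.311.10.3.5') {
    'Result: Hardware Driver Verification OID ends in 5 (not signed by attestation).'
} else {
    'Result: no Windows Hardware Driver Verification EKU on the signer certificate.'
}
```

The EKU list only describes the signer certificate; chain validation is still done with the `signtool verify /v /kp` command given in the replies.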

All replies

  • I'm not sure what you're asking.  Attestation signing is a "fall back" option if you can't or don't want to submit the full WHLK test suite.

    If you want to check the signatures, just do

        signtool verify /v /kp xxxx.sys (or xxxx.cat)

    As long as the certificate chains end in the Microsoft Code Verification Root, you are fine.

    Why do you think there is a problem?  As long as you downloaded it from the Partner Center, the files are signed.


    Tim Roberts | Driver MVP Emeritus | Providenza & Boekelheide, Inc.

    Monday, December 16, 2019 7:33 AM
  • You mean if we want to get attestation signing, we just test the full WHLK test suite and submit it, right?
    Monday, December 16, 2019 10:18 AM
  • No, that's absolutely NOT what I mean.  You are confusing two different things.  WHLK signing and attestation signing are two different processes.

    If you are able and willing to do the full WHLK suite and submit the results, the signed package you get back is WAY better than attestation signing, because it works on all Windows versions.

    Attestation signing is the second choice -- the fallback position -- the cheap substitute.  An attestation-signed package ONLY works on Windows 10.  You only go through the attestation path if you can't or don't want to do WHLK testing.

    What I'm saying is you don't WANT attestation signing.  If you are doing WHLK, then just forget about attestation signing.  It is of no use to you.


    Tim Roberts | Driver MVP Emeritus | Providenza & Boekelheide, Inc.

    • Marked as answer by Giminc Wednesday, December 18, 2019 1:40 AM
    Tuesday, December 17, 2019 7:20 AM
  • Thanks for your detailed information.

    Wednesday, December 18, 2019 2:57 AM