Wireshark-dev: Re: [Wireshark-dev] Windows driver signing certificate purchase decision for Win

From: Pascal Quantin <pascal.quantin@xxxxxxxxx>
Date: Tue, 21 Jul 2015 08:06:08 +0200


On 21 Jul 2015 4:15 AM, "Yang Luo" <hsluoyb@xxxxxxxxx> wrote:
>
> Hi list,
>
> There are only 8 days left for Win10 RTM. It seems that both WinPcap and Npcap need to decide which kind of Windows driver signing certificate to buy. There are two kinds of certs: EV cert and non-EV cert.
>
> AFAIK, I think we don't need to buy an EV cert yet, as an EV cert is complicated to use (has to use a hardware key) and much more expensive. You should have found out that the current Npcap driver CAN be successfully installed into Windows 10 Insider Preview 10240 x64 (which is a candidate for Win10 RTM) WITHOUT disabling "Driver Signature Enforcement". The reason turns out to be: "To ensure backwards compatibility, drivers which are properly signed by a valid cross-signing certificate that was issued before the release of Windows 10 will continue to pass signing checks on Windows 10." (see for details: http://blogs.msdn.com/b/windows_hardware_certification/archive/2015/04/01/driver-signing-changes-in-windows-10.aspx). My English is not that good, but I think this sentence means that if you buy a non-EV cert before Win10 release (AKA 2015/7/29), you can use the cert to sign a driver for any platform including Win10 until it expires. So you can just buy a 3-year long cert before 7/29 and use it to sign any drivers for these 3 years. 3 years later, we have no other choice but to buy an EV cert, but who knows whether Microsoft would change its driver signing policy again then?
>
> Am I understanding it right?
>

Hi Yang,

That's not my understanding. What matters here is the driver signing timestamp, and not the expiry date of your certificate.
You have 3 cases:
- a driver signed with a timestamp prior to the 29th of July will still load for backward compatibility (same rules as previous Windows versions)
- for drivers with a signature timestamp from the 29th of July or later, you need to upload your signed driver to the Microsoft portal to get a counter signature that will allow it to be installed on Windows 10
- 90 days after the 29th of July, the portal will no longer accept drivers not signed with an EV certificate

So as you see, the grace period will be short and you cannot escape the purchase of an EV certificate (unless you hurry up to polish your driver before the deadline ;)). Even the counter signature step seems a bit painful (I have not tried it myself yet).

Pascal.