Wireshark-dev: Re: [Wireshark-dev] We now have an EV code signing certificate!

From: Graham Bloice <graham.bloice@xxxxxxxxxxxxx>
Date: Sat, 25 Jul 2015 00:47:32 +0100
On 24 July 2015 at 21:24, Gerald Combs <gerald@xxxxxxxxxxxxx> wrote:
Our (the Wireshark Foundation's) EV code signing certificate + token
arrived today. I have successfully configured the token and used it to sign
an executable.


Lots of new information here (https://www.osr.com/blog/2015/07/24/questions-answers-windows-10-driver-signing/) about the new driver signing (attestation) requirements.

Things I noted:
  1. Only EV certs from Digicert and Symantec are currently supported, Globalsign and Wosign are coming.  Where's ours from Gerald?
  2. It still looks like drivers can be cross-signed by the old MS certs if they were issued before Win 10 RTM, although this can be disabled by OS config changes.  Better grab one now for our EV cert.
  3. You must build a .cab file with the driver and a .INF (even if it's just a dummy) to submit.  Only one architecture (x86, x64) per .cab
  4. The new "attestation" signing is not currently supported by the REST API's, i.e. no programmatic signing yet.
  5. You can only "attest" sign a driver for Win 10.  Drivers for earlier OS's don't need attest signing, so a "universal" installer will have to include both pre-Win10 and Win10 packages.
  6. Server vnext will only support drivers that have been signed *and* passed the HLK tests.
 
--
 
Graham Bloice