Windows Driver Signing Bullshit

You’re probably thinking “what’s taking this guy so long to push out releases”. Well, apart from my permanent lack of time (job, life, you know the drill) it’s some bullshit called Driver Signing. What is that and why should you care? Read on…

Background

Long story short: every version of Windows we care about (starting with 7, skipping Vista) enforces certain restrictions when you’re dealing with the installation of a device driver. The major one is the signature on the driver files. Since other people smarter (and older) than me have already tackled this topic I’ll just blatantly steal a quote from David Grayson:

If you have ever installed some software or drivers in Windows, you have probably seen a dialog telling you the name of the company or person that published that software. This means that the publisher has cryptographically signed their work. Signing your software is important: by showing a nicer dialog to the end user, it gives end users more confidence that they are not installing malware. In the case of device drivers, signing is even required by certain versions of Windows in certain situations.

If you’re interested in the whole story of signing Windows drivers I recommend you read the whole article I linked above.

Another quote, from an article by a bloke at PiXCEL:

What’s not immediately clear with Windows 8 is that an unsigned 32 bit Windows 7 driver may (but probably will not) load, and an unsigned 64 bit driver definitely will not. The usual error is a message that the installation failed, or that an unnamed file cannot be found. These error messages are particularly unhelpful and don’t accurately reflect the cause of the failure.

So in summary: a working signature is inescapable if you want to release drivers to the public, got it. Therefore I acquired an Extended Validation Code Signing Certificate from GlobalSign, based on David Grayson’s experiences and recommendations (which was ridiculously expensive for the community work I use it for, but that’s for yet another post).
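Before wrestling with any portal it helps to see what signatures a driver package actually carries, because "installation failed" tells you nothing. The PowerShell below is an added example, not code from this post or from any of the tools it mentions; the package folder and the driver filename are assumptions, and signtool.exe is assumed to be on the PATH from the Windows SDK.

```powershell
# Added example (not from the original post): inspect the Authenticode
# signatures on a driver package before shipping it.
$driverDir = 'C:\build\MyDriver\x64\Release'   # hypothetical package folder

# A driver package carries its signature on the .cat catalog (which holds the
# hashes of the files listed in the INF) and, for kernel-mode binaries, on the
# .sys file itself. List both and report what each signature looks like.
Get-ChildItem -Path $driverDir -Include *.sys, *.cat -Recurse | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [PSCustomObject]@{
        File        = $_.Name
        Status      = $sig.Status          # Valid / NotSigned / HashMismatch / NotTrusted / ...
        Detail      = $sig.StatusMessage
        Signer      = $sig.SignerCertificate.Subject
        Issuer      = $sig.SignerCertificate.Issuer
        Expires     = $sig.SignerCertificate.NotAfter
        Timestamped = [bool]$sig.TimeStamperCertificate   # no timestamp = dies with the cert
    }
} | Format-Table -AutoSize

# Get-AuthenticodeSignature only applies the user-mode trust policy. Whether a
# kernel driver will actually load is decided by the kernel-mode signing policy,
# so ask signtool to verify against that policy (/kp) and print the full chain (/v).
& signtool.exe verify /kp /v (Join-Path $driverDir 'mydriver.sys')   # filename assumed
```

The first listing is the quick sanity check (is it signed at all, by whom, does the chain end where you expect it to, is it timestamped); the signtool call is the one that reflects what the loader will enforce, and a package that passes the first and fails the second is exactly the case where Windows only offers the unhelpful messages quoted above.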

The Problem

OK, I really want to keep this as short and non-boring as possible, but this is important. You’ll find a whole truck-load of articles on MSDN and the general interwebz. Everybody is talking about the new signing requirements for the Windows 10 Anniversary Update and how those requirements have been tightened even more when UEFI Secure Boot is enabled, yaddi-yadda and so on and so forth. Now that I also have access to their brand new developer dashboard I can finally request a signature from Microsoft which will allow my drivers to load even on the latest Windows 10 with Secure Boot on. Great! But what about Windows 8(.1) and 7? They’re still around, aren’t they? Well, too bad for you, the portal doesn’t give you the options for those:

And I know this fact is documented in MSDN:

As an alternative to HLK and HCK testing, you can cross-sign your driver yourself and submit it to the dashboard for attestation signing so that it also works on Windows 10. This is more complicated, but still a valid option. But it’s important to note that a submission signed this way will not work on Windows Server 2016. For more information about how to attestation sign a driver, see Attestation signing a kernel driver for public release. Important: You must still use Hardware Dev Center (Sysdev) to attestation sign a driver until driver signing is available through the new Windows Hardware Dev Center dashboard.

But what’s that good for?! Thanks for telling me I’m just wasting my time with the portal! But then what’s this:

Use the Hardware Lab Kit (HLK) to test your submission against Windows 10 and use the Hardware Certification Kit (HCK) to test against earlier versions of Windows. Then create a dashboard submission that includes all the merged HLK/HCK test results. During the submission process, you can opt-in to get a free signature for Windows Vista and Windows XP, as shown later in this topic. To opt-in for Windows Server 2008, provide a submission ID from a Windows Logo Kit (WLK) submission. This is the only way to make a submission apply to all Windows versions.

Ah, use the Hardware Lab Kit, you say? You mean this piece-of-shit software that requires yet another virtual machine running in my build environment, but this time with Server 2012 R2 installed? Okay, I obeyed and went through multiple tries (because, as I said, piece of shit), and even after preparing a physical test machine to run the test playlist I still can only submit a package for Windows 10:

Oh, excuse me, I could submit it if not for the fact that I can’t sign it, because the damn tool doesn’t recognize my hardware token, which you have to use if you bought an EV certificate, which you have to buy because it’s required by the same baboons who probably made the tool incompatible with the cert!

In conclusion I can say this has torn my soul more than anything else I’ve ever encountered in IT, which led to this rant post. Hopefully some Overwatch can cool me down now, see you later 😑

Regards