madshi.net

In short, signing for Win 10 is the same as signing for previous Windows. Signing with an EV certificate is the same as signing with any other certificate. You just continue to use SignTool as the Madshi's MadCodeHook doc says.

-- David

Thank you! If my search for an API to signal a file handle comes up empty, and I'll do this.

I added some comments in the code which hopefully explain it better.

Perhaps your idea of hooking WaitForSingleObject could be used to replace the wait of the file handle with the wait of an event which the ReadFile hook would signal by calling SetEvent. What do you think?

Hi Iconic. Yes, Windows allows waiting for the file handle itself and not an event. That is supported. If an event is provided in the OVERLAPPED, Windows will signal it by calling SetEvent. But it also somehow signals the file handle. And I don't know what API to use to do that. I have looked throug...

Hello, I am hooking ReadFile() and the caller is basically doing something like: // Start reading file asynchronously HANDLE hFile = CreateFile(..., FILE_FLAG_OVERLAPPED, ...); BYTE bReadBuffer[10]; OVERLAPPED oRead = { 0 }; ReadFile(hFile, bReadBuffer, 10, NULL, &oRead); // Thread continues to ...

If you are interested in using a SHA-1 certificate, the last day to purchase a new or renewed one is December 31, 2015. I've written a post here: https://dcsoft.wordpress.com/2015/12/14 ... r-31-2015/

Thanks,
David

This topic is discussed in great detail here: http://www.osronline.com/showthread.cfm?link=268241 Scroll to the very end: > Just wanted to point out that there is a very helpful section in a MSFT Hardware Dev Center document for "Code Signing FAQ", which succinctly summarizes the code sign...

It's confusing, and even more because the rules for kernel mode are different than for user mode. Following your link to http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx , the only thing I could find for code sign...

MS doesn't promise SHA-1 will work on Win 10 if the cert was issued after Win 10 RTM... but it does. A couple people here say it does, and David Grayson says it does. I guess MS could break it whenever they felt like though. Madshi, you still need to use a SHA-2 cert (either EV or not) for your user...

A DigiCert SHA-1 cert issued after the Win 10 RTM date works for me on Win 10 Pro x64 with SecureBoot enabled. I tested on a Windows 8.1 Hyper-V VM (Generation 2, with SecureBoot enabled). The guest OS is Windows 10 Pro x64, Version 1511 (10586.17). SHA-1 certs (all SHA-1 certs are non-EV) will only...

madshi wrote:The problem is likely to be with SecureBoot, and I don't have a win10 VM with active SecureBoot atm.

I could test for you. BTW, Hyper-V in Win 8/10 Pro supports SecureBoot (UEFI), the host does not need to: https://technet.microsoft.com/en-us/lib ... 82285.aspx

Thanks,
David

XP SP3 and Vista only support SHA-2 for user mode. Not kernel drivers. Good to know DigiCert offers both, thank you. I have a EV SHA-2 and will ask for SHA-1.

Thanks Madshi. If you have time, could you use your SHA1-renewed-after-Win10-RTM to sign a sample driver and see if it loads in Win 10? Although it might not work in the future: https://www.osr.com/blog/2015/07/24/questions-answers-windows-10-driver-signing/ We do support a transitional policy for f...

I just got the new certificate today and it's SHA1. They allowed me to choose between SHA1 and SHA2 when I renewed, and for SHA2 they explicitly warned that it might not work on some older OSs. Maybe they've had enough customers complain about the lack of SHA1? I don't know. I had anticipated that ...

1. Universal Installer: Thanks @Madshi, excellent! 2. User Mode SHA-2: https://www.comodo.com/e-commerce/SHA-2-transition.php XP SP3 and later support SHA-2. We just need to get SHA-2 certs and resign our installers by January 1, and that’s it. No dual-signing is necessary. So make sure your cert is...