Windows 10 support

c++ / delphi package - dll injection and api hooking
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Re: Windows 10 support

Post by dcsoft »

1. Universal Installer: Thanks @Madshi, excellent!

2. User Mode SHA-2: https://www.comodo.com/e-commerce/SHA-2-transition.php
XP SP3 and later support SHA-2. We just need to get SHA-2 certs and resign our installers by January 1, and that’s it. No dual-signing is necessary. So make sure your cert is SHA-2, if not, you need to buy a new one (yes, even before the existing SHA-1 expires).

3. Kernel Drivers SHA-2: Are there any advantages to using a SHA1 cert for kernel drivers? I don't think so since @alfunits said his non-EV2 SHA-2 cert worked.

4. Kernel Drivers MS Portal: Under what conditions can we continue to use the cross certificate to avoid the MS Portal, even for Windows 10? Are there any?

Thanks,
David
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Re: Windows 10 support

Post by dcsoft »

madshi wrote:I just got the new certificate today and it's SHA1. They allowed me to choose between SHA1 and SHA2 when I renewed, and for SHA2 they explicitly warned that it might not work on some older OSs. Maybe they've had enough customers complain about the lack of SHA1? I don't know. I had anticipated that getting SHA1 might be difficult, and was happy when I could easily choose it. So I took the opportunity and renewed for 3 years, so I don't have to worry about compatibility with old OSs for 3 years now.

The EV certificate is needed, *if* you want to support SecureBoot, and *if* your non-EV certificate was issued/renewed after Windows 10 release date. At least that's my understanding.

Madshi, is this still your belief? My cert expires this week. I ordered a SHA-2 renewal so that I could sign my user mode stuff after January 1, 2016. But you say kernel mode stuff can still use SHA-1, even with a cert issued after the Win 10 RTM (except for SecureBoot). But I understand SecureBoot will work with SHA1 regardless on Intel x86 and x64, just not on ARM. If so, then SHA-1 can be used for kernel stuff on all Windows, including Win 10?

Thanks,
David
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 support

Post by madshi »

I already wrote today:

> I was not aware of SHA-1 running out on Windows 7+.

I also already wrote a long comment in this thread today, which sums up what I know or think to know. I don't really have any more information than that. I wish I had all the answers, but I don't.
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Re: Windows 10 support

Post by dcsoft »

Thanks Madshi. If you have time, could you use your SHA1-renewed-after-Win10-RTM to sign a sample driver and see if it loads in Win 10?

Although it might not work in the future: https://www.osr.com/blog/2015/07/24/que ... r-signing/
We do support a transitional policy for folks that hopefully alleviates some of the pressure. Windows 8 style kernel mode code signing will continue to work, as long as the certificate was issued prior to Windows 10 RTM (the cut off). The default state for this policy is turned on, but IT admins can choose to turn it off using a new feature in Windows 10 called configurable code integrity.

Thanks,
David
alfaunits
Posts: 21
Joined: Sat Apr 09, 2011 9:41 pm

Re: Windows 10 support

Post by alfaunits »

I was not aware that XP SP3 supports SHA2, that is nice! As long as XP x64 and Vista x64 SP1 do, then there is absolutely no reason for SHA-1 now.

Anyway, I have contacted GS and DigiCert (we have both certs, two different companies). Both can issue SHA1 and SHA2 at the same time! If you need them.
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Re: Windows 10 support

Post by dcsoft »

XP SP3 and Vista only support SHA-2 for user mode. Not kernel drivers. Good to know DigiCert offers both, thank you. I have an EV SHA-2 and will ask for SHA-1.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 support

Post by madshi »

dcsoft wrote:Thanks Madshi. If you have time, could you use your SHA1-renewed-after-Win10-RTM to sign a sample driver and see if it loads in Win 10?

The problem is likely to be with SecureBoot, and I don't have a win10 VM with active SecureBoot atm.
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Re: Windows 10 support

Post by dcsoft »

madshi wrote:The problem is likely to be with SecureBoot, and I don't have a win10 VM with active SecureBoot atm.

I could test for you. BTW, Hyper-V in Win 8/10 Pro supports SecureBoot (UEFI), the host does not need to: https://technet.microsoft.com/en-us/lib ... 82285.aspx

Thanks,
David
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

It works - SHA-1 cert issued after the Win 10 RTM date

Post by dcsoft »

A DigiCert SHA-1 cert issued after the Win 10 RTM date works for me on Win 10 Pro x64 with SecureBoot enabled. I tested on a Windows 8.1 Hyper-V VM (Generation 2, with SecureBoot enabled). The guest OS is Windows 10 Pro x64, Version 1511 (10586.17).

SHA-1 certs (all SHA-1 certs are non-EV) will only be issued until end of December (about 3 weeks). Source: https://cabforum.org/2014/10/16/ballot- ... -1-sunset/
9.4.2 SHA-1 Validity Period
Effective 1 January 2016, CAs MUST NOT issue any new Subscriber certificates or Subordinate CA certificates using the SHA-1 hash algorithm. CAs MAY continue to sign certificates to verify OCSP responses using SHA1 until 1 January 2017. This Section 9.4.2 does not apply to Root CA or CA cross certificates. CAs MAY continue to use their existing SHA-1 Root Certificates. SHA-2 Subscriber certificates SHOULD NOT chain up to a SHA-1 Subordinate CA Certificate.

So I encourage you all to get yours now. DigiCert issued me one (and @alfaunits says GlobalSign will also), but Comodo refused. I had current SHA-2 certs from both DigiCert and Comodo, I don't know if that made a difference with DigiCert. DigiCert didn't charge me for the SHA-1 because I already had an EV SHA-2.

Thanks,
David
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 support

Post by madshi »

That sounds pretty good. It kind of contradicts what Microsoft has said, though, which confuses me. Does that mean we don't need those EV certificates *at all* now? If the SHA-1 certificate works now, a simple SHA-2 certificate should work, too, no?
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Windows 10 support

Post by iconic »

I'm fairly certain that as long as your SHA-1 cert was issued before Microsoft's imposed Jan 1 2016 deadline there will be no issues with anything on any OS; it's those that have certs issued after this deadline that will be forced to use SHA-2 from what I understand. Last I read CAs were "prohibited" to issue SHA-1 certs effective Jan 1 in order to participate in Microsoft's cross-signing program. I'd highly suggest getting with GlobalSign or DigiCert (Thanks DCSoft) and trying to renew for 3 years if you can.

--Iconic
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 support

Post by madshi »

So you think I don't even have to switch to SHA-2 (let alone EV) for 3 years? That would be most awesome, of course!
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Re: Windows 10 support

Post by dcsoft »

MS doesn't promise SHA-1 will work on Win 10 if the cert was issued after Win 10 RTM... but it does. A couple people here say it does, and David Grayson says it does. I guess MS could break it whenever they felt like though.

Madshi, you still need to use a SHA-2 cert (either EV or not) for your user mode installers after Jan 1.

Thanks,
David
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Windows 10 support

Post by iconic »

The major question is, what will happen come January 1, 2016? I imagine it will be one of two things, these are [1] Any drivers signed before January 1, 2016 will continue to load and function normally for backwards compatibility based on their time/datestamp. [2] Best case scenario come January 1, 2016 even SHA-1 drivers signed _after_ this date will continue to load if the certificate issuing date was prior to January 1, 2016. So, will the metric for blocking be the time/datestamp of the signed file or actually the issuing date of the certificate itself, perhaps both? This article is 10 months old but covers similar questions http://www.infoworld.com/article/287907 ... ption.html
For code signing certificates, Windows will stop accepting SHA1 code signing certificates without time stamps after 1 January 2016. SHA1 code signing certificates that are time stamped before 1 January 2016 will be accepted until such time when Microsoft decides SHA1 is vulnerable to pre-image attack.

P.S: Seems that time/datestamps are a MUST, so make sure that you include the switch when signing.

--Iconic
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Re: Windows 10 support

Post by dcsoft »

It's confusing, and even more because the rules for kernel mode are different than for user mode. Following your link to http://social.technet.microsoft.com/wik ... mping.aspx, the only thing I could find for code signing and January 1, 2016 is:
Code signing certificates
On Win 7 and above, blocked on 1/1/2020 if time stamped before 1/1/2016, otherwise, blocked after 1/1/2016 for Mark of the Web files.
But "Mark of the Web" is for user mode (things like downloading installers). I don't see anything about kernel mode here, let alone Windows 10 and EV SHA-2 certs.

The clearest explanation I have found is https://support.globalsign.com/customer ... hm-support which shows a nice table of user mode vs kernel mode vs Win OS. Except its Windows 10 kernel mode isn't accurate, at least compared to the fact that we are seeing SHA-1 after RTM still works on Win 10.

I guess we will have to wait and see on Jan 1 what happens.

RE: "Time/datestamps are a MUST" -- this goes without saying even without this confusion. If you don't timestamp, your signature will expire when your cert expires! This is definitely not what you want. You want your signature to last forever. Which is what happens only when you timestamp.

Thanks,
David
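The certificate and timestamp conditions argued over in this thread (SHA-1 signing certificate, certificate issued on or after the 1 January 2016 cutoff, and the "timestamp or your signature dies with the cert" point in the last post) can be audited on already-signed files. The script below is an added example, not code from this thread or from any poster; it assumes Windows PowerShell 5.1, and the file paths and cutoff date are placeholders.

```powershell
# Added example (not from this thread). Audits signed files for the conditions
# discussed above: SHA-1 signing certificate, certificate issued on/after the
# SHA-1 cutoff, and missing timestamp. Assumes Windows PowerShell 5.1.
param(
    [string[]]$Path = @('.\MyDriver.sys', '.\Setup.exe'),  # placeholder paths
    [datetime]$Sha1Cutoff = [datetime]'2016-01-01'         # cutoff cited in the thread
)

function Test-SigningPosture {
    param([string]$File, [datetime]$Cutoff)

    $sig  = Get-AuthenticodeSignature -FilePath $File
    $cert = $sig.SignerCertificate        # certificate that signed the file ($null if unsigned)
    $tsa  = $sig.TimeStamperCertificate   # non-null only when a timestamp countersignature exists

    # SignatureAlgorithm is the algorithm the CA used to sign the certificate
    # (sha1RSA vs sha256RSA), i.e. "SHA-1 cert" vs "SHA-2 cert" in the thread's terms.
    # It is not the file digest algorithm selected at signing time.
    $certAlg = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { $null }

    $findings = @()
    if ($sig.Status -ne 'Valid') {
        $findings += "signature status is $($sig.Status): $($sig.StatusMessage)"
    }
    if ($cert -and -not $tsa) {
        # Without a timestamp the signature stops validating once the cert expires.
        $findings += "not timestamped: signature expires with the certificate on $($cert.NotAfter.ToShortDateString())"
    }
    if ($certAlg -like 'sha1*') {
        $findings += "signing certificate is SHA-1 ($certAlg)"
        if ($cert.NotBefore -ge $Cutoff) {
            $findings += "SHA-1 certificate issued on/after $($Cutoff.ToShortDateString())"
        }
    }

    [pscustomobject]@{
        File          = $File
        Status        = $sig.Status
        CertAlgorithm = $certAlg
        CertValidFrom = if ($cert) { $cert.NotBefore } else { $null }
        CertValidTo   = if ($cert) { $cert.NotAfter } else { $null }
        TimeStamped   = [bool]$tsa
        Findings      = $findings
    }
}

$Path | ForEach-Object { Test-SigningPosture -File $_ -Cutoff $Sha1Cutoff } | Format-List
```

An empty Findings list means the file is validly signed, timestamped, and signed with a non-SHA-1 certificate; any other combination prints the specific condition so it can be fixed before the certificate expires.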