Windows 10 support

madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 support

Post by madshi »

I've got a reply from the mentioned madCodeHook user, but sadly I think he's on vacation from today for nearly a full month, so we won't get any further replies. Here's what he said:

1) We need to register here:

https://sysdev.microsoft.com/de-DE/Hardware/member/

We need to create a company account, and for that we need a class 3 code signing certificate.

2) Then we need to go here:

https://sysdev.microsoft.com/de-DE/Hard ... quest.aspx

And then digitally sign all those 12 documents.

3) Then fill out this form:
form.png
4) We need to use the MS "makecab" tool to build a package which contains a number of files, namely our driver files, an inf file and two cat files. Those cat files can be created with "makecat". The inf file is just a transport method to tell Microsoft which drivers are supposed to be signed. Attached you'll find a dummy inf file which should serve that purpose. Of course you need to adjust it to match your driver file names etc.

Done. You should receive a zip with the signed cat and sys files from Microsoft. It seems the sys file has both your own code signing certificate in it, and the Microsoft certificate. So I suppose the sys file might work for older OSs, too. But I can't really test this myself, because I don't have an EV certificate to play with.
Attachment: YourDriver.zip
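One way to build the package from step 4 above, written here as an added example; it is not from the post, from madshi or from the attached YourDriver.zip. It assumes the driver is YourDriver.sys with a matching YourDriver.inf in per-architecture folders x64 and x86 (which is why two cat files come out, as the post mentions), that the EV certificate is in the signer's personal certificate store, and that $EvThumbprint and $Timestamp are placeholders to replace. Steps 1 to 3 (account, documents, form) happen in the browser and are not scripted; the script stops at the cab that gets uploaded.

```powershell
# Added example, not from the post: build the makecat/makecab package for the Microsoft dashboard.
# Assumed layout (adjust to your driver):
#   .\YourDriver\x64\YourDriver.sys  .\YourDriver\x64\YourDriver.inf
#   .\YourDriver\x86\YourDriver.sys  .\YourDriver\x86\YourDriver.inf
# Needs makecat.exe and signtool.exe from the Windows SDK and makecab.exe (ships with Windows) on PATH.
$ErrorActionPreference = 'Stop'
$Name         = 'YourDriver'
$Root         = Join-Path (Get-Location).Path $Name
$EvThumbprint = '0000000000000000000000000000000000000000'   # placeholder: thumbprint of the EV cert
$Timestamp    = 'http://timestamp.example.invalid/rfc3161'   # placeholder: your CA's RFC 3161 timestamp URL
$Archs        = @('x64', 'x86')

# 1. One catalog per architecture (the "two cat files"). Each <hash> line names a file whose hash
#    goes into the catalog, i.e. a file Microsoft's signature will cover. OSAttr 2:10.0 marks it
#    as a Windows 10 catalog.
foreach ($arch in $Archs) {
    $dir = Join-Path $Root $arch
    @"
[CatalogHeader]
Name=$Name.cat
ResultDir=$dir
PublicVersion=0x00000001
EncodingType=0x00010001
CATATTR1=0x10010001:OSAttr:2:10.0
[CatalogFiles]
<hash>$Name.sys=$dir\$Name.sys
<hash>$Name.inf=$dir\$Name.inf
"@ | Set-Content -LiteralPath (Join-Path $dir "$Name.cdf") -Encoding Ascii
    & makecat.exe -v (Join-Path $dir "$Name.cdf")
    if ($LASTEXITCODE -ne 0) { throw "makecat failed for $arch" }
}

# 2. makecab directive file: inf, sys and cat of every architecture in one .cab, with the folder
#    layout preserved so each architecture's three files stay together.
$ddfLines = @(
    '.OPTION EXPLICIT'
    '.Set CabinetFileCountThreshold=0'
    '.Set FolderFileCountThreshold=0'
    '.Set FolderSizeThreshold=0'
    '.Set MaxCabinetSize=0'
    '.Set MaxDiskFileCount=0'
    '.Set MaxDiskSize=0'
    '.Set CompressionType=MSZIP'
    '.Set Cabinet=on'
    '.Set Compress=on'
    ".Set CabinetNameTemplate=$Name.cab"
    '.Set DiskDirectoryTemplate=disk1'
)
foreach ($arch in $Archs) {
    $ddfLines += ".Set DestinationDir=$Name\$arch"
    foreach ($ext in 'inf', 'sys', 'cat') { $ddfLines += "$Root\$arch\$Name.$ext" }
}
$ddfLines | Set-Content -LiteralPath "$Name.ddf" -Encoding Ascii
& makecab.exe /f "$Name.ddf"
if ($LASTEXITCODE -ne 0) { throw 'makecab failed' }

# 3. The dashboard requires the uploaded cab itself to carry the EV signature.
$cab = Join-Path 'disk1' "$Name.cab"
& signtool.exe sign /v /fd sha256 /sha1 $EvThumbprint /tr $Timestamp /td sha256 $cab
if ($LASTEXITCODE -ne 0) { throw 'signing the cab failed' }
# Check chain and timestamp locally before uploading; a rejected cab costs a round trip.
& signtool.exe verify /v /pa $cab
if ($LASTEXITCODE -ne 0) { throw 'cab signature does not verify' }
```

The cab signature only authenticates the upload to Microsoft; the sys and cat files inside are still whatever you put there, so if you want your own signature on the driver as well (madshi's suggestion later in the thread for a single installer), sign the sys file before running this script.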
alfaunits
Posts: 21
Joined: Sat Apr 09, 2011 9:41 pm

Re: Windows 10 support

Post by alfaunits »

This is an FYI, as I am testing on Windows 10 only now.
I use signtool to sign the madCodeHook drivers with an SHA2 NON-EV certificate, and the drivers load on Windows 10 x64. This is exactly how they were signed before.

This also works for Windows 7 x64 (which enforces driver signing), as there is an update to enable SHA2 support. The only OSes this will be an issue for are x64 XP, 2003 and Vista, since they do not support SHA2. A signature with a SHA1 certificate alongside the SHA2 cert will work, but only as long as your SHA1 cert is valid, and no new ones will be issued any more.
The good thing is that the above x64 OSes are hardly used, apart from 2003 x64 server.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Windows 10 support

Post by iconic »

If you owned a cert, even SHA-1, before Windows 10 was released (grace period was 3 months from release), you do not need an EV cert to sign or have MS dashboard approval. For anyone else who missed the boat, that is a different story. Regardless, SHA-1 is to be phased out effective Jan 1st, 2016 and that means only SHA-2 will be recognized from here on out. Windows 10 only requires added steps for the signing of drivers since they've hardened the OS security. The truth is, this has little to do with developers and everything to do with Microsoft realizing any person can write malware, even with a cert from a "trusted" CA.

--Iconic
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 support

Post by madshi »

Unfortunately my certificate ran out too late (last week), and GlobalSign didn't allow me to renew it before it ran out, so basically I've missed the boat. I've renewed the certificate now, for 3 years, so that at least I have SHA1 support for those 3 years. But due to the renewal being too late, my certificate won't be accepted by Windows 10, when SecureBoot is enabled. So I suppose, I will now need an EV certificate, too. <sigh>
alfaunits
Posts: 21
Joined: Sat Apr 09, 2011 9:41 pm

Re: Windows 10 support

Post by alfaunits »

Technically, we'll need it, won't we?

And how did you get an SHA1 certificate from GS this late? They only allowed SHA2 when I renewed during summer.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 support

Post by madshi »

I just got the new certificate today and it's SHA1. They allowed me to choose between SHA1 and SHA2 when I renewed, and for SHA2 they explicitly warned that it might not work on some older OSs. Maybe they've had enough customers complain about the lack of SHA1? I don't know. I had anticipated that getting SHA1 might be difficult, and was happy when I could easily choose it. So I took the opportunity and renewed for 3 years, so I don't have to worry about compatibility with old OSs for 3 years now.

The EV certificate is needed, *if* you want to support SecureBoot, and *if* your non-EV certificate was issued/renewed after Windows 10 release date. At least that's my understanding.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Windows 10 support

Post by iconic »

Madshi is exactly right with what he said. GlobalSign is one of the only CAs left that will still allow for SHA-1, luckily. I had used them for years until they stopped issuing certs for individual signers, they only support companies now. Last December I ended up going to Comodo through k-software and only $99 USD later I was issued a SHA-1 cert that expires on 12/31/2015. Most CAs are aware of the SHA-1 phaseout and because of that 90% of CAs will force SHA-2 on you. My advice is to stick with GlobalSign if you can, at least they understand from the developer's perspective.

--Iconic
alfaunits
Posts: 21
Joined: Sat Apr 09, 2011 9:41 pm

Re: Windows 10 support

Post by alfaunits »

I talked to them today, and indeed they can issue an SHA1 cert for us alongside the SHA2 that we have!
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA
Contact:

Re: Windows 10 support

Post by dcsoft »

I am very confused about the changes to code signing! Not only for Madshi's kernel drivers, but for my user-mode exe's as well!

1. Madshi kernel driver - K Software http://certhelp.ksoftware.net/support/s ... ver-files- (a Comodo reseller) says
As of late August 2013, all valid (not expired, not revoked) Comodo Code Signing Certificates can be used for Kernel-Mode Code Signing! (For Windows Vista and greater)
I had not known that an Authenticode certificate could ever be used to sign kernel drivers! But does this apply for Windows 10?

2. Madshi kernel driver EV2 cert - From the posts in this thread, apparently we do not need an EV2 (certificate is only on a USB dongle) for Win 10? But if we want to support "SecureBoot", then we do? I understand SecureBoot is to boot only from an encrypted hard drive and not from e.g. a USB stick? Since we have no control over our customer's systems and whether they have SecureBoot, I would think we would need to support that.

3. Win 10 MS signing and previous Windows - Does the new Windows 10 method of submitting drivers to the MS portal also certify them for previous Windows? If not, can we perform additional signings to certify them on previous Windows? Or do we need a separate package for our users to install our software on previous Windows, and another for Windows 10?

4. User Mode Exe signing - Starting next month -- January 1, 2016 -- SHA-1 won’t work on Win 7+ for files downloaded from the web: http://social.technet.microsoft.com/wik ... mping.aspx
On Win 7 and above (quoting that page):

    blocked on 1/1/2020 if time stamped before 1/1/2016, otherwise, blocked after 1/1/2016 for Mark of the Web files.
(I don't know exactly what these are.)
    CAs should issue new code signing certs with SHA-1 after 1/1/2016 only for developers targeting Vista/2008, otherwise, move all new certs to SHA2.
(It sounds like SHA-2 is an easy choice.)

5. But Windows 7 doesn't support SHA-2 out of the box, it requires an update from March, 2015: https://technet.microsoft.com/en-us/library/security/3033929.aspx?f=255&MSPPError=-2147217396. SHA-2 isn't supported at all in Vista and XP. The first link tells how to use both SHA-1 and SHA-2 certificates to dual sign a .exe. Does that mean we need to buy 2 certificates?


I am sure we are all struggling with signing both kernel and user mode with these changes.  How are you folks handling this?  

Thanks,
David
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 support

Post by madshi »

The only difference between authenticode code signing certificates which can sign drivers and those that can't is whether there's a cross certificate available which matches your certificate provider. So it seems that there is now a Comodo cross certificate available.

I've no real knowledge about SecureBoot. But yes, if you want to support SecureBoot, you need EV, I believe - unless your old certificate was renewed before Windows 10 release date, in that case it stays valid for SecureBoot, too, until it runs out. For more information about SecureBoot please use google.

From what I've heard you can sign a PE file multiple times. So I suppose the way to go is to sign with all the certificates that are necessary to support all OSs. I'm not sure if EV signed files are compatible with anything older than Windows 10.

This is all a very big mess, and Microsoft is responsible for that. Shame on them.

I was not aware of SHA-1 running out on Windows 7+. Guess I'll have to contact GlobalSign and ask them whether I can get SHA-2 in addition to SHA-1 to support all OSs.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Windows 10 support

Post by iconic »

So it seems that there is now a Comodo cross certificate available.
Comodo has allowed for cross-signing drivers since August 2013. It's why I bought a certificate capable of signing all binaries (including drivers) from them last year and only spent $95 USD for a single developer (k-software is an official partner that sells them cheap). Like most of you on this thread have said, this is a big mess and something so simple is now added complexity, more money and in some cases the need to distribute the same binary with different signatures.

--Iconic
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 support

Post by madshi »

iconic wrote: in some cases the need to distribute the same binary with different signatures
But only one file, right? I've heard that you can sign the same file multiple times and all signatures stay valid. Haven't really tested it myself yet, though.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Windows 10 support

Post by iconic »

Yes, it's possible to sign a single file multiple times and have it work on older and newer operating systems.

--Iconic
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA
Contact:

Re: Windows 10 support

Post by dcsoft »

1. Is Universal installer possible? -- If, for Windows 10, we need to submit to the MS portal to get drivers that work, I don't think anyone has verified these also work on previous Windows. If not, then it seems we would need to distribute a separate Windows 10 installer, and another installer for previous Windows versions (with drivers signed with conventional cross certificate).

2. Avoiding portal -- I believe some of you have reported getting a SHA1 (@madshi) and non-EV SHA-2 (@alfaunits) certificate even after Windows 10 was released, and signing with the conventional cross certificate, and it worked for all Windows (including Windows 10). I think the following article says the reason this works is that Windows 10 uses the expiration date of the cross signing cert (and not the issue date of your cert) to determine whether it will work: http://www.davidegrayson.com/signing/

3. SHA-2 works even in previous Windows - the same davidegrayson article says to specify SHA-1 [/fd sha1 in signtool] even with a SHA-2 certificate to avoid incompatibility. He says it works in Vista, but hasn't checked with XP. K-Software Tech Support, whom I opened a support question with yesterday, also says they have used their SHA256 cert way back for Windows XP SP3. However, if this is the case, I don't really understand why MS pushed the Windows 7 SHA-2 Update in March, 2015. Or why MS recommends dual-signing for Vista (and presumably XP except they don't mention non-supported XP anymore) if they support SHA-2.

4. SecureBoot - SHA-2 is not required for SecureBoot on Intel processors, only ARM processors: https://msdn.microsoft.com/en-us/librar ... 2147217396. So unless Madshi plans to have an ARM version of MadCodeHook, SHA-2 is not required for SecureBoot. But it seems it will be required for everything in January.

Thanks,
David
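For the dual-signing question raised above (one file, two signatures, as iconic confirmed, and the /fd sha1 point in item 3), here is the signtool sequence as an added example; it is not from any post in this thread. It assumes that a SHA-1 and a SHA-256 code signing certificate both sit in the signer's personal store, that the Microsoft cross-certificate for the CA root they chain to is in .\cross.cer, and that the thumbprints and timestamp URLs are placeholders. The file can be a driver or a user-mode exe; only the verify policy differs.

```powershell
# Added example, not from the thread: dual-sign one PE (driver or exe) and verify both signatures.
# Placeholders: the two thumbprints, the cross-certificate path and the timestamp URLs.
$ErrorActionPreference = 'Stop'
$File      = '.\YourDriver.sys'
$Sha1Thumb = '1111111111111111111111111111111111111111'    # placeholder: SHA-1 code signing cert
$Sha2Thumb = '2222222222222222222222222222222222222222'    # placeholder: SHA-256 code signing cert
$CrossCert = '.\cross.cer'                                  # placeholder: Microsoft cross-cert for your CA root
$TsAuth    = 'http://timestamp.example.invalid/authenticode' # placeholder: classic Authenticode timestamp URL
$TsRfc3161 = 'http://timestamp.example.invalid/rfc3161'      # placeholder: RFC 3161 timestamp URL

function Invoke-SignTool([string[]]$ToolArgs) {
    & signtool.exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "signtool $($ToolArgs[0]) failed with exit code $LASTEXITCODE" }
}

# 1. Primary signature: SHA-1 file digest (/fd sha1), the SHA-1 certificate and a classic
#    Authenticode timestamp (/t). Systems that predate dual signing (XP, 2003, Vista, Windows 7
#    without KB3033929) only look at the primary signature, so it must be the one they can parse.
Invoke-SignTool @('sign', '/v', '/ac', $CrossCert, '/sha1', $Sha1Thumb, '/fd', 'sha1', '/t', $TsAuth, $File)

# 2. Appended signature (/as): SHA-256 digest, the SHA-256 certificate and an RFC 3161 timestamp
#    with a SHA-256 timestamp digest (/td). Newer systems use this one once SHA-1 is no longer accepted.
Invoke-SignTool @('sign', '/v', '/as', '/ac', $CrossCert, '/sha1', $Sha2Thumb, '/fd', 'sha256', '/tr', $TsRfc3161, '/td', 'sha256', $File)

# 3. Verify under the kernel-mode driver policy (/kp; use /pa instead for a user-mode exe).
#    Without /all signtool would only check the primary signature.
Invoke-SignTool @('verify', '/v', '/kp', '/all', $File)

# Caveat: Get-AuthenticodeSignature reports only the primary signature, so it shows the SHA-1 one
# here and cannot be used to prove the appended SHA-256 signature exists; use signtool verify /all.
Get-AuthenticodeSignature -FilePath $File | Format-List Status, SignerCertificate, TimeStamperCertificate
```

Two details worth checking on your own setup: the cross-certificate must match the root that each certificate actually chains to, so if the SHA-1 and SHA-256 certificates chain to different roots pass the matching cross-certificate in each call; and the order matters, because an old OS that does not understand appended signatures sees only whichever signature was applied first.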
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 support

Post by madshi »

Re: Universal installer: Simply sign it yourself with a conventional certificate before sending it to Microsoft. No need to distribute a separate win10 installer.