Re: Windows 10 support

Posted: Wed Dec 09, 2015 7:14 am
by iconic
Kernel mode driver signing (requiring a cross-certificate) and more common usermode Authenticode signing are treated very differently. Usermode is considered "untrusted" to begin with; it's why the kernel is considered privileged level/ring 0. Microsoft knows this and it's why they've hardened security on their 64-bit OS builds requiring signed drivers, unlike their x86 brothers. Windows 10 is finally taking it a step further and for good reason, despite developers being shafted to some degree. All we can do is wait a few weeks and hope that Microsoft figures out whatever they are doing and hopefully it's not a developer's disaster, especially with backwards compatibility. This wouldn't be happening at all if SHA-1 were proven to be secure from a cryptographic perspective =( Another important thing to note is that Certificate Authorities still issuing certs, let alone SHA-1, to individuals are much harder to find; GlobalSign and DigiCert require organizations/companies and will not issue to single developers, in case anyone wants a personal code signing cert.

--Iconic

Re: Windows 10 support

Posted: Wed Dec 09, 2015 2:43 pm
by dcsoft
This topic is discussed in great detail here: http://www.osronline.com/showthread.cfm?link=268241

Scroll to the very end:
> Just wanted to point out that there is a very helpful section in a MSFT
> Hardware Dev Center document for "Code Signing FAQ", which succinctly summarizes
> the code signing situation. Includes a good "OS Support Summary" table at the
> end. Here is the link:
>
> https://msdn.microsoft.com/en-us/librar ... gning_f aq

There's a very interesting note here that I do not recall seeing before:

*Windows 10 Earlier Certificate Transition Signing*

* A driver signed with any certificate issued after July 29th,
2015, with time stamping, is not recommended for Windows 10.
* A driver signed with any certificate that expires after July
29th, 2015, without time stamping, will work on Windows 10 until
the certificate expires.

What this SAYS is that the old driver signing scheme will continue to
work for Windows 10 forever, but you have to feel guilty for using it.
This finally matches the actual experience in the field, which is that
attestation is not actually required for Windows 10, even with a brand
new SHA1 certificate.

--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Prior in the thread, they discuss one reason not to use SHA-1 for Windows 10: the policy to allow drivers signed by SHA-1 can be changed on Windows 10 Enterprise. The feature is called "Device Guard".

So, it seems getting a SHA-1 cert for the max time possible is the best thing to do. I hope it is still possible for individuals (in addition to companies) to do this before the end of the year. Seems GlobalSign and DigiCert will still give them, but perhaps only for companies?

Thanks,
David
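
The following PowerShell is an added example, not code from any poster in this thread or from Microsoft. For each driver file it reports the facts the quoted FAQ note turns on: the signing certificate's issue and expiry dates relative to July 29th, 2015, the certificate's signature algorithm, and whether the signature is time stamped. The folder path and the function name `Get-DriverSigningFacts` are assumptions.

```powershell
# Added example: inventory signing facts for driver files.
param(
    [string]$DriverDir = 'C:\Drivers\Example'   # assumption: placeholder path
)

# Date quoted in the "Windows 10 Earlier Certificate Transition Signing" note.
$Cutoff = [datetime]'2015-07-29'

function Get-DriverSigningFacts {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    if ($null -eq $cert) {
        # No signer certificate was found for this file.
        return [pscustomobject]@{
            File              = Split-Path $Path -Leaf
            Status            = $sig.Status
            CertSignatureAlg  = $null
            NotBefore         = $null
            NotAfter          = $null
            IssuedAfterCutoff = $null
            Timestamped       = $false
        }
    }

    [pscustomobject]@{
        File              = Split-Path $Path -Leaf
        Status            = $sig.Status
        # Algorithm the CA used to sign the certificate (e.g. sha1RSA, sha256RSA),
        # not the digest algorithm of the file signature itself.
        CertSignatureAlg  = $cert.SignatureAlgorithm.FriendlyName
        NotBefore         = $cert.NotBefore
        NotAfter          = $cert.NotAfter
        IssuedAfterCutoff = ($cert.NotBefore -gt $Cutoff)
        # Without a time stamp, the signature is only good until NotAfter.
        Timestamped       = ($null -ne $sig.TimeStamperCertificate)
    }
}

Get-ChildItem -Path $DriverDir -Filter *.sys -File |
    ForEach-Object { Get-DriverSigningFacts -Path $_.FullName } |
    Format-Table -AutoSize
```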

Re: Windows 10 support

Posted: Mon Dec 14, 2015 3:58 pm
by dcsoft
If you are interested in using a SHA-1 certificate, the last day to purchase a new or renewed one is December 31, 2015. I've written a post here: https://dcsoft.wordpress.com/2015/12/14 ... r-31-2015/

Thanks,
David

Re: Windows 10 support

Posted: Thu Jul 05, 2018 10:51 am
by Masakazu Takahashi
I am using madCodeHook 4.0.5.
In order to load the madCodeHook driver even in an environment where secure boot is effective, I am trying to register to the Windows Hardware Dev Center dashboard and receive a signature of Microsoft.
madshi:
Other users seem to have already done it, but don't I need your permission?
I will try to refer to the registration method that you are introducing if you do not mind.

Thanks
M.Takahashi

Re: Windows 10 support

Posted: Thu Jul 05, 2018 10:55 am
by madshi
Where/why would you need my permission? If you have a valid madCodeHook license (I'm sure you do), then that license grants you the right to use the driver. That includes permission to send it in to Microsoft for EV signing. No problem for me at all.

There's an "inf" file in the driver folder that may help you get going. I'm not really an expert on EV signing myself, though, because I don't have an EV certificate. The "inf" file was kindly provided by a madCodeHook user.