Re: [Wireshark-dev] Windows driver signing certificate purchase decision for WinPcap and Npcap

2015-10-01 Thread Pascal Quantin
Hi all,

in my company we just received the following email from Symantec indicating
that the EV signing will soon be mandatory:

"On October 27, 2015, all new Kernel and User Mode driver submissions will
need to be made via the Windows Hardware Developer Center Dashboard portal
and signed by an Extended Validation (EV) code signing certificate. The EV
code signing certificate requirement is to ensure that publisher private
signing keys are stored securely on hardware tokens and organizations
undergo a comprehensive and thorough authentication process. These EV code
signing features increase the integrity of software assets that run on
Windows 10 Operating System.

Please note that these requirements are specific to the Windows 10 launch.
Drivers that were signed and running on older versions of Windows will not
require EV code signing. These drivers will pass signing checks to enable
backward compatibility.

An EV code signing certificate enables you to perform all Microsoft driver
signings regardless of which release it is, whereas a standard code signing
certificate may limit your options."

Best regards,
Pascal.

2015-08-03 10:17 GMT+02:00 Yang Luo :

>
> FYI, the result turns out to be that the old non-EV cert can be used to
> sign a driver that is used for Win10 after Win10 RTM release. I built Npcap
> 0.03 r3 today and tested it against Win10 RTM x64, and it installs
> successfully and runs well. It's a pity that I didn't buy a 3-year cert,
> but the good news is that I can still use this old one for future releases.
>
>
> Cheers,
> Yang
>
> On Wed, Jul 22, 2015 at 3:06 PM, Graham Bloice <
> graham.blo...@trihedral.com> wrote:
>
>>
>>
>> On 22 July 2015 at 07:59, Yang Luo  wrote:
>>
>>> Hi,
>>>
>>> I have found this link:
>>> https://www.osr.com/blog/2015/03/18/microsoft-signatures-required-km-drivers-windows-10/,
>>> in which it says: "*These requirements only apply to Windows 10 and
>>> later.  In fact, Microsoft plans to offer a bit of a grace period: Drivers
>>> signed before Windows 10 RTM will be able to use the older signing
>>> mechanisms.  But once Windows 10 ships, if you want your driver to run on
>>> Windows 10 desktop systems, you’ll need to (a) get an EV certificate, (b)
>>> using that signature submit your driver to sysdev to get Microsoft’s
>>> signature.*"
>>>
>>> So unfortunately, I think an EV cert has become a necessity for us to
>>> sign a driver for Win10 after Win10 RTM release date.
>>>
>>> Cheers,
>>> Yang
>>>
>>>
>>>
>> That's quite an old blog entry (March)  and from a 3rd party, although
>> OSR are a well respected company in the driver world.
>>
>>
>> --
>> Graham Bloice
>>
>>
>
>
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] Windows driver signing certificate purchase decision for WinPcap and Npcap

2015-08-03 Thread Yang Luo
FYI, the result turns out to be that the old non-EV cert can be used to
sign a driver that is used for Win10 after Win10 RTM release. I built Npcap
0.03 r3 today and tested it against Win10 RTM x64, and it installs
successfully and runs well. It's a pity that I didn't buy a 3-year cert,
but the good news is that I can still use this old one for future releases.


Cheers,
Yang

On Wed, Jul 22, 2015 at 3:06 PM, Graham Bloice 
wrote:

>
>
> On 22 July 2015 at 07:59, Yang Luo  wrote:
>
>> Hi,
>>
>> I have found this link:
>> https://www.osr.com/blog/2015/03/18/microsoft-signatures-required-km-drivers-windows-10/,
>> in which it says: "*These requirements only apply to Windows 10 and
>> later.  In fact, Microsoft plans to offer a bit of a grace period: Drivers
>> signed before Windows 10 RTM will be able to use the older signing
>> mechanisms.  But once Windows 10 ships, if you want your driver to run on
>> Windows 10 desktop systems, you’ll need to (a) get an EV certificate, (b)
>> using that signature submit your driver to sysdev to get Microsoft’s
>> signature.*"
>>
>> So unfortunately, I think an EV cert has become a necessity for us to
>> sign a driver for Win10 after Win10 RTM release date.
>>
>> Cheers,
>> Yang
>>
>>
>>
> That's quite an old blog entry (March)  and from a 3rd party, although OSR
> are a well respected company in the driver world.
>
>
> --
> Graham Bloice
>

Re: [Wireshark-dev] Windows driver signing certificate purchase decision for WinPcap and Npcap

2015-07-22 Thread Graham Bloice
On 22 July 2015 at 07:59, Yang Luo  wrote:

> Hi,
>
> I have found this link:
> https://www.osr.com/blog/2015/03/18/microsoft-signatures-required-km-drivers-windows-10/,
> in which it says: "*These requirements only apply to Windows 10 and
> later.  In fact, Microsoft plans to offer a bit of a grace period: Drivers
> signed before Windows 10 RTM will be able to use the older signing
> mechanisms.  But once Windows 10 ships, if you want your driver to run on
> Windows 10 desktop systems, you’ll need to (a) get an EV certificate, (b)
> using that signature submit your driver to sysdev to get Microsoft’s
> signature.*"
>
> So unfortunately, I think an EV cert has become a necessity for us to sign
> a driver for Win10 after Win10 RTM release date.
>
> Cheers,
> Yang
>
>
>
That's quite an old blog entry (March)  and from a 3rd party, although OSR
are a well respected company in the driver world.


-- 
Graham Bloice

Re: [Wireshark-dev] Windows driver signing certificate purchase decision for WinPcap and Npcap

2015-07-22 Thread Yang Luo
Hi,

I have found this link:
https://www.osr.com/blog/2015/03/18/microsoft-signatures-required-km-drivers-windows-10/,
in which it says: "*These requirements only apply to Windows 10 and later.
In fact, Microsoft plans to offer a bit of a grace period: Drivers signed
before Windows 10 RTM will be able to use the older signing mechanisms.
But once Windows 10 ships, if you want your driver to run on Windows 10
desktop systems, you’ll need to (a) get an EV certificate, (b) using that
signature submit your driver to sysdev to get Microsoft’s signature.*"

So unfortunately, I think an EV cert has become a necessity for us to sign
a driver for Win10 after Win10 RTM release date.

Cheers,
Yang


On Wed, Jul 22, 2015 at 12:33 AM, Gerald Combs  wrote:

> On 7/21/15 3:40 AM, Graham Bloice wrote:
> >
> >
> > On 21 July 2015 at 11:25, Pascal Quantin  > > wrote:
> >
> >
> > On 21 Jul 2015 11:38 AM, "Graham Bloice" <graham.blo...@trihedral.com> wrote:
> > >
> > >
> > >
> > > On 21 July 2015 at 07:06, Pascal Quantin  > wrote:
> > >>
> > >>
> > >> On 21 Jul 2015 4:15 AM, "Yang Luo" <hslu...@gmail.com> wrote:
> > >> >
> > >> > Hi list,
> > >> >
> > >> > There's only 8 days left for Win10 RTM. It seems that both
> WinPcap and Npcap need to decide which kind of Windows driver signing
> certificate to buy. There are two kinds of certs: EV cert and non-EV cert.
> > >> >
> > >> > AFAIK, I think we don't need to buy an EV cert yet, as EV cert
> is complicated to use (has to use a hardware key) and much more expensive.
> You should have found out that current Npcap driver CAN be successfully
> installed into Windows 10 Insider Preview 10240 x64 ( which is a candidate
> for Win10 RTM) WITHOUT disabling "Driver Signature Enforcement". The reason
> turns out to be: "To ensure backwards compatibility, drivers which are
> properly signed by a valid cross-signing certificate that was issued before
> the release of Windows 10 will continue to pass signing checks on Windows
> 10." (see for details:
> http://blogs.msdn.com/b/windows_hardware_certification/archive/2015/04/01/driver-signing-changes-in-windows-10.aspx
> ).
> > My English is not that good, but I think this sentence means that if
> > you buy a non-EV cert before Win10 release (AKA 2015/7/29), you can
> use
> > the cert to sign a driver to any platform including Win10 until it
> > expires. So you can just buy a 3-year long cert before 7/29 and use
> it
> > to sign any drivers for these 3 years. 3 years later, we have no
> other
> > choice but to buy an EV cert, but who knows whether Microsoft would
> > change its driver signing policy again then?
> > >> >
> > >> > Am I understanding it right?
> > >> >
> > >>
> > >> Hi Yang,
> > >>
> > >> That's not my understanding. What matters here is the driver
> signing timestamp, and not the expiry date of your certificate.
> > >> You have 3 cases:
> > >> - a driver signed with a timestamp prior to the 29th of July will
> still load for backward compatibility (same rules as previous Windows
> versions)
> > >> - for drivers with a signature timestamp from the 29th of July or
> later, you need to upload your signed driver on Microsoft portal to get a
> counter signature that will allow to install it on Windows 10
> > >> - 90 days after the 29th of July, the portal will not accept
> anymore drivers not signed with an EV certificate
> > >>
> > >> So as you see the grace period will be short and you cannot
> escape from the purchase of an EV certificate (unless you hurry up to
> polish your driver before the deadline;)). Even the counter signature step
> seems a bit painful (I have not tried it myself yet).
> > >>
> > >> Pascal.
> > >
> > > I agree the intentions are not clear.  The statement "To ensure
> backwards compatibility, drivers which are properly signed by a valid
> cross-signing certificate that was issued before the release of Windows 10
> will continue to pass signing checks on Windows 10." implies to me that
> it's the date of the cross-signing certificate that counts.
> > >
> > > IMHO if it was the driver signing date, then the sentence should
> have read "... drivers which are properly signed by a valid cross-signing
> certificate that were signed before ..."
> > >
> > > Currently, when signing kernel-mode drivers you currently have to
> use the MS cross-signing appropriate to the issuer of your SPC.  I checked
> the one we use in the day job, it was issued Feb 22 2011 and it's valid
> until Feb 22 2021.  Of course MS may revoke that cert, but then existing
> signed drivers for Windows < 10 will also fail.
> > >
> > > I'll try to get some clarity on this.
> > >
> >
> > If this is the case it would be very good news, but in th

Re: [Wireshark-dev] Windows driver signing certificate purchase decision for WinPcap and Npcap

2015-07-21 Thread Gerald Combs
On 7/21/15 3:40 AM, Graham Bloice wrote:
> 
> 
> On 21 July 2015 at 11:25, Pascal Quantin  > wrote:
> 
> 
> On 21 Jul 2015 11:38 AM, "Graham Bloice" wrote:
> >
> >
> >
> > On 21 July 2015 at 07:06, Pascal Quantin  > wrote:
> >>
> >>
> >> On 21 Jul 2015 4:15 AM, "Yang Luo" wrote:
> >> >
> >> > Hi list,
> >> >
> >> > There's only 8 days left for Win10 RTM. It seems that both WinPcap 
> and Npcap need to decide which kind of Windows driver signing certificate to 
> buy. There are two kinds of certs: EV cert and non-EV cert.
> >> >
> >> > AFAIK, I think we don't need to buy an EV cert yet, as EV cert is 
> complicated to use (has to use a hardware key) and much more expensive. You 
> should have found out that current Npcap driver CAN be successfully installed 
> into Windows 10 Insider Preview 10240 x64 ( which is a candidate for Win10 
> RTM) WITHOUT disabling "Driver Signature Enforcement". The reason turns out 
> to be: "To ensure backwards compatibility, drivers which are properly signed 
> by a valid cross-signing certificate that was issued before the release of 
> Windows 10 will continue to pass signing checks on Windows 10." (see for 
> details: 
> http://blogs.msdn.com/b/windows_hardware_certification/archive/2015/04/01/driver-signing-changes-in-windows-10.aspx).
> My English is not that good, but I think this sentence means that if
> you buy a non-EV cert before Win10 release (AKA 2015/7/29), you can use
> the cert to sign a driver to any platform including Win10 until it
> expires. So you can just buy a 3-year long cert before 7/29 and use it
> to sign any drivers for these 3 years. 3 years later, we have no other
> choice but to buy an EV cert, but who knows whether Microsoft would
> change its driver signing policy again then?
> >> >
> >> > Am I understanding it right?
> >> >
> >>
> >> Hi Yang,
> >>
> >> That's not my understanding. What matters here is the driver signing 
> timestamp, and not the expiry date of your certificate.
> >> You have 3 cases:
> >> - a driver signed with a timestamp prior to the 29th of July will 
> still load for backward compatibility (same rules as previous Windows 
> versions) 
> >> - for drivers with a signature timestamp from the 29th of July or 
> later, you need to upload your signed driver on Microsoft portal to get a 
> counter signature that will allow to install it on Windows 10
> >> - 90 days after the 29th of July, the portal will not accept anymore 
> drivers not signed with an EV certificate
> >>
> >> So as you see the grace period will be short and you cannot escape 
> from the purchase of an EV certificate (unless you hurry up to polish your
> driver before the deadline;)). Even the counter signature step seems a bit 
> painful (I have not tried it myself yet).
> >>
> >> Pascal. 
> >
> > I agree the intentions are not clear.  The statement "To ensure 
> backwards compatibility, drivers which are properly signed by a valid 
> cross-signing certificate that was issued before the release of Windows 10 
> will continue to pass signing checks on Windows 10." implies to me that it's 
> the date of the cross-signing certificate that counts.
> >
> > IMHO if it was the driver signing date, then the sentence should have 
> read "... drivers which are properly signed by a valid cross-signing 
> certificate that were signed before ..."
> >
> > Currently, when signing kernel-mode drivers you currently have to use 
> the MS cross-signing appropriate to the issuer of your SPC.  I checked the 
> one we use in the day job, it was issued Feb 22 2011 and it's valid until Feb 
> 22 2021.  Of course MS may revoke that cert, but then existing signed drivers 
> for Windows < 10 will also fail.
> >
> > I'll try to get some clarity on this.
> >
> 
> If this is the case it would be very good news, but in that case I do
> not understand the 90 days deadline for the driver submission without
> EV signing on Microsoft portal.
> Anyway we will get the answer very soon :)
> 
> 
> 
> Maybe they expect a big rush of driver signing requests with the release of
> Win 10, and know that the EV requirement will take time to get in place.

That might be the case. Yesterday I started the process of obtaining an EV
certificate for the Wireshark Foundation. The order status page currently says

"DigiCert has verified the organization details listed above, and we are
ready to issue your certificate as soon as the other validation
requirements are taken care of."

Hopefully "other validation requirements" doesn't translate to "a four
month backlog which suddenly appeared due to a major operating system release."

In the mean time our regular (lightly-valida

Re: [Wireshark-dev] Windows driver signing certificate purchase decision for WinPcap and Npcap

2015-07-21 Thread Graham Bloice
On 21 July 2015 at 11:25, Pascal Quantin  wrote:

>
> On 21 Jul 2015 11:38 AM, "Graham Bloice" wrote:
> >
> >
> >
> > On 21 July 2015 at 07:06, Pascal Quantin 
> wrote:
> >>
> >>
> >> On 21 Jul 2015 4:15 AM, "Yang Luo" wrote:
> >> >
> >> > Hi list,
> >> >
> >> > There's only 8 days left for Win10 RTM. It seems that both WinPcap
> and Npcap need to decide which kind of Windows driver signing certificate
> to buy. There are two kinds of certs: EV cert and non-EV cert.
> >> >
> >> > AFAIK, I think we don't need to buy an EV cert yet, as EV cert is
> complicated to use (has to use a hardware key) and much more expensive. You
> should have found out that current Npcap driver CAN be successfully
> installed into Windows 10 Insider Preview 10240 x64 ( which is a candidate
> for Win10 RTM) WITHOUT disabling "Driver Signature Enforcement". The reason
> turns out to be: "To ensure backwards compatibility, drivers which are
> properly signed by a valid cross-signing certificate that was issued before
> the release of Windows 10 will continue to pass signing checks on Windows
> 10." (see for details:
> http://blogs.msdn.com/b/windows_hardware_certification/archive/2015/04/01/driver-signing-changes-in-windows-10.aspx).
> My English is not that good, but I think this sentence means that if you
> buy a non-EV cert before Win10 release (AKA 2015/7/29), you can use the
> cert to sign a driver to any platform including Win10 until it expires. So
> you can just buy a 3-year long cert before 7/29 and use it to sign any
> drivers for these 3 years. 3 years later, we have no other choice but to
> buy an EV cert, but who knows whether Microsoft would change its driver
> signing policy again then?
> >> >
> >> > Am I understanding it right?
> >> >
> >>
> >> Hi Yang,
> >>
> >> That's not my understanding. What matters here is the driver signing
> timestamp, and not the expiry date of your certificate.
> >> You have 3 cases:
> >> - a driver signed with a timestamp prior to the 29th of July will still
> load for backward compatibility (same rules as previous Windows versions)
> >> - for drivers with a signature timestamp from the 29th of July or
> later, you need to upload your signed driver on Microsoft portal to get a
> counter signature that will allow to install it on Windows 10
> >> - 90 days after the 29th of July, the portal will not accept anymore
> drivers not signed with an EV certificate
> >>
> >> So as you see the grace period will be short and you cannot escape from
> the purchase of an EV certificate (unless you hurry up to polish your
> driver before the deadline;)). Even the counter signature step seems a bit
> painful (I have not tried it myself yet).
> >>
> >> Pascal.
> >
> > I agree the intentions are not clear.  The statement "To ensure
> backwards compatibility, drivers which are properly signed by a valid
> cross-signing certificate that was issued before the release of Windows 10
> will continue to pass signing checks on Windows 10." implies to me that
> it's the date of the cross-signing certificate that counts.
> >
> > IMHO if it was the driver signing date, then the sentence should have
> read "... drivers which are properly signed by a valid cross-signing
> certificate that were signed before ..."
> >
> > Currently, when signing kernel-mode drivers you currently have to use
> the MS cross-signing appropriate to the issuer of your SPC.  I checked the
> one we use in the day job, it was issued Feb 22 2011 and it's valid until
> Feb 22 2021.  Of course MS may revoke that cert, but then existing signed
> drivers for Windows < 10 will also fail.
> >
> > I'll try to get some clarity on this.
> >
>
> If this is the case it would be very good news, but in that case I do not
> understand the 90 days deadline for the driver submission without EV
> signing on Microsoft portal.
> Anyway we will get the answer very soon :)
>
>
Maybe they expect a big rush of driver signing requests with the release of
Win 10, and know that the EV requirement will take time to get in place.

-- 
Graham Bloice

Re: [Wireshark-dev] Windows driver signing certificate purchase decision for WinPcap and Npcap

2015-07-21 Thread Pascal Quantin
On 21 Jul 2015 11:38 AM, "Graham Bloice" wrote:
>
>
>
> On 21 July 2015 at 07:06, Pascal Quantin  wrote:
>>
>>
>> On 21 Jul 2015 4:15 AM, "Yang Luo" wrote:
>> >
>> > Hi list,
>> >
>> > There's only 8 days left for Win10 RTM. It seems that both WinPcap and
Npcap need to decide which kind of Windows driver signing certificate to
buy. There are two kinds of certs: EV cert and non-EV cert.
>> >
>> > AFAIK, I think we don't need to buy an EV cert yet, as EV cert is
complicated to use (has to use a hardware key) and much more expensive. You
should have found out that current Npcap driver CAN be successfully
installed into Windows 10 Insider Preview 10240 x64 ( which is a candidate
for Win10 RTM) WITHOUT disabling "Driver Signature Enforcement". The reason
turns out to be: "To ensure backwards compatibility, drivers which are
properly signed by a valid cross-signing certificate that was issued before
the release of Windows 10 will continue to pass signing checks on Windows
10." (see for details:
http://blogs.msdn.com/b/windows_hardware_certification/archive/2015/04/01/driver-signing-changes-in-windows-10.aspx).
My English is not that good, but I think this sentence means that if you
buy a non-EV cert before Win10 release (AKA 2015/7/29), you can use the
cert to sign a driver to any platform including Win10 until it expires. So
you can just buy a 3-year long cert before 7/29 and use it to sign any
drivers for these 3 years. 3 years later, we have no other choice but to
buy an EV cert, but who knows whether Microsoft would change its driver
signing policy again then?
>> >
>> > Am I understanding it right?
>> >
>>
>> Hi Yang,
>>
>> That's not my understanding. What matters here is the driver signing
timestamp, and not the expiry date of your certificate.
>> You have 3 cases:
>> - a driver signed with a timestamp prior to the 29th of July will still
load for backward compatibility (same rules as previous Windows versions)
>> - for drivers with a signature timestamp from the 29th of July or later,
you need to upload your signed driver on Microsoft portal to get a counter
signature that will allow to install it on Windows 10
>> - 90 days after the 29th of July, the portal will not accept anymore
drivers not signed with an EV certificate
>>
>> So as you see the grace period will be short and you cannot escape from
the purchase of an EV certificate (unless you hurry up to polish your
driver before the deadline;)). Even the counter signature step seems a bit
painful (I have not tried it myself yet).
>>
>> Pascal.
>
> I agree the intentions are not clear.  The statement "To ensure backwards
compatibility, drivers which are properly signed by a valid cross-signing
certificate that was issued before the release of Windows 10 will continue
to pass signing checks on Windows 10." implies to me that it's the date of
the cross-signing certificate that counts.
>
> IMHO if it was the driver signing date, then the sentence should have
read "... drivers which are properly signed by a valid cross-signing
certificate that were signed before ..."
>
> Currently, when signing kernel-mode drivers you currently have to use the
MS cross-signing appropriate to the issuer of your SPC.  I checked the one
we use in the day job, it was issued Feb 22 2011 and it's valid until Feb
22 2021.  Of course MS may revoke that cert, but then existing signed
drivers for Windows < 10 will also fail.
>
> I'll try to get some clarity on this.
>

If this is the case it would be very good news, but in that case I do not
understand the 90 days deadline for the driver submission without EV
signing on Microsoft portal.
Anyway we will get the answer very soon :)

Re: [Wireshark-dev] Windows driver signing certificate purchase decision for WinPcap and Npcap

2015-07-21 Thread Graham Bloice
On 21 July 2015 at 07:06, Pascal Quantin  wrote:

>
> On 21 Jul 2015 4:15 AM, "Yang Luo" wrote:
> >
> > Hi list,
> >
> > There's only 8 days left for Win10 RTM. It seems that both WinPcap and
> Npcap need to decide which kind of Windows driver signing certificate to
> buy. There are two kinds of certs: EV cert and non-EV cert.
> >
> > AFAIK, I think we don't need to buy an EV cert yet, as EV cert is
> complicated to use (has to use a hardware key) and much more expensive. You
> should have found out that current Npcap driver CAN be successfully
> installed into Windows 10 Insider Preview 10240 x64 ( which is a candidate
> for Win10 RTM) WITHOUT disabling "Driver Signature Enforcement". The reason
> turns out to be: "To ensure backwards compatibility, drivers which are
> properly signed by a valid cross-signing certificate that was issued before
> the release of Windows 10 will continue to pass signing checks on Windows
> 10." (see for details:
> http://blogs.msdn.com/b/windows_hardware_certification/archive/2015/04/01/driver-signing-changes-in-windows-10.aspx).
> My English is not that good, but I think this sentence means that if you
> buy a non-EV cert before Win10 release (AKA 2015/7/29), you can use the
> cert to sign a driver to any platform including Win10 until it expires. So
> you can just buy a 3-year long cert before 7/29 and use it to sign any
> drivers for these 3 years. 3 years later, we have no other choice but to
> buy an EV cert, but who knows whether Microsoft would change its driver
> signing policy again then?
> >
> > Am I understanding it right?
> >
>
> Hi Yang,
>
> That's not my understanding. What matters here is the driver signing
> timestamp, and not the expiry date of your certificate.
> You have 3 cases:
> - a driver signed with a timestamp prior to the 29th of July will still
> load for backward compatibility (same rules as previous Windows versions)
> - for drivers with a signature timestamp from the 29th of July or later,
> you need to upload your signed driver on Microsoft portal to get a counter
> signature that will allow to install it on Windows 10
> - 90 days after the 29th of July, the portal will not accept anymore
> drivers not signed with an EV certificate
>
> So as you see the grace period will be short and you cannot escape from
> the purchase of an EV certificate (unless you hurry up to polish your
> driver before the deadline;)). Even the counter signature step seems a bit
> painful (I have not tried it myself yet).
>
> Pascal.
>
I agree the intentions are not clear.  The statement "*To ensure backwards
compatibility, drivers which are properly signed by a valid cross-signing
certificate that was issued before the release of Windows 10 will continue
to pass signing checks on Windows 10.*" implies to me that it's the date of
the cross-signing certificate that counts.

IMHO if it was the driver signing date, then the sentence should have
read "*...
drivers which are properly signed by a valid cross-signing certificate that
were signed before ...*"

Currently, when signing kernel-mode drivers you currently have to use the
MS cross-signing appropriate to the issuer of your SPC.  I checked the one
we use in the day job, it was issued Feb 22 2011 and it's valid until Feb
22 2021.  Of course MS may revoke that cert, but then existing signed
drivers for Windows < 10 will also fail.

I'll try to get some clarity on this.

-- 
Graham Bloice

Re: [Wireshark-dev] Windows driver signing certificate purchase decision for WinPcap and Npcap

2015-07-20 Thread Pascal Quantin
On 21 Jul 2015 4:15 AM, "Yang Luo" wrote:
>
> Hi list,
>
> There's only 8 days left for Win10 RTM. It seems that both WinPcap and
Npcap need to decide which kind of Windows driver signing certificate to
buy. There are two kinds of certs: EV cert and non-EV cert.
>
> AFAIK, I think we don't need to buy an EV cert yet, as EV cert is
complicated to use (has to use a hardware key) and much more expensive. You
should have found out that current Npcap driver CAN be successfully
installed into Windows 10 Insider Preview 10240 x64 ( which is a candidate
for Win10 RTM) WITHOUT disabling "Driver Signature Enforcement". The reason
turns out to be: "To ensure backwards compatibility, drivers which are
properly signed by a valid cross-signing certificate that was issued before
the release of Windows 10 will continue to pass signing checks on Windows
10." (see for details:
http://blogs.msdn.com/b/windows_hardware_certification/archive/2015/04/01/driver-signing-changes-in-windows-10.aspx).
My English is not that good, but I think this sentence means that if you
buy a non-EV cert before Win10 release (AKA 2015/7/29), you can use the
cert to sign a driver to any platform including Win10 until it expires. So
you can just buy a 3-year long cert before 7/29 and use it to sign any
drivers for these 3 years. 3 years later, we have no other choice but to
buy an EV cert, but who knows whether Microsoft would change its driver
signing policy again then?
>
> Am I understanding it right?
>

Hi Yang,

That's not my understanding. What matters here is the driver signing
timestamp, and not the expiry date of your certificate.
You have 3 cases:
- a driver signed with a timestamp prior to the 29th of July will still
load for backward compatibility (same rules as previous Windows versions)
- for drivers with a signature timestamp from the 29th of July or later,
you need to upload your signed driver on Microsoft portal to get a counter
signature that will allow to install it on Windows 10
- 90 days after the 29th of July, the portal will not accept anymore
drivers not signed with an EV certificate

So as you see the grace period will be short and you cannot escape from the
purchase of an EV certificate (unless you hurry up to polish your driver
before the deadline;)). Even the counter signature step seems a bit painful
(I have not tried it myself yet).

Pascal.

[Wireshark-dev] Windows driver signing certificate purchase decision for WinPcap and Npcap

2015-07-20 Thread Yang Luo
Hi list,

There's only 8 days left for Win10 RTM. It seems that both WinPcap and
Npcap need to decide which kind of Windows driver signing certificate to
buy. There are two kinds of certs: EV cert and non-EV cert.

AFAIK, I think we don't need to buy an EV cert yet, as EV cert is
complicated to use (has to use a hardware key) and much more expensive. You
should have found out that current Npcap driver CAN be successfully
installed into Windows 10 Insider Preview 10240 x64 ( which is a candidate
for Win10 RTM) WITHOUT disabling "Driver Signature Enforcement". The reason
turns out to be: "To ensure backwards compatibility, drivers which are
properly signed by a valid cross-signing certificate that was issued before
the release of Windows 10 will continue to pass signing checks on Windows
10." (see for details:
http://blogs.msdn.com/b/windows_hardware_certification/archive/2015/04/01/driver-signing-changes-in-windows-10.aspx).
My English is not that good, but I think this sentence means that if you
buy a non-EV cert before Win10 release (AKA 2015/7/29), you can use the
cert to sign a driver to any platform including Win10 until it expires. So
you can just buy a 3-year long cert before 7/29 and use it to sign any
drivers for these 3 years. 3 years later, we have no other choice but to
buy an EV cert, but who knows whether Microsoft would change its driver
signing policy again then?

Am I understanding it right?



Cheers,
Yang