Submit executable for signing about btrfs HOT 38 CLOSED

I can get it attestation signed and volunteer to do so (once it is stable). I don't have an old certificate, so it won't work on Vista x64.

from btrfs.

Thanks for your help everybody, I now have a signed driver which works. I'll release a signed version in the next few days.

To summarize, for anybody reaching this page via Google and as confused as I was:

• You only need a code-signing certificate, not - contrary to what certain companies might say - a more expensive EV certificate.
• An EV certificate is only required on the latest versions of Windows 10, but you can get round this by disabling Secure Boot
• Even if you have an EV certificate, you don't (contrary to what Microsoft say) need to go through WHQL to get it to work (according a thread on Dokan's pages, anyway)
• WHQL apparently rejects out-of-hand any driver released under an open-source licence (because they can)
• You are unlikely to be able to get an EV certificate unless you have a company
• If you are writing open-source drivers, the best place to get a certificate is Certum. Expect to pay roughly €100 for a card reader, and €30 a year for the certificate.
• You need to sign both your sys file and your cat file. Your cat file is created from your inf file by the Microsoft tool inf2cat. There's a good but wordy guide at http://www.davidegrayson.com/signing/.

from btrfs.

Hello, now that the driver has hit "stable", would it be possible to sign it with Microsoft approved certificate somehow ?

from btrfs.

Thanks Martin, I might take you up on that offer. The driver doesn't work on Vista anyway!

from btrfs.

@maharmstone:
I have no experience with GoDaddy, so I cannot tell which of their certificates are suitable for driver signing and which are not. CAs I have experience with (Symantec, COMODO, Certum) offer two types of code signing certs:

• Standard Code Signing - until Windows 10 Anniversary Update, drivers signed by these certs run "everywhere". The good thing about them is that some CAs (like Certum) offer them to individuals (who pass the identity verification process). You just sign your driver using SignTool (better to do both SHA-1 and SHA256 signing), there is no need to send it to Microsoft.

• EV Code Signing - available only for companies (and the verification process is probably tougher than in case of individuals. But I have no practical information since I own no company :-) ). The attestation signing is required for the signatures to work on W10 with Secure Boot.

As for the Secure Boot and driver signing, there were some posts related to it on OSR Online mailing lists. I will cite the important one here:
--BEGIN---CITATION---
Any time the conversation turns to driver signing, my head hurts.

I spend half my time on this topic telling people "No, no... it really is straight forward" and I spend the OTHER half of my time on this topic telling DIFFERENT people "No, no... it's not nearly as simple as you think."

I had a conversation with a very senior (and helpful) PM type at MSFT recently, who made it all very simple:

 1. All x64 kernel-mode modules needs to be signed
 2. The necessary signing is "sign and cross-sign"
 3. EXCEPT if Secure Boot is enabled, THEN the signing needs to be by MSFT.

That IS simple. And that IS correct. And that IS enough for at least 75% of the people who author kernel modules.

It just doesn't account for (a) the details, (b) the exceptions.
---END-CITATION---

It is ture that there is quite a confusion around the driver signing and this topic appears quite often on OSR.

BTW the mailing lists are REALLY good sources of information, I strongly recommend to substcribe and search them (available on the web) when you run into a trouble.

BTW2: If you wish to play with a driver signed with the Standard Code Signing cert, you may try my IRPMon (https://github.com/MartinDrab/IRPMon). The 0.8 release is signed (all binaries, not only the drivers). It loads well for me on WIndows 8.1 x64 and I think I did some tests on Windows 10 with no Secure Boot too. I signed the binaries with my recent Certum cert. I can publish my signing cript for the IRPMon for an inspiration.

from btrfs.

I purchased my own EV cert for WinFsp from DigiCert. The process was very smooth and fast. I think the cost was a bit less than $500 as they were running a promotion at the time. The certificate came in a USB hardware token that I have to use when I sign. I purchased the certificate through my company and not as an individual.

I strongly recommend DigiCert based on my experience.

[The following is from memory so it may not be entirely accurate.]

The EV cert is necessary in order to get an account with Microsoft's hardware dev portal (formerly sysdev). This is unfortunately required if you want your driver to run on Win10.

Different versions of Windows have different driver signature requirements:

• Up to Win10 (and prior to the "anniversary update") signing your driver with your certificate was all that was necessary. For this reason I always sign my driver with my EV cert.

• From Win10 "anniversary update" onwards a Microsoft signature is required. For this purpose you must submit the signed driver to the hardware dev portal for "attestation" signing. Microsoft adds its own signature to the driver and now the driver can run on all versions of Windows up to and including Win10 "anniversary update". This does not include Win Server 2016 though :-\

• For Win Server 2016 you must also install the Windows Hardware Lab Kit and run some tests on your driver on a Win Server 2016 system. Luckily you do not need to pass all file system tests (which would be practically impossible), but you do have to pass some hypervisor tests, etc. The Hardware Lab Kit will produce a result file that you can then sign with your EV cert and submit to the hardware dev portal together with your driver. This will add another signature to your driver, which now lets it run on Server 2016!

As you can see releasing a driver for Windows is a major PITA. In the WinFsp case I only do "attestation" signing for beta releases and do the full on server signing process for major releases only (and it still takes me a good few hours -- that is assuming that Microsoft has not changed/broken the process again).

Maybe the guys who release kProcessHacker would be willing to sign the driver? It's worth asking around at a few of the open source projects that release drivers, for example, process hacker, dokan, and WinFSP.

I assume that the CA would probably frown upon such use of its certificates. IANAL but I also assume that there are legal implications associated with the process of signing a binary.

So although my first instinct is to help, I think that the best solution is for this project to try to acquire its own certificate.

from btrfs.

It's prohibitively expensive, as I gather - I think it's somewhere in the region of a thousand dollars or so. I think it would be better, once the driver is finished, to try and find someone who has a key already who wouldn't mind signing it for me.

from btrfs.

@maharmstone Maybe the dokany people might hook you up with the people signing their FUSE driver. Seems like there would be some audience overlap between your project and theirs, so possibly the people signing their driver would be interested in also signing yours.

Also, made a hail mary pass and asked a senior PM (in charge of console and LXSS) at MSFT on Twitter if he could hook you up. It's unlikely, I guess, but talking to an actual developer/manager at MSFT might get you more traction vs the sales team.

from btrfs.

ReactOS has a signing key. Or at least they had, apparently their certificate expired. But maybe they'll renew it sometime, I think it'd be worth getting in touch with them.

They might do another Kickstarter or something if there's enough demand from other projects.

from btrfs.

fpqc - Thanks for the hint, I'll have a look into it.

darkstar - I've already talked to ReactOS, and yes, their certificate has expired. Unfortunately.

from btrfs.

You might want to look into StartSSL's class2 offers. I might get a class2 verification in the near future which which qualifies for a code signing certificate. If that would help contact me.

from btrfs.

@pschichtel This is kernel mode signature enforcement. You need to either have a highly trusted key or have the driver signed by Microsoft. The sig doesn't attest to identity. It certifies it as not being a rootkit. I think MS is actually only grandfathering in certain old keys, but soon they will only allow MS-signed drivers.

from btrfs.

@fpqc thanks for the info, I was not aware of that.

from btrfs.

@maharmstone You might want to ask the guys who make process hacker too. They also have a kernelmode driver they can install for kprocesshacker. Don't know if they have their own key or if they use someone else's, but they might be able to get you in touch with someone.

from btrfs.

@uroni That's very generous of you. Thanks! (from a user).

from btrfs.

So anyway, why not make a donate button? What users donated may can't afford the cost of the key, but should be helpful to you.
By the way, I am a Chinese user, so if you want make a donate button, adding an Alipay donate button may be good.

from btrfs.

Okay, you persuaded me :-) I've added a donations section to the readme. I'm not sure what the URL is for an Alipay donation, as their website isn't very friendly for non-Chinese-speakers, but my account there is [email protected].

from btrfs.

@maharmstone It since that your Alipay account is disabled "find me by email" in "privacy setting", so I can't find you at Alipay. Evil Alipay...
Alright, Paypal is good enough, even if I can't use it. (becouse I do not have credit card. Very sorry.)

from btrfs.

Alipay is not friendly for non-Chinese user, not only for website, but anything. So... Just forget Alipay..._

from btrfs.

Well, I did actually try to buy a certificate from GoDaddy... only to have them refund me several weeks later, saying that they no longer issue certificates to individuals, only corporations. So much for that!

from btrfs.

What do they define as a "corporation"? Here in Australia, an individual can hold an "ABN" (Australian Business Number), which basically defines that individual as a "business" in a legal sense. I'd have to check the status of mine, but assuming this was sufficient, someone such as myself could possibly obtain a certificate and sign a release on your behalf.

Is there a similar loop-hole that could be exploited to obtain such a certificate?

Failing that, perhaps this is something the Linux Foundation could perhaps pursue, as I feel having btrfs available on Windows would be of great benefit to the community.

from btrfs.

@maharmstone Did you try asking @uroni again?

from btrfs.

@maharmstone

Did you looked at certificates offered by Certum?
https://www.certum.eu/certum/cert,offer_code_signing.xml

The standard code signing one is quite cheap (well, you may pay some extra 150 EUR for a smart card + reader if you do not have a compatible set, however, that should be only for the first time, I hope), especially one for open source developers. The problem is that the EV certificate is available only for companies. However, the standard code signing should work everywhere except WIndows 10 post-Anniversary booted with Secure Boot.

I have recently purchased a standard code signing cert from them (as an individual) and all went really smoothly (much smoother than with Symantec/VeriSign). Certum also clearly says what documents they require from you which is pretty nice since you may get ready before you make the purchase:
https://www.certum.eu/certum/cert,expertise_tsupp_cs_requaired.xml

from btrfs.

@sjlongland

IIRC I read a blog post from someone that purchased an EV certificate (for SSL, not code signing) for his ABN as a company, so the thing may be worth a try. Unfortunately, I do not have a link to the post.

from btrfs.

@MartinDrab - that's interesting. Are you certain that (with Secure Boot turned off) you can load drivers if they're signed with non-EV certificates? Go Daddy say that a "driver-signing certificate", which is what they call an EV certificate, is required for kernel drivers on Vista and above, but I can't see this repeated anywhere else!

from btrfs.

Maybe the guys who release kProcessHacker would be willing to sign the driver? It's worth asking around at a few of the open source projects that release drivers, for example, process hacker, dokan, and WinFSP.

The guy @billziss-gh is a really nice guy (talked to him on the WSL github). I'm tagging him and maybe he'll show up here!

from btrfs.

It also depends on whether you are booting with Secure Boot, or whether your WIndows 10 are a fresh installation or and upgrade from a previous OS version.

I assume that the CA would probably frown upon such use of its certificates. IANAL but I also assume
that there are legal implications associated with the process of signing a binary.

I thought so too but it seems nobody cares in practice. For example, a vulnerability in an old Virtualbox driver was being abused ITW and Oracle seemed not to care about revoking the signing cert. Probably, different laws in different countries are the problem, since the law enforcement has troubles to reach someone from different country. I experienced similar sort of problems when acquiring a certificate from Symantec some years ago (I finally passed the verification process but it was really difficult to obtain necessary documents in Czech Republic).

from btrfs.

@billziss-gh I think if you did an inspection of the code, compiled it, and signed with your cert, then it was sent onward to MS's hardware dev portal (possibly with funding from this community), you should be legally clear. I know that the ReactOS foundation had a driver signing program for opensource drivers a few years ago until their certificate expired, but if you'd be uncomfortable doing so, I guess maybe Mark could shop around to a few of the other OSS projects with driver signing certs.

I think the main problem is that he doesn't have a business that could be certified for that level of trust to get an appropriate cert.

from btrfs.

Just donated a small amount to help with the signing costs. Any updates about the status?

from btrfs.

Received it, thank you very much. I've ordered a certificate from Certum, as recommended above, and am currently waiting for it to come through. Hopefully it'll work!

from btrfs.

@maharmstone have you been able to get an EV cert from them?

from btrfs.

No, I'm trying with a normal one. I'll just ask for a refund if it doesn't work.

from btrfs.

I am afraid it will not work for Windows 10 signing as you will not be able to create a "hardware dev portal" account, and you will not be able to submit your driver for "attestation" signing. I would love to be proven wrong.

from btrfs.

I think you're right in that regard - at least for modern versions of Windows 10 with Secure Boot turned off - but from what I've read the WHQL doesn't allow GPL licences anyway, so it's a moot point.

from btrfs.

I am afraid it will not work for Windows 10 signing as you will not be able to create a "hardware dev portal" account, and you will not be able to submit your driver for "attestation" signing. I would love to be proven wrong.

I may test this case tomorrow or during this weekend (I have a Windows 10 Creators Update installed here). But my drivers always worked for me even on Windows 10 (with no Secure Boot), signed by a non-EV cert.

I think you're right in that regard - at least for modern versions of Windows 10 with Secure Boot turned
off - but from what I've read the WHQL doesn't allow GPL licences anyway, so it's a moot point.

You actually do not need to pass the WHQL tests, You may just sign your driver withou your cert and it should load.

The purchase procedure took several days in my case, mostly because I was waiting for a devlivery of the smardcard. Then, I generated private keys and submitted the certificate to them (together with my ID and an utility bill). That proceeded in a matter of hours (even during a weekend).

from btrfs.

@maharmstone Do you have any news on releasing signed version?

from btrfs.

from btrfs.

Ah, I see version 1.0.1, thank you so much!

from btrfs.