On 21 July 2015 at 11:25, Pascal Quantin <[email protected]> wrote:
> On 21 Jul 2015 11:38 AM, "Graham Bloice" <[email protected]> wrote:
> >
> > On 21 July 2015 at 07:06, Pascal Quantin <[email protected]> wrote:
> >>
> >> On 21 Jul 2015 4:15 AM, "Yang Luo" <[email protected]> wrote:
> >> >
> >> > Hi list,
> >> >
> >> > There are only 8 days left for Win10 RTM. It seems that both WinPcap and Npcap need to decide which kind of Windows driver signing certificate to buy. There are two kinds of certs: EV cert and non-EV cert.
> >> >
> >> > AFAIK, I think we don't need to buy an EV cert yet, as EV cert is complicated to use (has to use a hardware key) and much more expensive. You should have found out that current Npcap driver CAN be successfully installed into Windows 10 Insider Preview 10240 x64 (which is a candidate for Win10 RTM) WITHOUT disabling "Driver Signature Enforcement". The reason turns out to be: "To ensure backwards compatibility, drivers which are properly signed by a valid cross-signing certificate that was issued before the release of Windows 10 will continue to pass signing checks on Windows 10." (see for details: http://blogs.msdn.com/b/windows_hardware_certification/archive/2015/04/01/driver-signing-changes-in-windows-10.aspx). My English is not that good, but I think this sentence means that if you buy a non-EV cert before Win10 release (AKA 2015/7/29), you can use the cert to sign a driver to any platform including Win10 until it expires. So you can just buy a 3-year long cert before 7/29 and use it to sign any drivers for these 3 years. 3 years later, we have no other choice but to buy an EV cert, but who knows whether Microsoft would change its driver signing policy again then?
> >> >
> >> > Am I understanding it right?
> >> >
> >>
> >> Hi Yang,
> >>
> >> That's not my understanding. What matters here is the driver signing timestamp, and not the expiry date of your certificate.
> >> You have 3 cases:
> >> - a driver signed with a timestamp prior to the 29th of July will still load for backward compatibility (same rules as previous Windows versions)
> >> - for drivers with a signature timestamp from the 29th of July or later, you need to upload your signed driver on Microsoft portal to get a counter signature that will allow to install it on Windows 10
> >> - 90 days after the 29th of July, the portal will not accept anymore drivers not signed with an EV certificate
> >>
> >> So as you see the grace period will be short and you cannot escape from the purchase of an EV certificate (unless you hurry up to polish your driver before the deadline ;)). Even the counter signature step seems a bit painful (I have not tried it myself yet).
> >>
> >> Pascal.
> >
> > I agree the intentions are not clear. The statement "To ensure backwards compatibility, drivers which are properly signed by a valid cross-signing certificate that was issued before the release of Windows 10 will continue to pass signing checks on Windows 10." implies to me that it's the date of the cross-signing certificate that counts.
> >
> > IMHO if it was the driver signing date, then the sentence should have read "... drivers which are properly signed by a valid cross-signing certificate that were signed before ..."
> >
> > Currently, when signing kernel-mode drivers you currently have to use the MS cross-signing appropriate to the issuer of your SPC. I checked the one we use in the day job, it was issued Feb 22 2011 and it's valid until Feb 22 2021. Of course MS may revoke that cert, but then existing signed drivers for Windows < 10 will also fail.
> >
> > I'll try to get some clarity on this.
> >
>
> If this is the case it would be very good news, but in that case I do not understand the 90 days deadline for the driver submission without EV signing on Microsoft portal.
> Anyway we will get the answer very soon :)
>

Maybe they expect a big rush of driver signing requests with the release of Win 10, and know that the EV requirement will take time to get in place.

--
Graham Bloice
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe
