Can I self-sign user-mode USB drivers, or do I need to go through the Hardware Program?


Microsoft has deprecated their support for cross-signed root certificates for kernel-mode drivers: https://knowledge.digicert.com/alerts/Kernel-Mode.html

I occasionally release software with USB drivers (as a pair of .inf and .cat files). Until now, I have been signing them with signtool, using:

signtool.exe sign /a /ac $ROOT_CA_CERTIFICATE /tr $TIMESTAMP_SERVICE_URL /td SHA256 $MY_CAT_FILE

and verifying by:

signtool.exe verify /v /kp $MY_SIGNED_CAT_FILE

Under the recent deprecation, this no longer works (details below). The apparent alternative seems to be treating my driver as though it were kernel-mode, and going through Microsoft's full qualification route -- which seems like way more than I need, and has a lot of new requirements on the way.

Is there an easier way to self-sign my driver, given that it does not require kernel-mode?

(I am not well-versed in signtool and code-signing, so don't hesitate to tell me if I'm missing something obvious!)


Details on the signature/verification failures I'm receiving:

  • If I continue to sign using /ac $ROOT_CA_CERTIFICATE, I get the following error, which seems due to the expiration of the cross-certificate:
    Signtool Error: The provided cross certificate would not be present in the certificate chain.

  • If I leave that out, I can successfully sign, but verification both with and without the /kp flag fails. Here's with the flag:
    SignTool Error: Signing Cert does not chain to a Microsoft Root Cert.
    And here's without it:
    SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.


Many thanks!
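The two verify errors above come from the same place: the trust provider builds the signer's chain and then applies either the default policy (root must be locally trusted) or, with /kp, the kernel-mode policy (root must be a Microsoft root). The following PowerShell diagnostic is an added example, not part of the original post; it assumes the script is saved as a .ps1 and given the path to the signed .cat file, and it uses a subject-name match for "Microsoft" as a heuristic for a Microsoft root.

```powershell
# Added diagnostic (not from the original post): walk a signed .cat file's
# signer chain the way the trust provider does, and report which of the two
# 'signtool verify' failures described above applies to it.
param([Parameter(Mandatory)][string]$CatFile)   # path to the signed catalog (assumed argument)

$sig = Get-AuthenticodeSignature -FilePath $CatFile
"Authenticode status : $($sig.Status) ($($sig.StatusMessage))"
if (-not $sig.SignerCertificate) { throw "No Authenticode signature found on $CatFile" }

$signer = $sig.SignerCertificate
"Signer              : $($signer.Subject)"
"Valid               : $($signer.NotBefore) .. $($signer.NotAfter)"

# The signing certificate must carry the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3).
$ekuExt = $signer.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasCodeSigning = [bool]($ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' }))
"Code Signing EKU    : $hasCodeSigning"

# Build the chain against this machine's certificate stores, as the default
# (non-/kp) verification does. Revocation is skipped so the check runs offline.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($signer)
"Chain builds        : $built"
foreach ($el in $chain.ChainElements) {
    "  -> $($el.Certificate.Subject)"
    foreach ($st in $el.ChainElementStatus) { "       status: $($st.Status) - $($st.StatusInformation.Trim())" }
}

# /kp additionally requires the chain to end in a Microsoft root. A self-signed
# root can never satisfy that, whatever the local trust stores say.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$rootIsMicrosoft = $root.Subject -match 'Microsoft'   # heuristic, assumed for this example
"Root                : $($root.Subject)"
"Microsoft root      : $rootIsMicrosoft  (what 'verify /kp' requires)"

if (-not $built) {
    "=> chain terminates in a root the trust provider does not trust (the error seen without /kp)"
} elseif (-not $rootIsMicrosoft) {
    "=> chain is trusted locally but does not end in a Microsoft root (the error seen with /kp)"
} else {
    "=> chain satisfies both policies"
}
```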

Hi @Ziv_W,

We appreciate you reaching out to us on your inquiries related to the MSIX toolkit. However, the SignTool that you have been using is owned by the Visual Studio team.

I've reached out to their internal team requesting an answer to your question, as well as guidance on where their online community resides.

I will update you once I know more.

Thank you,

Roy MacLachlan

Thank you, @Roy_MacLachlan! Much appreciated.

This forum is where I saw what seemed to be related questions, about certificates and signing drivers. If there's another good tool to use, that might be a good solution too. Thanks!