OK, I am working on developing a USB device. I have created a custom Windows driver for the device based on a pre-made Windows driver from my MCU manufacturer. The driver works fine on Windows XP, and Windows 7 (32-bit), BUT on my Windows 7 64-bit machine, it will not let me use the driver. The driver will install just fine but when I go to the driver properties (in Device Manager) it says "This driver is not digitally signed by Microsoft" and it will not let me use it. I REALLY don't want to pay 100's of dollars to Microsoft and hours of time to get this driver certified (for several reasons). Is there any way I can get around this other than telling my customers to go back to XP??? PLEASE HELP!

+1  A: 

For testing purposes, you can enable the test certificate and self-sign the driver.

To actually release it in the wild, it needs to be digitally signed to run on 64-bit systems, and there's no way around this. What are your reasons for not wanting to go through the signing process?

Anon.
The signing process is expensive and complicated. It makes sense for companies like nVidia. For a small shop banging out low volume devices... the costs of the signing process can entirely kill the profitability of a product.
Chris Becke
Well first of all, I would have to pay for a Verisign ID which expires after a period of time (1 to 3 years). Then I would have to pay a certification fee per OS that I want to certify for. And my budget on this project is already higher than I wanted it to be. Second, I just don't like the principle of the thing. I won't rant on here because it won't accomplish anything but I just don't like that Microsoft is forcing me into their certification process. Why is this only a problem on 64 bit OS's?
Jordan S
Chris, you are exactly right. I work for "a small shop banging out really low volume devices".
Jordan S
If you pay for an SPC, you don't need to also pay Microsoft for each class of operating system you want to sign. You only need that if you decide to go through WHQL.
Anon.
As far as this only happening on 64-bit operating systems ... it's an important security measure against malware, but it's a breaking change if applied to an existing system.
Anon.
Anon can you give me a little more info on this SPC?
Jordan S
The Kernel Mode Code Signing Walkthrough whitepaper (http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx) goes through the process of signing release builds with an SPC.
Anon.
What is to stop you from using a test certificate for production software? Is it impossible or illegal?
Jordan S
If my company already has an SSL license, is it possible to use that to save us some money to get a code signing cert?
Jordan S
Using a test certificate requires you to install it into the root Trusted Certificate Authorities, which then makes the machine show "TEST PURPOSES ONLY" in various locations.
Anon.
I'm not sure how already having an SSL license affects things - you'd likely want to talk to the issuing CA and see if they would also supply you with an SPC.
Anon.
+3  A: 

You don't have to submit your drivers for WHQL certification. Microsoft only demands that your code is signed with a digital certificate. You can choose where you buy the certificate; GoDaddy sells them for 179 $ per year.

EDIT: Microsoft has a deal with Verisign: first year for 99$. https://winqual.microsoft.com/help/default.htm#obtaining%5Fa%5Fverisign%5Fclass%5F3%5Fdigital%5Fid.htm

ZippyV
If my company already has an SSL license, is it possible to use that to save us some money to get a code signing cert?
Jordan S
No they are not compatible. Is 179$ per year already too much?
ZippyV
No I don't think so. I might just get the VeriSign ID though. They are running a special for 99$ for the first year...
Jordan S
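
The two signing paths discussed in the answers above (test signing for development machines, and release signing with an SPC instead of WHQL), as an added example that is not part of the original thread. The tools are the ones shipped with the Windows SDK/WDK; every path, store name, subject name, the timestamp URL and the cross-certificate file name below are placeholder assumptions.

```powershell
# Added example. All names below are hypothetical placeholders, not values from the thread.
$pkg   = 'C:\drivers\mydevice'                 # folder holding mydevice.inf and mydevice.sys
$cat   = Join-Path $pkg 'mydevice.cat'         # catalog file named in the INF
$sys   = Join-Path $pkg 'mydevice.sys'
$tsUrl = 'http://timestamp.example.invalid'    # placeholder: use your CA's timestamp server

# Build the catalog for 64-bit Windows 7 from the INF (needed for both paths).
inf2cat.exe "/driver:$pkg" /os:7_X64

# --- Path 1: test signing (development and test machines only) ---------------
# Let this machine load test-signed kernel code. Needs an elevated prompt and a
# reboot, and puts the "Test Mode" watermark on the desktop.
bcdedit.exe /set testsigning on

# Create a self-signed test certificate in a private store and export the public part.
$testCer = Join-Path $pkg 'mytest.cer'
makecert.exe -r -pe -ss PrivateCertStore -n "CN=MyDevice Test Cert" $testCer

# Trust the test certificate on the test machine only.
certmgr.exe /add $testCer /s /r localMachine root
certmgr.exe /add $testCer /s /r localMachine trustedpublisher

# Sign the catalog with the test certificate.
signtool.exe sign /v /s PrivateCertStore /n "MyDevice Test Cert" /t $tsUrl $cat

# --- Path 2: release signing with a purchased SPC (no WHQL submission) -------
# The SPC is assumed to be installed in the current user's "My" store. Kernel-mode
# signing also needs the cross-certificate Microsoft publishes for the issuing CA.
$crossCert = Join-Path $pkg 'issuing-ca-cross-cert.cer'   # placeholder file name
signtool.exe sign /v /ac $crossCert /s My /n "My Company, Inc." /t $tsUrl $cat

# --- Check the result against the kernel-mode signing policy -----------------
# /kp applies the same policy the 64-bit loader enforces; a failure here means
# the driver will also be refused at load time.
signtool.exe verify /kp /v /c $cat $sys
if ($LASTEXITCODE -ne 0) {
    Write-Error "Signature does not satisfy kernel-mode code signing policy"
}
```

Run only one of the two signing paths per build; the `verify /kp` check passes for a test-signed package only on a machine that trusts the test certificate.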