eiz / SynchronousAudioRouter

Low latency application audio routing for Windows
http://sar.audio/
GNU General Public License v3.0

SAR still unsigned. #86

Open EarthasaurusRex opened 4 years ago

EarthasaurusRex commented 4 years ago

I've been trying 0.12 and 0.13 and they all seemed to be unsigned for me.

ghost commented 4 years ago

I've recently just got it to start working! Check this link here for ways to install unsigned drivers:

https://www.supportrix.com/kb/how-to-install-unsigned-drivers-in-windows-10/

I've tried using the Advanced Boot Menu method and it worked for me. You should be able to check whether the driver is working in the Device Manager (using the search function should bring it up for you) under "Sound, video, and game controllers." If "Synchronous Audio Router" has an exclamation icon next to it then it means that Windows won't run it. After getting it installed properly it should disappear. Hope this helps!

EDIT: This method seems to deactivate the driver upon restart; I tried using the enable test mode method and SAR still worked after several reboots after so maybe you could try that too if you'd like.

ramonsmits commented 3 years ago

Release 0.13.2 is not signed. I could install 0.13.1 without issues. Will future releases be signed again? I read the following https://github.com/eiz/SynchronousAudioRouter#unsigned-prereleased-drivers-note

Prereleases of SAR are unsigned. That means that it is required to enable testsigning boot option to make Windows load the driver. Else the driver won't be loaded.

However, I just looked at the releases and all releases are marked pre-release. Release 0.13.1 is signed and I could install that without any issues.

amurzeau commented 3 years ago

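Signing a driver for Windows 10 requires:

  • understanding the complex process of signing a driver by Microsoft
  • and probably a registered enterprise or maybe just a AD directory
  • a lot of money for an EV certificate (around 600€ / year)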

Previous releases were signed using an older certificate that is now expired.

Maybe eiz is working on it, but sadly that's a lot of administrative work to get it signed. (which I'm not willing to do, this is too much for me and I don't have any issues using Windows with testsigning enabled).

lahwran commented 3 years ago

what sort of bounty would you/eiz need in order to be willing to go through the process for a given renewal period?

amurzeau commented 3 years ago

See also: https://discord.com/channels/373750800947871745/731985642950754366/799747195841937448

Now, signing a driver requires heavy administrative stuff (like having a registered enterprise). And that's mostly the issue, not a money issue. To quote eiz in the above discord link:

from time to time people have offered to chip in money to help solve this problem, and it's 100% not the issue. I can pay for any fees. The issue is I don't have the time or patience to navigate this bullshit, they just keep making it more and more complicated and locking things down more

See also: https://github.com/eiz/SynchronousAudioRouter/issues/86#issuecomment-769951998 https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/register-for-the-hardware-program https://www.reddit.com/r/windowsdev/comments/aloemr/just_what_is_needed_to_sign_a_windows_driver/eg1sow3?utm_source=share&utm_medium=web2x&context=3 https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release

btnmasher commented 3 years ago

Reading that reddit thread you cited, it seems that the poster discovered that an EV certificate (the one requiring the registered enterprise and so forth) is only required for SecureBoot-compatible drivers, and a Standard Class 3 certificate can be used with SecureBoot disabled and not require testsigning mode to be enabled? Would that be a possibility?

MPeti1 commented 3 years ago

I've recently just got it to start working! Check this link here for ways to install unsigned drivers:

https://www.supportrix.com/kb/how-to-install-unsigned-drivers-in-windows-10/

I've tried using the Advanced Boot Menu method and it worked for me. You should be able to check whether the driver is working in the Device Manager (using the search function should bring it up for you) under "Sound, video, and game controllers." If "Synchronous Audio Router" has an exclamation icon next to it then it means that Windows won't run it. After getting it installed properly it should disappear. Hope this helps!

EDIT: This method seems to deactivate the driver upon restart; I tried using the enable test mode method and SAR still worked after several reboots after so maybe you could try that too if you'd like.

Did you use test mode only for installation, or you left it turned on?

Gamershy commented 3 years ago

Signing a driver for Windows 10 requires:

  • understanding the complex process of signing a driver by Microsoft
  • and probably a registered enterprise or maybe just a AD directory
  • a lot of money for an EV certificate (around 600€ / year)

Previous releases were signed using an older certificate that is now expired.

Maybe eiz is working on it, but sadly that's a lot of administrative work to get it signed. (which I'm not willing to do, this is too much for me and I don't have any issues using Windows with testsigning enabled).

I, personally, am unable to enable testsigning, so this sucks. Lmao.

ramonsmits commented 3 years ago

I, personally, am unable to enable testsigning, so this sucks. Lmao.

Just use something else then unless you want to donate a large sum of money so that someone can spend hours or days to get this done?

If not, keep your LMAO to yourself.....

lahwran commented 3 years ago

I think I was unclear before - how much would it cost to pay for someone to go through the frustration of figuring this out? I wasn't talking about paying for microsoft fees, I'm talking about cost of labor of getting it to work with microsoft's system so that the fees can be paid. My expectation is that the answer will be "geez, like, $5000 at least? I don't know?" and then that will be that unless someone turns up who wants it enough to spend either that much money to pay for the frustration-time of the core devs, or who wants to spend that-much-money's-worth of their own developer skills. But that's where I'm coming from in asking. But it's possible the answer is "If someone wanted to pay enough, I would be unwilling to accept the money due to suspicion"

Gamershy commented 3 years ago

I, personally, am unable to enable testsigning, so this sucks. Lmao.

Just use something else then unless you want to donate a large sum of money so that someone can spend hours or days to get this done?

If not, keep your LMAO to yourself.....

Uhm... I'm fairly certain you're taking my "lmao" personally. I was more laughing at my situation, not at the product/program. "this sucks" refers to it sucking that I'm unable to use the program. Please, I'm aware that it's impossible to tell inflections in text, but don't take "lmao" personally. Makes you look like a bit of a twat...

InanimateCrbnRod commented 2 years ago

Has anyone discovered a way to get this to work without the unsigned drivers option?

UPDATE: I won't have time to test until later but I tried editing the group policy so that whenever windows encounters an unsigned driver it ignores the warning. It installed easy peezy but I won't have time to see if SAR works correctly with this setup until later.

cdhowie commented 2 years ago

UPDATE: I won't have time to test until later but I tried editing the group policy so that whenever windows encounters an unsigned driver it ignores the warning. It installed easy peezy but I won't have time to see if SAR works correctly with this setup until later.

This must be an older version of Windows, or you don't have secure boot enabled. With secure boot the kernel will flatly refuse to load unsigned drivers at all; it's not a warning that can be skipped.

Yonatan-Mijelshon commented 2 years ago

Maybe if we all ponied up for the needed registering and licensing, we could get SAR into Windows 11 and into the future! The developer should launch some kind of gofundme. SAR is so much better than ALP, voicemeeter, even better than using the built in loopback functions of most audio interfaces. It makes Windows more flexible at audio routing than Mac, for chrissake

On Sat, Sep 11, 2021 at 10:53, Chris Howie @.***> wrote:

UPDATE: I won't have time to test until later but I tried editing the group policy so that whenever windows encounters an unsigned driver it ignores the warning. It installed easy peezy but I won't have time to see if SAR works correctly with this setup until later.

This must be an older version of Windows, or you don't have secure boot enabled. With secure boot the kernel will flatly refuse to load unsigned drivers at all; it's not a warning that can be skipped.


InanimateCrbnRod commented 2 years ago

Yeah how much would the cost be? I can contribute a little bit for sure. I mean, I'd certainly purchase SAR as a product. Right now I'm using ASIO Link Pro, which gets the job done but it's slightly more limited than SAR, plus it gives me issues with pro tools which just can't handle asio changes in windows. SAR would be really nice but I can't use it if I have to run in test mode.

InanimateCrbnRod commented 2 years ago

looks like the prices range from 250-500/year depending on how many years you sign up for. Unfortunately I'm pretty broke but I can probably afford around $70. If I book a good gig this month I might be able to do a little more. #freelancelife

Yonatan-Mijelshon commented 2 years ago

if the price is THAT low, from my vantage point (I use this for work every week, channeling various audio sources like Sonobus and Reaper in and out of Zoom and OBS) it would be a no brainer, really. A donation icon could be added to SAR webpage... I mean, don't we all want it to work without the unsigned driver shenanigans? I for one really want to migrate to Windows 11. I was fearing the cost for signing a driver would be up in the thousands... Look, I am in Latin America, 3rd world country, but I am willing to pledge US$100 towards this happening, and be the first to do so if needed, if the developer is reading this... please implement a donation channel, so we can jumpstart the whole process and get it by October 5, when Windows 11 will launch!

Yonatan

On Sat, Sep 11, 2021 at 15:21, InanimateCrbnRod (< @.***>) wrote:

looks like the prices range from 250-500/year depending on how many years you sign up for. Unfortunately I'm pretty broke but I can probably afford around $70. If I book a good gig this month I might be able to do a little more. #freelancelife


amurzeau commented 2 years ago

The $$ cost is not really the issue, it's the process itself. See https://github.com/eiz/SynchronousAudioRouter/issues/86#issuecomment-771972441

InanimateCrbnRod commented 2 years ago

The comment is vague, it just says it's difficult. How can we make it less difficult? I really want to support the developers and not only would I purchase the software but I have others I could convince to purchase as well. I could also maybe help in other capacities. I would just really love better asio support in windows and SAR is the best bet I've found, unfortunately it's too cumbersome for me to use in its current state without driver-signing. Any way I can help please let me know, I really want to make this happen

EDIT: I read the links below the comment and understand the situation a little better now. I would be happy to research it more and try and come up with a streamlined solution on Monday when I have free time.

amurzeau commented 2 years ago

Basically, you need to have a registered company to have an EV certificate, which is needed to get the driver properly signed. That's one of the deal breakers. See https://community.osr.com/discussion/292357/driver-signing-options-for-an-independent-developer

Tim_Roberts - September 2020

No, there is no alternative. You are correct that the GoDaddy certificate will not work for Windows 10. For Windows 10, your driver must be signed by Microsoft itself. In order to do that, you have to create a Hardware Dashboard account. To do THAT, you need an EV certificate. To do THAT, you have to be a corporation. Individuals cannot get one.

An open source driver would usually be released in source form. That doesn't need a certificate, of course. The people who want to build and use your driver would either need their own certificate, or to put their system in "test" mode.

Source is here: https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/register-for-the-hardware-program

Information I've found about signing drivers

Recent changes

Kernel-Mode Code Signing Requirements for Public Release of a Driver:

Starting with Windows 10, version 1607, Windows will not load any new kernel mode drivers which are not signed by the Microsoft through the Hardware Dev Center. Valid signatures can be obtained by either Hardware Certification or Attestation.

| Driver runs on | Drivers signed before July 1 2021 by | Driver signed on or after July 1 2021 by |
| --- | --- | --- |
| Windows Server 2008 and later, Windows 7, Windows 8 | WHQL or cross-signed drivers | WHQL or drivers cross-signed before July 1 2021 |
| Windows 10 | WHQL or attested | WHQL or attested |

Hardware Certification requires to register the hardware program:

Attestation signing requires:

  1. Acquire an EV Code Signing Certificate (This is a requirement for step 2.)
  2. Register your company for the Partner Center
  3. Download and install the Windows Driver Kit
  4. Create a CAB files submission
  5. Sign the CAB file submission with your EV Cert
  6. Submit the EV signed Cab file using the Partner Center
  7. Validate that the driver was properly signed
  8. Test your driver on Windows 10 for Desktop

Important thing to note about attestation signing:

An attestation signed driver works on Windows 10. It does not work on earlier versions of Windows, such as Windows 8.1 and Windows 7, and is not supported for Windows Server 2016 and later.

Summary

Hardware certification requires doing many tests using Windows HLK Studio and sending the result along with the driver to Microsoft. I admit I don't fully understand everything about this process. Attestation signing is "easier" but still requires a company to take over the driver signing process.

Other sources

http://wrogn.com/tag/driver-signing/ https://www.davidegrayson.com/signing/

https://www.ghacks.net/2020/11/30/reminder-supports-for-root-certificates-with-kernel-mode-signing-capabilities-ends-next-year/ https://techcommunity.microsoft.com/t5/windows-hardware-certification/driver-signing-changes-in-windows-10-version-1607/ba-p/364894 https://borncity.com/win/2021/01/07/windows-10-achtung-treibersignierung-ndert-sich-2021-alt-treiber-nicht-mehr-nutzbar/

InanimateCrbnRod commented 2 years ago

Thank you for the succinct information! I am going to do research on Monday when I'm free and reply here. If an LLC can count as a corporation and it doesn't cost much to become a Microsoft partner, then I might be able to be your corporation. Will report back later, thank you.

UPDATE: In the meantime, the developer mentioned that former versions of SAR used a now expired certificate. Would it then be possible to sign the driver using something like this? :
https://github.com/lnslbrty/PastDSE

ALSO, would just using EFIGuard allow us to run the driver for now?? I'm trying to figure out how unsecure that would make my system but a lot of this stuff is over my head

InanimateCrbnRod commented 2 years ago

Sorry, not trying to spam this thread, I am just hyper-focused on this right now (which sucks because I'm supposed to be working haha). My main problem is that my work computer is also my gaming computer and I don't want to constantly be rebooting in and out of test mode (because of anti-cheat). This github page is a little confusing but would it be possible to sign SAR with this?? and then anyone who wants to run SAR outside of test mode could just use this driver enabler?

https://github.com/valinet/ssde

amurzeau commented 2 years ago

yes you may be able to use it, if you can do this:

This can be done individually by anyone who want to try, but this can't be done globally for SAR releases as this would require everyone to use the same platform key whose private key would be public by being in GitHub release files (which I'm not comfortable with).

amurzeau commented 2 years ago

Read that README, it contains a good summary of how it works: https://github.com/HyperSine/Windows10-CustomKernelSigners (the other article is rather long)

InanimateCrbnRod commented 2 years ago

thank you so much for responding! I completely agree about not wanting to share platform keys! The article is extremely confusing for me but I'm gonna do my best to understand it when I have the time to focus on it. Thanks again. Would I really have to re-install all my past and future drivers with ssde?? That sounds like a hassle. or does it sound worse than it actually is? Thanks again

amurzeau commented 2 years ago

I think you need to sign only drivers that are unsigned but not existing drivers already signed by Microsoft. But if the SAR driver changes, you will need to re-sign it if you want to use it.

InanimateCrbnRod commented 2 years ago

Oh gotcha, that's not a problem at all! Can't wait to look into this later, I hope it works

cdhowie commented 2 years ago

Thank you all for looking into this. I appreciate the time you're putting into getting this sorted. (It's exactly the kind of thing I'd've tinkered with when I was in college but now lack the free time for. 😢 )

InanimateCrbnRod commented 2 years ago

I'm still trying to get the workaround to work using ssde. I'm almost there but ran into a snag. in the meantime, I'm trying to sign the SAR driver but I have some noob questions.

-I extracted the msi, and I see two DLLs, and two Sys files. I'm assuming I sign all four files. Do I sign them with my Kernel-Mode certificate or my root authority one? or my UEFI/PK one?? I'm assuming I use the kernel mode certificate on the two sys files, its the DLL's I am confused about

-After signing them, how do I repackage the msi, or alternatively how do I install them without the msi?

Thanks!

UPDATE: same questions apply but just wanted everyone to know that I have ssde working now and can run self-signed drivers on windows 10 now. If anyone would like to know how I can help. It's not easy and you should make a full backup of your OS drive with macrium reflect or something beforehand, but it is doable.

UPDATE 2: Okay so the snag I've hit now is that the workaround with ssde somehow disables the ability to use advanced startup so I can't disable Driver Signature enforcement to install the MSI package. My plan was to install, then sign the files individually with my own certificate. I can't use testmode without disabling secure_boot and I don't want to do that

UPDATE 3: SUCCESS!!!!!!!!! I am running the latest SAR in Reaper as we speak on windows 10 without testmode.

z0w13 commented 2 years ago

@InanimateCrbnRod I'm running into issues with the Policy file, did you generate your own or use the bin file?

InanimateCrbnRod commented 2 years ago

I used the one that was supplied, make sure you sign it with your UEFI certificate and rename it properly

On Sat, Sep 25, 2021, 3:23 PM Zowie @.***> wrote:

@InanimateCrbnRod https://github.com/InanimateCrbnRod I'm running into issues with the Policy file, did you generate your own or use the bin file?


markjfisher commented 2 years ago

UPDATE 3: SUCCESS!!!!!!!!! I am running the latest SAR in Reaper as we speak on windows 10 without testmode.

Can you perhaps give a simplified step by step process for getting this done please?

A simpler step by step process for SAR will greatly help the community and reduce the chance people will run into exactly the same issues as you did on the way.

Really glad to see some progress on this, as I've been sat in Test Mode for a few months, and would really like to have a simple process I can follow to remove that.

InanimateCrbnRod commented 2 years ago

UPDATE 3: SUCCESS!!!!!!!!! I am running the latest SAR in Reaper as we speak on windows 10 without testmode.

Can you perhaps give a simplified step by step process for getting this done please?

* did you start with no drivers installed?

* what files did you download?

* what order did you run things in, and did it require reboots?

A simpler step by step process for SAR will greatly help the community and reduce the chance people will run into exactly the same issues as you did on the way.

Really glad to see some progress on this, as I've been sat in Test Mode for a few months, and would really like to have a simple process I can follow to remove that.

I can perhaps make a step by step when I have time, but I basically just followed the guide here: https://github.com/valinet/ssde it's confusing and you have to jump back and forth between his guide and an older one but if you take your time you can get through it. just make a 1:1 mirror of your OS drive before you start just in case. Honestly though I have switched back to ASIOLINK Pro. SAR does indeed have better latency, but routing with it is very confusing and I didn't realize that you have to leave your DAW open the whole time. ASIOLINK Pro has latency that is almost as good, and is at least significantly better than voicemeeter. It just doesn't work too well with pro tools, but nothing really does anyway, it's a trash program.

Would there be a way to update SAR so that it always runs as the OS's main audio device even without the daw running? I would just love to set up permanent audio routing on my computer without having to use virtual cables all the time or use a DAW or OBS as a mixer. Basically like aggregate audio for Mac but better would be nice. I'm rambling now though sorry

markjfisher commented 2 years ago

I start SAR through Jack Audio, it uses the "ASIO: Synchronous Audio Router" as its interface, which starts the whole show going, and also sets up the routing from my pre-saved config, so no DAW running. I also run Catia at startup for easy visualization of the routing, and on the fly changes I want to make. I then have Pedalboard2 to do any VST amending of inputs to outputs (e.g. LoudMax for discord audio so I never have to edit my friends volume levels individually). I had a look at ASIO Link Pro, and didn't like the interface at all. I find SAR with Jack infinitely better. But horses for courses.

markjfisher commented 2 years ago

The issue I have with the doing the SSDE changes is the need to backup my OS before any changes. feels super OTT and risky if that's the recommendation.

MPeti1 commented 2 years ago

and I didn't realize that you have to leave your DAW open the whole time

@InanimateCrbnRod as markjfisher said, you don't need to use a full fledged DAW, but instead you can use something like Jack along with QJackCtl. Then you can set up QJackCtl to automatically start when you log in, if that's enough.

MPeti1 commented 2 years ago

The issue I have with the doing the SSDE changes is the need to backup my OS before any changes. feels super OTT and risky if that's the recommendation.

Well, you don't need to do it, but when I do such and smaller changes to Windows, first I always want to make a full backup of the system partitions in case I break something in the process.

lhwdev commented 2 years ago

I got it working with https://github.com/valinet/ssde. That document was quite confusing... I didn't know how to repackage this, so I just enabled test mode, installed, replaced files, then followed instructions.

(I also wrote up how I did it, if you wonder)

InanimateCrbnRod commented 2 years ago

Sorry I never updated on this thread all, got sidetracked and forgot. I did not end up staying with SAR. I didn't want to use Jack-router since I find their software a little tedious and I didn't want to leave a daw open all the time, plus I had trouble with Pro Tools (Reaper worked fine). I ended up going back to AsioLinkPro for routing audio out of DAWs and for application-to-application routing I use Virtual Audio Cable. I also route stuff on a per app basis which works natively in Windows 11 except for Daws and asio related programs. It's a little more manual setup but it works for my needs. If anyone still wants to give SAR a try without running test mode I can confirm that lhwdev's method works, it's exactly what I did and a much better write-up than I could have done. Thanks all!

markjfisher commented 1 year ago

Coming back to this with a new Windows 11 PC, managed to follow @lhwdev 's instructions, installed PK, root CA, kernel driver cert and platform key.

I kept secure boot off, and enabled test signing mode (with windows Test Mode showing), installed SAR latest, then manually signed all the files in the SAR install directory with my platform key using 'signtool'.

Eventually disabled signing mode, and enabled secure boot again, and both ssde and SAR are showing as running correctly.

This took me 3 reinstalls of windows 11, and a lot of time and experimenting to finally get working. The key I think was not enabling secure boot, and keeping my windows in test mode until I'd installed the latest SAR, then replaced all the install files with self signed ones, and then disabling test mode and enabling secure boot.

I don't actually understand why I need ssde at all, as I had SAR working fine after signing the files with my own platform key.

InanimateCrbnRod commented 1 year ago

Glad you got it working at least! I actually switched back to ASIOLinkPro which still works on windows 11. It suits most of my needs

On Sun, May 28, 2023, 11:29 AM Mark Fisher @.***> wrote:

Coming back to this with a new Windows 11 PC, managed to follow @lhwdev https://github.com/lhwdev 's instructions, installed PK, root CA, kernel driver cert and platform key.

I kept secure boot off, and enabled test signing mode (with windows Test Mode showing), installed SAR latest, then manually signed all the files in the SAR install directory with my platform key using 'signtool'.

Eventually disabled signing mode, and enabled secure boot again, and both ssde and SAR are showing as running correctly.

This took me 3 reinstalls of windows 11, and a lot of time and experimenting to finally get working. The key I think was not enabling secure boot, and keeping my windows in test mode until I'd installed the latest SAR, then replaced all the install files with self signed ones, and then disabling test mode and enabling secure boot.

I don't actually understand why I need ssde at all, as I had SAR working fine after signing the files with my own platform key.


markjfisher commented 1 year ago

For anyone wishing to sign files manually

signtool sign /fd sha256 /a /ac C:\win-signing\root-ca\cert.cer /f C:\win-signing\kernel-mode-driver\private.pfx /p PASS1234 /td sha256 /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp .\SarAsio.dll 

etc. I had all the files from @lhwdev 's article in c:\win-signing and the SAR files in my CWD

Yonatan-Mijelshon commented 1 year ago

SAR will work perfectly in windows 11 WITHOUT doing any self-signing. My experience is this: I had an unsupported gen 6 I5, so I googled and downloaded a Windows 11 ISO with a hack that disables the test for Secure Boot. So I ran w11 without that, from the beginning. Then, the steps to install SAR were the regular ones.

Hope this helps somebody, and hope this message doesn't break any rules!

Y

On Sun, May 28, 2023, 12:35 Mark Fisher @.***> wrote:

For anyone wishing to sign files manually

signtool sign /fd sha256 /a /ac C:\win-signing\root-ca\cert.cer /f C:\win-signing\kernel-mode-driver\private.pfx /p PASS1234 /td sha256 /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp .\SarAsio.dll

etc. I had all the files from @lhwdev https://github.com/lhwdev 's article in c:\win-signing and the SAR files in my CWD


ridingtheflow commented 10 months ago

Just FYI, you should be carefully checking SiPolicy that above instructions produce.

One from original page (Geoff Chappell's) clearly states it allows any driver. Even ones which use New-CIPolicy cmdlet have 2 significant points:

Posting this because I saw lot of assumptions from misunderstood people that above instructions are "most secure way to use self-signed drivers", because if they are followed verbatim without further correction & checking of SiPolicy, they are completely exposing your system like test mode does (and maybe even more).
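The check ridingtheflow asks for can be partly scripted. The following is an added example, not code from this thread or from the SAR project: it parses a SiPolicy XML and lists the rule options and kernel-mode allowances worth reviewing before the policy is compiled. The sample policy, its IDs and the placeholder TBS value are constructed, and the risk descriptions are this example's own summary of the rule options.

```python
import xml.etree.ElementTree as ET

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}
KERNEL_SCENARIO = "131"  # SigningScenario Value used for kernel-mode drivers

# Rule options that loosen enforcement (descriptions are this example's summary).
RISKY_OPTIONS = {
    "Enabled:Audit Mode": "violations are logged instead of blocked",
    "Enabled:Unsigned System Integrity Policy": "policy may stay unsigned",
    "Enabled:Advanced Boot Options Menu": "F8 pre-boot menu stays available",
}

# Constructed sample: rule options as in the policy posted in this thread, plus a
# made-up wildcard rule and a made-up self-signed root (placeholder TBS value).
SAMPLE_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
    <Rule><Option>Enabled:Advanced Boot Options Menu</Option></Rule>
    <Rule><Option>Enabled:Inherit Default Policy</Option></Rule>
  </Rules>
  <FileRules>
    <Allow ID="ID_ALLOW_ALL" FriendlyName="constructed wildcard" FileName="*" />
  </FileRules>
  <Signers>
    <Signer Name="Microsoft Product Root 2010 WHQL EKU" ID="ID_SIGNER_WHQL">
      <CertRoot Type="Wellknown" Value="06" />
      <CertEKU ID="ID_EKU_WHQL" />
    </Signer>
    <Signer Name="Constructed self-signed root" ID="ID_SIGNER_CUSTOM">
      <CertRoot Type="TBS" Value="CONSTRUCTED_PLACEHOLDER_TBS_HASH" />
    </Signer>
  </Signers>
  <SigningScenarios>
    <SigningScenario Value="131" ID="ID_SCENARIO_DRIVERS" FriendlyName="Drivers">
      <ProductSigners>
        <AllowedSigners>
          <AllowedSigner SignerId="ID_SIGNER_WHQL" />
          <AllowedSigner SignerId="ID_SIGNER_CUSTOM" />
        </AllowedSigners>
        <FileRulesRef>
          <FileRuleRef RuleID="ID_ALLOW_ALL" />
        </FileRulesRef>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
</SiPolicy>"""


def audit_policy(xml_text):
    """Return (kind, subject, detail) tuples for settings that deserve review."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    findings = []

    # 1. Rule options that relax enforcement.
    for opt in root.findall("si:Rules/si:Rule/si:Option", NS):
        name = (opt.text or "").strip()
        if name in RISKY_OPTIONS:
            findings.append(("option", name, RISKY_OPTIONS[name]))

    wildcard_ids = {r.get("ID") for r in root.findall("si:FileRules/si:Allow", NS)
                    if r.get("FileName") == "*"}
    signers = {s.get("ID"): s for s in root.findall("si:Signers/si:Signer", NS)}

    for scen in root.findall("si:SigningScenarios/si:SigningScenario", NS):
        if scen.get("Value") != KERNEL_SCENARIO:
            continue
        # 2. Wildcard file rules referenced by the kernel-mode scenario.
        for ref in scen.findall("si:ProductSigners/si:FileRulesRef/si:FileRuleRef", NS):
            if ref.get("RuleID") in wildcard_ids:
                findings.append(("allow-all", ref.get("RuleID"),
                                 "kernel-mode scenario allows every file"))
        # 3. Signers that are not Microsoft well-known roots.
        for ref in scen.findall("si:ProductSigners/si:AllowedSigners/si:AllowedSigner", NS):
            signer = signers.get(ref.get("SignerId"))
            if signer is None:
                findings.append(("dangling-signer", ref.get("SignerId"),
                                 "allowed signer is not defined in <Signers>"))
                continue
            cert_root = signer.find("si:CertRoot", NS)
            if cert_root is None or cert_root.get("Type") == "Wellknown":
                continue
            narrowed = any(signer.find(f"si:{tag}", NS) is not None
                           for tag in ("CertEKU", "CertPublisher", "FileAttribRef"))
            detail = ("custom root, narrowed by EKU/publisher/file attributes"
                      if narrowed else "custom root trusted for every driver it signs")
            findings.append(("custom-signer", signer.get("ID"), detail))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in audit_policy(SAMPLE_POLICY):
        print(f"[{kind}] {subject}: {detail}")
```

A custom-signer finding is expected when a self-signed kernel certificate is in use; the point is to confirm it is the only one and that its private key stays private.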

ecruz1986 commented 5 months ago

I think we need an updated guide in a way that doesn't risk having to reinstall Windows 3 times, and doesn't add those security risks... @lhwdev could you maybe review your guide?

If we have a 100% safe guide, maybe it could become "official" and be referenced in the main project page as the recommended way to install SAR.

soleera commented 5 months ago

As of Windows 11 23H2, it's possible to install the ConfigCI powershell module without needing Education/Enterprise editions:

gci $Env:SystemRoot\servicing\Packages\*ConfigCI*.mum | % { dism /online /norestart /add-package:"$_" }

This makes it much easier to customize and recompile SiPolicy.xml, addressing the problems @ridingtheflow mentioned. There's also a GUI interface called WDAC wizard to help make the policy editing process a little easier.

As an example, this is what my current working SiPolicy.xml looks like:

<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.2.2.1</VersionEx>
  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Advanced Boot Options Menu</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Inherit Default Policy</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Update Policy No Reboot</Option>
    </Rule>
  </Rules>
  <EKUs>
    <EKU ID="ID_EKU_WINDOWS" Value="010A2B0601040182370A0306" FriendlyName="" />
    <EKU ID="ID_EKU_ELAM" Value="010A2B0601040182373D0401" FriendlyName="" />
    <EKU ID="ID_EKU_HAL_EXT" Value="010A2B0601040182373D0501" FriendlyName="" />
    <EKU ID="ID_EKU_WHQL" Value="010A2B0601040182370A0305" FriendlyName="" />
  </EKUs>
  <FileRules />
  <Signers>
    <Signer Name="Microsoft Product Root 2010 Windows EKU" ID="ID_SIGNER_WINDOWS_PRODUCTION_0">
      <CertRoot Type="Wellknown" Value="06" />
      <CertEKU ID="ID_EKU_WINDOWS" />
    </Signer>
    <Signer Name="Microsoft Product Root 2010 ELAM EKU" ID="ID_SIGNER_ELAM_PRODUCTION_1">
      <CertRoot Type="Wellknown" Value="06" />
      <CertEKU ID="ID_EKU_ELAM" />
    </Signer>
    <Signer Name="Microsoft Product Root 2010 HAL EKU" ID="ID_SIGNER_HAL_PRODUCTION_2">
      <CertRoot Type="Wellknown" Value="06" />
      <CertEKU ID="ID_EKU_HAL_EXT" />
    </Signer>
    <Signer Name="Microsoft Product Root 2010 WHQL EKU" ID="ID_SIGNER_WHQL_SHA2_3">
      <CertRoot Type="Wellknown" Value="06" />
      <CertEKU ID="ID_EKU_WHQL" />
    </Signer>
    <Signer Name="Microsoft Product Root WHQL EKU SHA1" ID="ID_SIGNER_WHQL_SHA1_4">
      <CertRoot Type="Wellknown" Value="05" />
      <CertEKU ID="ID_EKU_WHQL" />
    </Signer>
    <Signer Name="Microsoft Product Root WHQL EKU MD5" ID="ID_SIGNER_WHQL_MD5_5">
      <CertRoot Type="Wellknown" Value="04" />
      <CertEKU ID="ID_EKU_WHQL" />
    </Signer>
    <Signer Name="MincryptKnownRootMicrosoftCodeVerificationRoot2006" ID="ID_SIGNER_MICROSOFT_CODEVERIFICATION_2006_0_0">
      <CertRoot Type="Wellknown" Value="08" />
    </Signer>
    <Signer Name="Localhost Kernel Mode Driver Certificate" ID="ID_SIGNER_LOCALHOST_0">
      <CertRoot Type="TBS" Value="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" />
      <CertPublisher Value="Localhost Kernel Mode Driver Certificate" />
    </Signer>
  </Signers>
  <SigningScenarios>
    <SigningScenario ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Auto generated policy on 02-06-2024" Value="131">
      <ProductSigners>
        <AllowedSigners>
          <AllowedSigner SignerId="ID_SIGNER_WINDOWS_PRODUCTION_0" />
          <AllowedSigner SignerId="ID_SIGNER_ELAM_PRODUCTION_1" />
          <AllowedSigner SignerId="ID_SIGNER_HAL_PRODUCTION_2" />
          <AllowedSigner SignerId="ID_SIGNER_WHQL_SHA2_3" />
          <AllowedSigner SignerId="ID_SIGNER_WHQL_SHA1_4" />
          <AllowedSigner SignerId="ID_SIGNER_WHQL_MD5_5" />
          <AllowedSigner SignerId="ID_SIGNER_MICROSOFT_CODEVERIFICATION_2006_0_0" />
          <AllowedSigner SignerId="ID_SIGNER_LOCALHOST_0" />
        </AllowedSigners>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
  <UpdatePolicySigners />
  <CiSigners />
  <HvciOptions>0</HvciOptions>
  <Settings />
</SiPolicy>
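
A review of the kind ridingtheflow asks for can be scripted. The following is an added example, not code from this thread or from the SAR project: it reads a SiPolicy XML and lists what the kernel-mode driver scenario (Value="131") actually trusts. The `audit` function, the set of options it reports, and the embedded sample policy are assumptions made for illustration, and the checks are not exhaustive.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:schemas-microsoft-com:sipolicy"}
REVIEW_OPTIONS = {  # rule options worth a second look, and what each permits
    "Enabled:Unsigned System Integrity Policy": "policy is not required to be signed",
    "Enabled:Audit Mode": "violations are logged, not blocked",
    "Enabled:Advanced Boot Options Menu": "F8 preboot menu stays available",
}

# Constructed sample (not a real policy): same element layout as the one posted above.
SAMPLE = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
 <Rules><Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule></Rules>
 <FileRules><Allow ID="ID_ALLOW_A_1" FileName="*" /></FileRules>
 <Signers>
  <Signer Name="WHQL" ID="ID_SIGNER_WHQL"><CertRoot Type="Wellknown" Value="06" /><CertEKU ID="ID_EKU_WHQL" /></Signer>
  <Signer Name="Code Verification 2006" ID="ID_SIGNER_CV"><CertRoot Type="Wellknown" Value="08" /></Signer>
  <Signer Name="Local KM cert" ID="ID_SIGNER_LOCAL"><CertRoot Type="TBS" Value="PLACEHOLDER" /><CertPublisher Value="Local KM cert" /></Signer>
 </Signers>
 <SigningScenarios><SigningScenario ID="ID_DRIVERS" Value="131"><ProductSigners>
  <AllowedSigners><AllowedSigner SignerId="ID_SIGNER_WHQL" /><AllowedSigner SignerId="ID_SIGNER_CV" /><AllowedSigner SignerId="ID_SIGNER_LOCAL" /></AllowedSigners>
  <FileRulesRef><FileRuleRef RuleID="ID_ALLOW_A_1" /></FileRulesRef>
 </ProductSigners></SigningScenario></SigningScenarios>
</SiPolicy>"""

def audit(xml_text):
    """List (kind, id, reason) findings for the kernel-mode scenario (Value="131")."""
    root = ET.fromstring(xml_text)
    findings = [("option", o.text, REVIEW_OPTIONS[o.text])
                for o in root.findall("p:Rules/p:Rule/p:Option", NS) if o.text in REVIEW_OPTIONS]
    signers = {s.get("ID"): s for s in root.findall("p:Signers/p:Signer", NS)}
    allows = {a.get("ID"): a for a in root.findall("p:FileRules/p:Allow", NS)}
    for sc in root.findall("p:SigningScenarios/p:SigningScenario[@Value='131']", NS):
        for ref in sc.findall(".//p:AllowedSigner", NS):
            s = signers.get(ref.get("SignerId"))
            if s is None:
                continue  # dangling reference, nothing to inspect
            if s.find("p:CertRoot[@Type='Wellknown']", NS) is None:
                findings.append(("signer", s.get("ID"), "not a Wellknown root; confirm the hash is your own certificate"))
            if s.find("p:CertEKU", NS) is None and s.find("p:CertPublisher", NS) is None:
                findings.append(("signer", s.get("ID"), "no EKU or publisher restriction on this root"))
        for ref in sc.findall(".//p:FileRuleRef", NS):
            rule = allows.get(ref.get("RuleID"))
            if rule is not None and rule.get("FileName") == "*":
                findings.append(("filerule", ref.get("RuleID"), "wildcard Allow rule matches every driver file"))
    return findings

if __name__ == "__main__":
    for kind, ident, reason in audit(SAMPLE):
        print(f"{kind:9}{ident}: {reason}")
```

To review a policy on disk before compiling it, pass the file's bytes, for example `audit(open("SiPolicy.xml", "rb").read())`.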

soleera commented 5 months ago

Also, once you have custom driver signing working, you can install SAR with these steps:

  1. Unpack the installer: cd <download folder> ; msiexec /a SynchronousAudioRouter_x64.msi TARGETDIR=<extract dir>
  2. Sign the .cat files: signtool sign /fd sha256 /ac <cert dir>\localhost-root-ca.der /f <cert dir>\localhost-km.pfx /p <password> /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp '<extract dir>\Synchronous Audio Router\SynchronousAudioRouter.cat' '<extract dir>\Synchronous Audio Router\SarNdis\SarNdis.cat'
  3. Run the extracted installer: msiexec /i <extract dir>\SynchronousAudioRouter_x64.msi

Vacyyyy commented 1 month ago

Leaving this here so nobody else wastes the time: self-signing doesn't seem to work on Tiny11.