vadimgrn / usbip-win2

USB/IP Client for Windows
GNU General Public License v3.0

Signed driver #13

Open josephdunne-eaton opened 2 years ago

josephdunne-eaton commented 2 years ago

Is there any hope of getting a signed driver? My organization has policies set which disallow use of test signed drivers.

C:\Program Files\usbip-win2>bcdedit.exe /set testsigning on
An error has occurred setting the element data.
The value is protected by Secure Boot policy and cannot be modified or deleted.
vadimgrn commented 2 years ago

I don't think so. Certification costs money which I'm not going to spend. The second reason is that the driver is under active development and there are still a lot of changes.

vadimgrn commented 2 years ago

The certification will be the primary goal when the driver becomes stable.

josephdunne-eaton commented 2 years ago

I see. That is unfortunate. Thanks for the prompt reply.

paulpv commented 2 years ago

Consider that many games with anti-cheat enabled won't run if they detect Windows is in Test Mode.

@vadimgrn Is there any reasonable workaround for PCs that want to trust this driver to not have to be run in Windows Test Mode?

It seems like test mode is required whenever actively attaching a bound device.

vadimgrn commented 2 years ago

There is no workaround. A certification costs money; at least an Extended Validation (EV) Code Signing Certificate must be purchased. Its cost is about $700 per year (https://www.digicert.com/order/order-1.php).

https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-started-dashboard-submissions

https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/code-signing-reqs#where-to-get-code-signing-certificates

paulpv commented 2 years ago

Thanks @vadimgrn!

Do you think it is possible for a fork with the willingness to pay for its own certificate [and set up a MS account and other obligatory tasks] and get this to work? I am, and it looks like others are too, willing to help fund this repo with a 1 or multi-year cert.

I had recently been reading those and related links before you posted them. :) I'll trod through them, but would love to find a simple but complete ~1 page readme on how to go through the signing process.

Is there any such thing as "evaluation" EV code signing certs to try this out with, to confirm if it will work and would be worth paying the money for? I suspect not, thinking the ability to legitimately sign code with an evaluation cert would defeat the purpose of code signing.

vadimgrn commented 2 years ago

I'm sure that a certificate evaluation isn't available. The simplest way is to make Windows 10 attestation-signed drivers. This means a driver can be used without enabling Test Signing Mode. You don't have to initiate the Hardware Certification process, which could take much time and effort.

P.S. See https://github.com/cezanne/usbip-win/releases

DzzD commented 1 year ago

Hello,

I am looking for a stable & easy version of USBIP for Windows. The last "cezanne" release works great for me (used for a laser engraver and its camera), except that disconnection/reconnection is unstable and requires rebooting either Windows and sometimes the Raspberry server, but this version does not require Test mode, which is great. From what I understood, if the version requires test mode, it is required to stay in test mode as long as we need to use it? That's it?

What is your plan for the future of your version? This is a really great product; do you have any stable release date?

vadimgrn commented 1 year ago

I do not have any release dates. The WDM driver is pretty stable. Signing requires money to buy a certificate which I'm not going to spend. The develop branch has a UDE driver which is stable too, but some devices don't work.

DzzD commented 1 year ago

> which I'm not going to spend

Seems logical. Maybe it could be funded via GitHub sponsorship? Or a different kind of crowdfunding? (Or even selling this product once it is no longer stamped as "probable BSOD".) I would understand having to pay a bit to use it in a non-test mode.

vadimgrn commented 1 year ago

Those interested in a signed driver can donate to purchase an EV Code Signing Certificate. I added two sponsorship methods.

nefarius commented 1 year ago

An EV certificate is only sold to companies, not individuals, in case you didn't know. Also, you will need an Azure AD tenant and to register a Microsoft Partner account; those at least come with no costs as of writing.

Also, the EV cert only grants you submission to Microsoft; it is no longer possible to self-sign kernel drivers with the EV cert directly, that was killed off quite a while ago.

Cheers

vadimgrn commented 1 year ago

Thank you for the information. If I can't buy an EV certificate, this driver will never be signed.

nefarius commented 1 year ago

I shall keep my eye on this project then 😉

vadimgrn commented 1 year ago

There is no hope to release a signed driver :( https://community.osr.com/discussion/292357/driver-signing-options-for-an-independent-developer

nefarius commented 1 year ago

> Microsoft is not interested in hobbyist drivers. Drivers significantly impact system stability and security. They want drivers done by professionals.

This had me spit out my coffee laughing 🤣 I have followed the official fails of components by Microsoft, the "professionals" in this case, and as an open source developer myself have reported countless bugs and fixes to them over the years. This is why I avoid OSR; the elitism is so cringy, it hurts.

alexmi256 commented 1 year ago

> There is no hope to release a signed driver :( https://community.osr.com/discussion/292357/driver-signing-options-for-an-independent-developer

I may try to use a driver signing service once you feel it's stable enough that it's worth investigating

vadimgrn commented 1 year ago

As far as I know, such services are no longer an option since Win10.

nefarius commented 1 year ago

> As far as I know, such services are no longer an option since Win10.

Correct, only one way is left and that is via EV through Microsoft.

levelad commented 9 months ago

Cheapest EV code signing certificate I have found: €749.00 gross for 3 years.

https://shop.certum.eu/certum-ev-code-sigining-code.html

nefarius commented 9 months ago

Also make sure the cert provider is listed as supported by MS as documented here, which Certum appears to be.

levelad commented 9 months ago

Oh, I overlooked IdenTrust; it's even cheaper.

> TrustID EV Code Signing | Organization Identity | Hardware Storage
> 3 Year
> SafeNet USB Token: use existing
>
> Certificate $497.00
> Storage $0.00
> Total $497.00
>
> Free USPS shipping within the U.S. Additional fees may apply for shipping outside of the U.S. Expedited delivery is available.

But my problem is that there is no Windows server stub driver (cezanne) which is signed. And I don't want to put a production system in test signing mode. The cezanne attestation-signed vhci driver for the client works fine.

Trying to pass a SmartCard reader from Server 2022 Hyper-V host to Server 2016 Hyper-V guest. Guess I have to buy a software like USB Redirector.

The whole certification process seems to be quite the hassle according to this blog post:

https://billauer.co.il/blog/2021/05/windows-drivers-attestation-signing/

Schuwi commented 8 months ago

While working on something completely different I just stumbled upon WinBtrfs and was reminded of usbip-win2 when I saw that their driver is apparently signed.

I searched/skimmed the relevant issues and found these: https://github.com/maharmstone/btrfs/issues/35 (especially https://github.com/maharmstone/btrfs/issues/35#issuecomment-331540153) https://github.com/maharmstone/btrfs/issues/270

Thought I'd just drop these here, maybe they help?

nefarius commented 8 months ago

My two cents on these topics since I've walked the walk since Windows 7...

TL;DR: there only exist two official ways to get a kernel driver signed for modern Windows editions (ignoring exploits, stolen certificates, timestamp tampering, UEFI hacks and whatnot):

Extra TL;DR: IMHO, with any approach requiring your user to change stuff like SecureBoot or Code Integrity registry settings or policies, you have already lost. Anti Virus and Anti Cheat solutions more and more look for these options and will cause collateral problems which will force the user to either remove your driver or to give up on their game or whatever DRM protected solution. You can take a guess what most people will abandon first if they're forced to do so 😉

Cheers
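As an added example (not code from this thread or from the usbip-win2 project), the following PowerShell audit reports the settings the comment above says security products key on, and lists loaded kernel drivers whose signature does not verify. It assumes an elevated prompt on a UEFI machine and uses only built-in cmdlets and bcdedit.

```powershell
# Added example: defender-side audit of the driver-signing posture of one machine.
# Reports whether Secure Boot is on, whether test signing or "nointegritychecks"
# is enabled in the BCD, and which running kernel drivers fail Authenticode
# verification. Requires an elevated prompt; Confirm-SecureBootUEFI needs UEFI.

function Get-DriverSigningPosture {
    [CmdletBinding()]
    param()

    # bcdedit only prints "testsigning  Yes" / "nointegritychecks  Yes" when the
    # flag is set. Both flags are blocked while Secure Boot is on, which is the
    # error shown at the top of this thread.
    $bcd         = bcdedit.exe /enum '{current}' 2>&1 | Out-String
    $testSigning = $bcd -match '(?im)^\s*testsigning\s+Yes'
    $noIntegrity = $bcd -match '(?im)^\s*nointegritychecks\s+Yes'

    # Confirm-SecureBootUEFI throws on legacy-BIOS systems; treat that as "off".
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = $false }

    # Enumerate running kernel drivers and verify each binary's signature.
    # Status 'Valid' means the chain ends in a root Windows trusts; test-signed
    # or unsigned drivers come back as NotSigned / UnknownError / NotTrusted.
    $unverified = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise NT-style paths (\??\C:\... or \SystemRoot\...) to Win32 paths.
            $path = $_.PathName -replace '^\\\?\?\\', '' `
                                -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{ Name = $_.Name; Path = $path; Status = $sig.Status }
                }
            }
        }

    [pscustomobject]@{
        SecureBootEnabled  = [bool]$secureBoot
        TestSigningEnabled = [bool]$testSigning
        IntegrityChecksOff = [bool]$noIntegrity
        UnverifiedDrivers  = @($unverified)
    }
}

$posture = Get-DriverSigningPosture
$posture | Select-Object SecureBootEnabled, TestSigningEnabled, IntegrityChecksOff | Format-List
$posture.UnverifiedDrivers | Format-Table -AutoSize
```

A machine that reports TestSigningEnabled or IntegrityChecksOff as True, or any driver in UnverifiedDrivers, is exactly the state that anti-cheat and AV products flag, so this is a useful fleet check before and after deploying a test-signed driver.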

cooljimy84 commented 8 months ago

Pass the device to the host, then pass it through to the guest? Then test mode is on on the host, allowing the driver/device, then share it using Hyper-V to the guest? (RemoteFX USB device or something)

nefarius commented 8 months ago

Using Hyper-V implicitly turns on features like Code Integrity, Memory Integrity, etc. I assume you'd need to have your hypervisor host run in test mode then (I have no idea if that is even possible; never tried it before). Even if so, not practical except for the 5 people worldwide who'd be fine running such a setup.

ashleyw-gh commented 7 months ago

The lack of a signed driver is sadly a no-go for most people. Is there a possibility for the code to be signed by this organisation? https://signpath.org/ https://about.signpath.io/product/open-source "Under the umbrella of the SignPath Foundation, open source projects can apply for a free code signing certificate. In order to use the free certificate, the build process has to be fully automated and integrated with SignPath.io, to ensure that the resulting binary results directly from the source code checked into the repository"

fredemmott commented 7 months ago

> The whole idea behind EV is to only be purchasable by corporate entities, if we ignore a black market situation you can not acquire one as an individual or hobbyist at all.

This isn't really the case: like IV code signing certificates more broadly, several CAs have been willing to issue EV code signing certs to sole proprietorships, but they've not advertised it. The flow usually goes "buy it, then contact support", though ssl.com is now advertising this: https://www.ssl.com/certificates/iv-ev-code-signing/buy/

While this doesn't require an LLC/Ltd./other distinct corporate entity (or the corresponding usually-annual paperwork/filing fees for one), it can require registering "I am doing business under this name" or similar; for example, you can register a 'doing business as' name with Texas with form 503 for $25 every 10 years.

fredemmott commented 7 months ago

> The lack of a signed driver is sadly a no go for most people. Is there a possibility for the code to be signed by this organisation? https://signpath.org/ https://about.signpath.io/product/open-source "Under the umbrella of the SignPath Foundation, open source projects can apply for a free code signing certificate. In order to use the free certificate, the build process has to be fully automated and integrated with SignPath.io, to ensure that the resulting binary results directly from the source code checked into the repository"

SignPath is not (yet?) an option: https://about.signpath.io/product/editions


ashleyw-gh commented 7 months ago

Thanks for seeing that. Because of all of this and no easy solution, I've taken a different approach. For anyone interested... I dug out an old RPI 3B I had in one of my IT cupboards, and I've stuck 2 dongles on that (ANT+ and Bluetooth for cycling equipment) and then used VirtualHere software with the RPI as the USB "server" and my remote GPU-accelerated machine as the client. That way I can use a combination of Moonlight as a UI frontend to a Sunshine service (Nvidia Gamestream equivalent) on a remote Windows VM with RTX3070 GPU passthrough on ESXi. I was nervous of using VirtualHere because the license is locked to a single server, but I thought using the RPI just for that purpose means the worst that can happen is the SD card in the RPI might die, but the license is tied to the RPI serial number which persists for the life of the device even after SD card swaps. I always prefer to use open source for this type of connectivity, but ultimately US$49 to me was worth the price rather than spending hours of time and money battling with signing kernel drivers for Windows. If at some stage in the future this usbip-win2 fork can be signed I'll re-look to see how it compares to VirtualHere.

If anyone is interested, about 14 years ago we were dealing with hardware security dongles for bank software development, and at the time we ended up running with a Digi AnywhereUSB (G2), but then found a Belkin F5L009 that was about 1/5th of the price. But again these solutions are dependent on the continued availability of signed kernel drivers for Windows, and even back then problems of device drop-outs etc. were common.

eriklundh commented 7 months ago

I am looking into attestation signing for another project. I found this recent Microsoft post: https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/code-signing-attestation. It is three years more recent than e.g. the OSR post linked previously. It seems like MS might have made attestation signing more approachable for independent developers by excluding drivers signed by attestation from being distributed through Windows Update.

alexmi256 commented 7 months ago

For those using Windows 11 below 23H2 you might be able to use https://github.com/Flerov/TS-Changer to change signing mode on the fly. I also found a seller on Taobao supposedly offering EV Signing (782309659071) for $320US but I didn't ask for details.

eebssk1 commented 1 month ago

> For those using Windows 11 below 23H2 you might be able to use https://github.com/Flerov/TS-Changer to change signing mode on the fly. I also found a seller on Taobao supposedly offering EV Signing (782309659071) for $320US but I didn't ask for details.

I think they only sign the binary with the certificate itself, not through the Windows hardware certification lab. You need to sign through the WHQL lab for the driver to load.

eriklundh commented 1 month ago

I recently learned from an independent dev, and verified it with a senior MS engineer, that you can sign up for developer accounts for Microsoft Store that bring you some kind of EV signing path for apps. It seems to be a one-time fee of about 20 USD for an individual dev, about 100 USD for a company. The trick is that the "Microsoft Store" signs the package, even if the price is 0 USD. Once your identity is verified, you, or your buildbot, can upload your installer package to Microsoft Store; there is some automated vetting, then it gets signed, apparently with a one-year certificate. You can point to Microsoft Store, or download the package with WinGet and put it as a signed package on your own website, or GitHub. Just beware of the expiration date of each installer package.

https://learn.microsoft.com/en-us/windows/apps/publish/partner-center/account-types-locations-and-fees

I have read elsewhere that Microsoft plans to stop distributing third party drivers with Windows Update. Instead MS wants vendors to distribute through Microsoft Store, without any requirement that a package should be a cost to the end user.

But I have not yet tried the Microsoft Store route to code signing myself, since I am currently on my third month trying to get Azure Trusted Signing to work for signing my own apps, but that is about 10 USD per month, forever.

/Erik

On Fri, Oct 25, 2024 at 4:16 PM EBK21 @.***> wrote:

> For those using Windows 11 below 23H2 you might be able to use https://github.com/Flerov/TS-Changer to change signing mode on the fly. I also found a seller on Taobao supposedly offering EV Signing (782309659071) for $320US but I didn't ask for details.
>
> I think they only sign the binary with the certificate itself, not through the Windows hardware certification lab. You need to sign through the WHQL lab for the driver to load.


delebash commented 3 days ago

As another user stated https://signpath.org/ is free for open source and looks like it is easy to use with github @vadimgrn Any plans for this? TY.

eebssk1 commented 3 days ago

> As another user stated https://signpath.org/ is free for open source and looks like it is easy to use with github @vadimgrn Any plans for this? TY.

Kernel signing requires an EV certificate and it's only for companies. Also https://github.com/vadimgrn/usbip-win2/issues/13#issuecomment-2437935754

eebssk1 commented 3 days ago

@vadimgrn consider locking or moving the issue to a discussion and clarifying that personal certification is useless for driver signing.

vadimgrn commented 3 days ago

There is nothing to discuss; only a company may purchase an EV certificate.

The most realistic way is that someone who owns a company will build and sign the driver out of goodwill or for the price of an EV certificate.

nefarius commented 2 days ago

> The most realistic way that someone who owns the company will build and sign the driver out of goodwill or for the price of an EV certificate.

Maybe I know someone who knows someone...

eebssk1 commented 2 days ago

In the meantime, there are other ways to load the driver without an EV signer.

Allow you to load unsigned/self-signed drivers without test mode: https://github.com/Mattiwatti/EfiGuard

Become the certificate root of your system and load any drivers signed by yourself: https://github.com/valinet/ssde