Github Actions workflow to create exe/msi package, with valid driver signature #6

Open
bpetit opened this issue May 11, 2023 · 9 comments
@bpetit
Contributor

bpetit commented May 11, 2023

Procedure to sign the driver has been validated.

We now have to:

  • confirm this procedure with a valid/paid certificate => ensure that installation is smooth then (no warning)
  • automate the creation of a signed msi/exe + sharing it for each tag/release
  • automate testing the installation on a Windows Server machine => GitHub Actions workflow

@TheElectronWill

I'm curious to see how you get the driver's certificate. Do you need to pay something to Microsoft every year?

@adelnoureddine

Hi @bpetit, is there an ETA when the driver will be signed, and therefore easier to deploy as an msi/exe?

@bpetit
Contributor Author

bpetit commented Nov 10, 2023

Hi,

It's a matter of days now

@bpetit
Contributor Author

bpetit commented Nov 10, 2023

@TheElectronWill yes, you need to pay for an EV certificate with a Microsoft partner, then sign an hlkx archive you get from HLK Studio running tests on your driver, then send it to MS.

It was a long journey, I'll try to document that somewhere.

@adelnoureddine

Does this mean that Hubblo/Scaphandre or the community will not provide a signed installer for the driver to use everywhere?
i.e., like Intel Power Gadget where the user won't have to worry about signatures.

@bpetit
Contributor Author

bpetit commented Nov 10, 2023

We will provide for sure an installer containing both scaphandre and the signed driver (exactly like Intel Power Gadget that includes a userland software and a signed driver).

We will also (and just did on the 0.0.4 release page) publish the signed .sys/.cat files of the driver (+unsigned .inf file), that anyone could embed in an installer.

Providing a package with only the driver inside is not a priority however, but forking the iss config file available in the scaphandre repository one could make a new iss config only embedding the driver and create a specific installer.
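
For anyone embedding the published .sys/.cat files in their own installer, as the comment above suggests, the following added example (not part of the thread and not the project's own tooling) shows a PowerShell check that can gate a packaging or CI step on those files carrying a valid Authenticode signature. The function name, the directory layout and the optional signer pattern are assumptions.

```powershell
# Added example: fail a packaging step unless the driver files are validly signed.
# Test-DriverSignature and its parameters are hypothetical names, not project code.
function Test-DriverSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DriverDir,
        # Optional regex that the signer certificate subject must match (caller-supplied).
        [string] $ExpectedSignerPattern
    )

    # Only .sys and .cat are checked: per the thread, the .inf is published unsigned.
    $files = Get-ChildItem -Path $DriverDir -File |
        Where-Object { $_.Extension -in '.sys', '.cat' }
    if (-not $files) { throw "No .sys or .cat files found in $DriverDir" }

    $results = foreach ($file in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        $signerOk = (-not $ExpectedSignerPattern) -or ($signer -match $ExpectedSignerPattern)
        [pscustomobject]@{
            File        = $file.Name
            Status      = $sig.Status
            Signer      = $signer
            # A countersigned timestamp keeps the signature valid after the cert expires.
            Timestamped = [bool]$sig.TimeStamperCertificate
            Passed      = ($sig.Status -eq 'Valid') -and $signerOk
        }
    }

    $results | Format-Table -AutoSize | Out-Host
    $failed = @($results | Where-Object { -not $_.Passed })
    if ($failed.Count -gt 0) {
        throw "Signature check failed for: $($failed.File -join ', ')"
    }
    return $results
}

# Usage in a build step; .\driver is a hypothetical path to the downloaded files.
# Test-DriverSignature -DriverDir .\driver
```

A `Status` other than `Valid` (for example `NotSigned` or `HashMismatch`) means the file was never signed or was modified after signing, and the installer build should stop.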

@adelnoureddine

Thanks @bpetit.

@JohnAZoidberg

JohnAZoidberg commented Oct 29, 2024

Hi, I'm also trying to build an open source Windows driver and I wonder how you signed this one. The way to sign drivers has apparently changed recently and I find the Microsoft docs very confusing.

Did you just use signtool and do the following?

signtool.exe sign /fd SHA256 /tr http://ts.ssl.com /td sha256 ScaphandreDrv.cat

Where have you got your EV cert and private key? I've got both in a FIPS yubikey.

After this signing you ran HLK on it and submitted those results to Microsoft's WHQL website?
Only then when they signed it, are we able to load the driver on devices without testmode, right?
Thanks! :)

@bpetit
Contributor Author

bpetit commented Nov 4, 2024

Hi @JohnAZoidberg

This is actually a hell of a process, thanks to MS.

I have a very raw documentation for this, but it is still in French, I didn't take the time to translate it properly. I just added the quick and dirty Google translation in the README: https://github.com/hubblo-org/windows-rapl-driver/?tab=readme-ov-file#how-to-sign-the-driver-ms-validated-avoiding-test-mode

Beware that the first step, get an EV certificate, can be long and costly (and if you have an old smartphone like me, it could be a mess too).
