Attestation Signing — It’s NOT a Mystery

All of a sudden, you can’t load your driver on 64-bit Windows.  It works sometimes.  But it won’t install or load when Secure Boot is enabled.

You heard something about needing an EV Certificate… you got one… it doesn’t help.

What do you do now?

Over the past few weeks, we’ve been contacted by several folks — clients and non-clients alike — with a variation on the above story, in various levels of panic.  What they have in common is that they’re all absolutely mystified by the process that’s required to get their drivers to install under certain circumstances on newer versions of Windows.

Luckily, fixing this problem is not difficult or complicated… it’s just confusing and obscure.

First, understand that under certain conditions, your driver needs to be signed by Microsoft in order for it to load.  These conditions include clean installations of recent versions of Windows 10 and a system with Secure Boot enabled.

There are two ways you can get your driver signed by Microsoft:

  1. The traditional/hard way: You can run, and pass, the entire suite of Hardware Lab Kit tests, and then submit your results to Microsoft.  That’s real effort — not entirely useless effort, by the way, given that running the HLK tests on your driver is considered a best practice.  But passing all those tests can take time and be difficult for certain drivers.
  2. The easy way:  You can submit your driver for Attestation Signing, and have your signed driver package and executable back in your hands within 30 minutes or less (typically).

You read correctly:  You can get the signature necessary to install and load your driver without having to pass any tests, and just by submitting your driver and downloading the signed package.

It’s easy.  And, best of all, the Microsoft documentation team has actually put together a nice, clear article that describes everything you need to know: Attestation Signing a Kernel Driver for Public Release.

The only thing you probably want to know is that instead of the hideous Microsoft MakeCab utility, you can use a nice little (free) GUI utility named IZArc (that’s an “I” not an “L”), that you can download from here.  I’ve mentioned this app before in an earlier blog post on this topic, but to be clear:  No, I have no relationship to and don’t know anything about the author of this utility. But his utility worked for me just fine.

Sooooo…

  • Get your company an EV Cert.  I know it’s unreasonably expensive, but just grimace and pay the ridiculous price, it’s not your money and there’s no other alternative.
  • Using the EV Cert, sign up for an account on the Microsoft Hardware Dev Center.  This will require that you claim to have read and agree to a pile of documents, and that you sign a dummy file with your very expensive EV Cert and upload it.
  • Take your driver package and create a CAB file out of it.
  • Sign into the Microsoft Hardware Dev Center, indicate that you want to make an Attestation Signing submission, and then drag and drop your CAB file into the portal.
  • Wait a bit.
  • Download the signed package containing your signed executable.

Lest you think the above instructions are overly brief, go read the article on Microsoft.com that I linked above.  It basically says the same thing.

Before you ask:  Yes, we’ve done this here at OSR.  Multiple times.  It really is this simple.
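
As an added example (not from the original post or from Microsoft's article), here is a PowerShell check to run on the package downloaded in the last step, confirming that every .sys and .cat file in it carries a valid signature from the expected publisher before you deploy it. The folder path and the publisher name are assumptions; adjust them to your package.

```powershell
# Added example: verify the signatures on a driver package returned by the portal.
param(
    # Hypothetical path to the extracted, signed package.
    [string]$PackageDir = 'C:\Drivers\MyDriver-signed',
    # Assumed publisher name on Microsoft-signed driver files; change it if yours differs.
    [string]$ExpectedSigner = 'Microsoft Windows Hardware Compatibility Publisher'
)

function Test-DriverPackageSignature {
    param([string]$Path, [string]$Signer)

    # The driver binary and the catalog are the files that must carry the signature.
    $files = Get-ChildItem -Path $Path -Recurse -File -Include *.sys, *.cat
    if (-not $files) { throw "No .sys or .cat files found under $Path" }

    foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        # Unsigned files have no signer certificate at all.
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            File   = $f.Name
            Status = $sig.Status
            Signer = $subject
            # Pass only if the signature validates AND the publisher is the expected one.
            Ok     = ($sig.Status -eq 'Valid') -and ($subject -like "*CN=$Signer*")
        }
    }
}

$results = @(Test-DriverPackageSignature -Path $PackageDir -Signer $ExpectedSigner)
$results | Format-Table -AutoSize -Wrap

if ($results.Ok -contains $false) {
    Write-Error 'At least one file is unsigned, invalid, or signed by an unexpected publisher.'
    exit 1
}
```

A file that is signed only with your own certificate fails the publisher check here, which is the case that will not load with Secure Boot enabled.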