Github Actions workflow to create exe/msi package, with valid driver signature

[bpetit]

Procedure to sign the driver has been validated.

We now have to:

• confirm this procedure with a valid/paid certificate => ensure that installation is smooth then (no warning)
• automate the creation of a signed msi/exe + sharing it for each tag/release
• automate testing the installation on a windows server machine => Github Actions workflow

[TheElectronWill]

I'm curious to see how you get the driver's certificate. Do you need to pay something to Microsoft every year?

[adelnoureddine]

Hi @bpetit, is there an ETA when the driver will be signed, and therefore easier to deploy as an msi/exe?

[bpetit]

Hi,

It's a matter of days now

[bpetit]

@TheElectronWill yes you need to pay for an EV certificate with a microsoft partner, then sign an hlkx archive you get from hlk studio running tests on your driver, then send it to MS.

It was a long journey, I'll try to document that somewhere.

[adelnoureddine]

Does this mean that Hubblo/Scaphandre or the community will not provide a signed installer for the driver to use everywhere?
i.e., like Intel Power Gadget where the user won't have to worry about signatures.

[bpetit]

We will provide for sure an installer containing both scaphandre and the signed driver (exactly like Intel Power Gadget that includes a userland software and a signed driver).

We will also (and just did on the 0.0.4 release page) publish the signed .sys/.cat files of the driver (+unsigned .inf file), that anyone could embed in an installer.

Providing a package with only the driver inside is not a priority however, but forking the iss config file available in the scaphandre repository one could make a new iss config only embedding the driver and create a specific installer.

[adelnoureddine]

Thanks @bpetit.

[JohnAZoidberg]

Hi, I'm also trying to build an open source Windows driver and I wonder how you signed this one. The way to sign drivers has apparently changed recently and I find the Microsoft docs very confusing.

Did you just use signtool and do the following?

signtool.exe sign /fd SHA256 /tr http://ts.ssl.com /td sha256 ScaphandreDrv.cat

Where have you got your EV cert and private key? I've got both in a FIPS yubikey.

After this signing you ran HLK on it and submitted those results to Microsoft's WHQL website?
Only then when they signed it, are we able to load the driver on devices without testmode, right?
Thanks! :)

[bpetit]

Hi @JohnAZoidberg

This is actually a hell of a process, thanks to MS.

I have a very raw documentation for this, but it is still in french, I didn't take the time to translate it properly. I just added the quick and dirty google translation in the README : https://github.com/hubblo-org/windows-rapl-driver/?tab=readme-ov-file#how-to-sign-the-driver-ms-validated-avoiding-test-mode

Beware that the first step, get an EV certificate, can be long and costly. (and if you have an old smartphone like me, it could be a mess to).