Hi All,
We are building our own version of Veracrypt with a minor tweak to suit our embedded systems. We sign our code with a standard (not EV) code signing certificate. All was well until people tried to install our version on systems with UEFI secure boot enabled: users got the messages "Windows cannot verify the digital signature for this file..." and "A digitally signed driver is required...."
I have not had to sign software before so this is new to me. I have been reading the copious Microsoft documentation on this but I must admit it is confusing me as it appears to contradict itself in places. What are the steps we need to take to correctly sign the code, and do we need an EV certificate to do this?
Thanks in advance
Andrew
Hi Andrew,
Yes, an EV code signing certificate is mandatory for signing drivers. Moreover, starting from Windows 10 version 1607 (Anniversary Edition), drivers must be submitted to the Dev Portal in order to be signed by Microsoft (at least for new installations of Windows 10 version 1607).
You can find more details at https://www.osr.com/blog/2016/06/02/driver-signing-details-emerge/
Thanks for your very helpful reply
Hi,
After (finally) getting an EV certificate & registering with Microsoft, I'm trying to get the files signed by Microsoft. However, I'm beginning to think my approach is wrong.
Microsoft do not allow the upload of the complete installer .exe to their site for signing, but they do allow upload of .CAB files. I extracted the files from the .exe, created a .CAB file, signed it & uploaded it to their site. I'm expecting to be able to get back a signed version which I can then add extrac32 to in order to create the final .exe. I'm afraid, as a newbie to this, I am getting errors (the latest is a missing .INF file, which I am sure I'll be able to fix), but this approach appears so convoluted compared to the previous rather neat build process that I am beginning to think I am not going down the correct path. Is what I am doing correct, or is there a better (neater) way?
Thanks in advance
Andrew.
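As an added diagnostic example (not from this thread or the VeraCrypt project), the PowerShell check below explains why a driver is rejected on a Secure Boot machine: it reports the Secure Boot state, the driver's Authenticode signature and the signer chain, and flags a driver that is signed only with the publisher's own EV certificate rather than by Microsoft. It assumes Windows PowerShell 5.1 run as Administrator, a placeholder driver path, and that Microsoft-issued driver signatures chain through a "Microsoft Windows ..." CA (an assumption, not something the thread states).

```powershell
# Added diagnostic, not part of the original thread. Run elevated on the
# machine that shows "Windows cannot verify the digital signature".
param([string]$DriverPath = 'C:\path\to\driver.sys')   # placeholder path

# 1. Is Secure Boot actually enforced? Confirm-SecureBootUEFI throws on
#    legacy BIOS machines, so treat that as "not enforced".
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = $false; Write-Warning "Not a UEFI Secure Boot system: $_" }
"Secure Boot enabled : $secureBoot"

# 2. Does the file carry a valid Authenticode signature at all?
#    Note: this cmdlet reports only the primary signature of a dual-signed file.
$sig = Get-AuthenticodeSignature -FilePath $DriverPath
"Signature status    : $($sig.Status) ($($sig.StatusMessage))"
if (-not $sig.SignerCertificate) { return }
"Signer              : $($sig.SignerCertificate.Subject)"
"Issuer              : $($sig.SignerCertificate.Issuer)"
"Timestamped         : $([bool]$sig.TimeStamperCertificate)"

# 3. Walk the signer chain. With Secure Boot on, Windows 10 1607+ only loads
#    a newly installed driver that carries a Microsoft signature (Dev Portal
#    attestation or WHQL); a publisher's EV certificate alone is not enough.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline view; Windows checks revocation itself
[void]$chain.Build($sig.SignerCertificate)
$chain.ChainElements | ForEach-Object { "  chain: $($_.Certificate.Subject)" }

# Assumption: Microsoft-issued driver signatures come from a CA whose name
# contains "Microsoft Windows" (e.g. the Third Party Component CA used for
# attestation signing). A cross-signed EV chain will not match this.
$microsoftSigned = @($chain.ChainElements | Where-Object {
    $_.Certificate.Subject -like '*Microsoft Windows*' -or
    $_.Certificate.Issuer  -like '*Microsoft Windows*' }).Count -gt 0
"Microsoft-signed    : $microsoftSigned"

if ($secureBoot -and -not $microsoftSigned) {
    Write-Warning "Driver is not Microsoft-signed; with Secure Boot enabled, expect the 'digitally signed driver is required' error on a fresh install."
}
```

A chain that ends at the EV issuer's root (with no Microsoft element) on a Secure Boot machine is the situation described in the first post; the same file will typically load fine on a machine with Secure Boot disabled.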