Microsoft has announced that it is ending the ability to cross-sign drivers, effective 1 July 2021

Discussion in 'PC' started by Gyro Gearloose, Oct 29, 2020.

  1. Gyro Gearloose

    Gyro Gearloose Audiosexual

    Joined:
    Jul 8, 2019
    Messages:
    4,235
    Likes Received:
    1,849
    Location:
    Germany
    https://www.osr.com/blog/2020/10/15/microsoft-driver-updates-allowed-win7-win8/

    thx recoil
    --
    Microsoft has announced that it is ending the ability to cross-sign drivers, effective 1 July 2021. This will effectively make it impossible to release new or updated drivers for Windows 7, Windows 8, and Windows 8.1 systems, including Server 2012 R2. This is not an exaggeration.

    The only option that will remain available to devs who want to release drivers for versions of Windows other than Windows 10 will be to have those drivers pass HLK/WHQL testing. Unfortunately, not all drivers are even eligible for HLK/WHQL testing, and even for those that are eligible, getting some drivers to pass the HLK/WHQL tests is effectively impossible.

    I know this sounds like I’m exaggerating. But it’s actually the current plan of record. Read on.

    Let’s Review: Driver Signing Options Available in 2020
    I think we all know that Windows drivers need to be digitally signed in order to allow them to be installed and used. As of today, October 2020, there are three options for this signing:

    1. Attestation Signing — This applies to Windows 10 only. You create an account on the Microsoft Partner Center Developer Dashboard. When you have a driver package you want to release to the world, you sign it with your Code Signing Certificate, you upload it to the Dashboard, and Microsoft signs the package for you. You can then download the package and release it however you wish.

      This “works” because your Developer Dashboard account unambiguously identifies you to Microsoft, and Microsoft’s signature allows your driver to be installed.

    2. Cross Signing — This applies only to versions of Windows prior to Windows 10. You sign your driver package using your Code Signing Certificate and a “Cross-Certificate.”

      This “works” because you have proved your identity to the satisfaction of your Certification Authority (a level of proof that varies widely) that issued your Code Signing Certificate. The Cross-Certificate identifies the Certification Authority as one that Microsoft trusts. Together, your cert and the cross-cert allow your driver to be installed.

    3. Passing the HLK (historically called the WHQL) Tests — This applies to all versions of Windows. You install and run the tests defined by the Windows Hardware Lab Kit (HLK), which is easier said than done. The HLK produces a log file, which you sign and upload to the Microsoft Partner Center Developer Dashboard along with your driver package. The Dashboard reviews the HLK results, and if all goes well you download your signed driver package.

      This “works” for the same reason that Attestation Signing works: Your Developer Dashboard account unambiguously identifies you to Microsoft, and Microsoft’s signature on your driver package allows your driver to be installed.

    Microsoft’s Plan: Cross-Signing is Dead
    As of 1 July 2021, Microsoft is eliminating option #2, Cross-Signing. This will leave passing the HLK the only option for releasing drivers for Windows versions other than Windows 10.

    Microsoft first announced this plan back in July 2019. And, quite frankly, we didn’t believe it. Like so many such misbegotten ideas (remember “All drivers must pass WHQL or they won’t load on Windows Server”) we hoped that the doc writers were misinformed and/or that the policy folks at Microsoft were floating this idea to gauge the community’s reaction.

    Since this announcement we here at OSR have consistently engaged with Microsoft in an attempt to determine the true plan for going forward. As I wrote to one of my colleagues at Microsoft back in September 2019:

    I am certainly hoping I fundamentally misunderstand something here.

    But IF this is correct, this is a huge mistake. It’s basically Armageddon. And that’s no exaggeration. The vast majority of the drivers written by third parties out here in the world must install on production Win7 systems or later. If we can’t cross-sign them, and we can’t attestation sign them… how do we write new drivers that will load on non-Win10 systems?

    While our friends have certainly been both concerned and collaborative they have not been able to offer a definitive statement that says anything other than what’s been published.

    At one point I did hear a rumor that Attestation Signing would be extended to support Windows versions prior to Windows 10 (recall, that Attestation Signing only works for Windows 10 today). And now I’m not hearing anything about that possibility at all.

    So… Just Pass The HLKs?
    Some of you might be thinking: We can still just run and pass the HLKs, so we’ll be OK! I can only guess that the only people thinking this are those who either (a) already run/pass the HLKs, or (b) have never before bothered to try to run and pass the HLKs.

    Installing and running the HLKs is a heavyweight, time-consuming, and often arduous, frustrating, and often annoyingly arbitrary process. It is primarily designed for testing hardware components for compatibility — and not really aimed at validating the vast eco-system of potential Windows drivers.

    Many types of Windows drivers are not eligible for testing by the HLKs. Many common types of Windows drivers — such as many filter drivers — fall into no specific testing category and basically force a test team to choose an arbitrary set of tests to run and attempt to pass. This is the HLK equivalent of forcing a square peg into a round hole. For example, let’s say you have a set of drivers that implement a feature that prevents permanent writes to a disk drive, like Windows Unified Write Filter. You test this entire complex of drivers as a disk drive, right? Obviously. Or not.

    Some types of drivers are theoretically eligible for HLK testing, but because of the specifics of the HLK tests have no chance of ever passing. An excellent example of drivers in this category are File System Isolation Minifilters. There are existing HLK tests that are inherently incompatible with the purpose of many such filters. As just one example, consider the case of an Isolation Minifilter that provides transparent encryption. A common feature of such drivers is that encrypted files often include some sort of metadata (groups, and keys, and such). An HLK test might write a file, close the file, and then query the file’s allocation size. Because the test “knows” the allocation policy of the underlying file system, it thinks it “knows” exactly how big the file should be on disk. But our encrypting Minifilter, in doing the work for which it is designed, changes the allocated file size by allocating space for metadata. The test therefore fails. There is no way to change this behavior in a way that will make both applications and the test happy.

    Another example of drivers that could theoretically — but not realistically — pass HLK testing, are drivers for devices that run on special-purpose systems that themselves will never work as an HLK client. When the hardware can’t be separated from the system, and the system does not support running the HLKs, there’s no chance for such devices to ever pass the tests.

    There are also devices that do not support the full range of behaviors that the HLKs enforce. For example, it is not the least bit uncommon for devices in certain embedded systems to expect to never be powered off. It might be possible, maybe, to get some of these devices to pass the HLKs with a massive amount of effort. But that’s still only some, and not all.

    The HLKs were never intended to be a quality bar for drivers for special purpose devices on purpose-built systems. The HLKs are compatibility tests to ensure that common devices work well with Windows, and provide users with the experience they expect, on common servers and desktop machines. And while passing the HLKs is certainly a best practice it’s just not realistic for every device, on every system.

    If This Doesn’t Change Lots of Folks Are Screwed
    Make no mistake: If this policy doesn’t change, the Windows driver ecosystem — and many big Windows users all over the world — are going to be in serious trouble.

    Windows 8.1 and Windows Server 2012 R2 are still under Extended Support by Microsoft, and will remain supported until January 2023. Windows Embedded 8 and Windows Embedded 8.1 are supported by Microsoft through July of 2023.

    So, Microsoft is still supporting these versions of Windows but IHVs, ISVs, and OEMs will not be able to release updated drivers for these supported OS versions under this plan.

    If this proposal doesn’t change, customers using these OS versions will be positively screwed. How? Let me provide some examples.

    In the past few years, here at OSR we have written brand new drivers for special-purpose systems that have been targeted at versions of Windows other than Windows 10. These are embedded-type systems used in medical equipment, homeland security hardware, and lab equipment.

    If this proposal doesn’t change, we will not be able to support or update these drivers. So… “Sorry, big government contractor… that big, multi-million dollar piece of equipment that you build for the government? We know you found a bug, but we can’t update the drivers anymore, because of Microsoft’s policy.”

    We regularly enhance and support products that are installed by commercial clients on (no exaggeration) hundreds of thousands of systems worldwide. Products that provide intellectual property protection and document security for companies and governments in the US, Canada, Europe, and all throughout Asia.

    If this proposal doesn’t change, we will not be able to update these drivers. “Sorry, healthcare providers and big financial institutions! Sorry high-tech firms! We can’t add features to or fix any bugs that get found in your document security system. Microsoft won’t let us update the drivers.”

    We have heard loudly, clearly and persistently, from the community at large and from our own clients, that the vast majority of drivers written today need to work on Windows versions dating back to Windows 7.

    If this proposal doesn’t change, we will not be able to update the vast majority of these drivers.

    We Can Change This — It’s Not Too Late
    One thing with which I have historically credited Microsoft is their willingness to listen to the community, and change their course when necessary.

    Two examples from recent history illustrate this very clearly.

    The first example was Microsoft’s plan that required an EV Certificate to be used to submit HLK results and driver packages to the Developer Dashboard. While it probably sounded like a reasonable requirement, here at OSR we noted that this would make life exceptionally difficult (if not impossible) for distributed organizations. Let’s say your dev team is in the UK and your test team is in the US. If your dev team’s management arranged for your Developer Dashboard account, how do they get the EV Certificate (which is irrevocably locked onto a particular hardware token) to the test team, so the test team can submit the HLK results? It just doesn’t work.

    When we discovered this, we brought the problem to the attention of the community. We asked OEMs, IHVs, and ISVs to have their executives raise this issue with Microsoft. They did this, and the policy was changed.

    Another example, mentioned earlier, was Microsoft’s plan to require that all drivers installed on Windows Server systems pass the HLKs. Again, the OEM, IHV and ISV community spoke up loudly and clearly about why this plan was perhaps well-intentioned but unrealistic. The policy was changed.

    Now Is The Time To Speak Up
    Requiring drivers to pass the HLKs in order to load on versions of Windows prior to Windows 10 is effectively no option at all.

    If you agree with this, it’s critically important that you alert your colleagues to this problem. Explain to them the pain this will cause. Encourage your management team to raise this issue with their Microsoft contacts. We know from past experience that Microsoft values the opinions of OEMs, IHVs, and ISVs. We know from experience that Microsoft will listen to pushback on plans that may sound good in theory, but that the community recognizes are not workable in practice. We know from experience that Microsoft will change these plans, when the flaws are made clear.

    But you must act. You’ve got to raise this issue with your colleagues and your managers. Help them understand the criticality of this issue. You cannot wait until July 2021, when this policy goes into full effect, to act. You must act now.
     
    • Interesting x 8
    • Like x 2
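    The three signing options the quoted post lists each leave a recognisable fingerprint in a driver's Authenticode signature, so a practitioner can tell from a file which path a vendor relied on. The PowerShell script below is an added example, not code from the OSR post or from anyone in this thread. It classifies a driver file by the signer's subject name and by the Enhanced Key Usage OIDs on the signer certificate. The certificate names and OIDs are the ones Microsoft uses for its driver-signing programs (attested verification 1.3.6.1.4.1.311.10.3.5.1, HLK/WHQL verification 1.3.6.1.4.1.311.10.3.5, the "Microsoft Windows Hardware Compatibility Publisher" signer, and the "Microsoft Code Verification Root" that cross-certificates chain to); check them against current documentation before relying on them. A file signed directly with a vendor certificate is reported only as a cross-signing candidate, because the cross-certificate sits inside the PKCS#7 signature blob and is best confirmed with `signtool verify /kp /v`.

```powershell
# Added example, not code from the OSR post or anyone in this thread.
# Classifies how a driver file (.sys, .dll or .cat) was signed, mapping it to the
# three options the post lists. Certificate names and EKU OIDs are the ones
# Microsoft uses for its driver-signing programs; verify against current docs.
$AttestedEku   = '1.3.6.1.4.1.311.10.3.5.1'   # Windows Hardware Driver Attested Verification
$WhqlEku       = '1.3.6.1.4.1.311.10.3.5'     # Windows Hardware Driver Verification
$MsHwPublisher = 'Microsoft Windows Hardware Compatibility Publisher'

function Get-DriverSigningPath {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # Collect Enhanced Key Usage OIDs from the leaf (signer) certificate.
    $ekus = @()
    if ($cert) {
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }
    }

    if (-not $cert) {
        # A package whose signature lives only in its .cat shows up here when you
        # point the function at the .sys; run it against the .cat instead.
        $kind = 'No embedded signature (check the package .cat file)'
    } elseif ($cert.Subject -like "*$MsHwPublisher*" -and $ekus -contains $AttestedEku) {
        $kind = 'Attestation-signed (loads on Windows 10 only)'
    } elseif ($cert.Subject -like "*$MsHwPublisher*" -and $ekus -contains $WhqlEku) {
        $kind = 'HLK/WHQL-signed (loads on all supported Windows versions)'
    } elseif ($cert.Subject -like "*$MsHwPublisher*") {
        $kind = 'Microsoft Partner Center signed (EKU not recognised)'
    } elseif ($cert.Subject -like 'CN=Microsoft Windows*') {
        $kind = 'Microsoft inbox driver'
    } else {
        # A vendor certificate here means the package relied on cross-signing to load
        # before Windows 10. The cross-cert chain to "Microsoft Code Verification Root"
        # is inside the PKCS#7 blob, so confirm with:  signtool verify /kp /v <file>
        $kind = 'Vendor-signed (cross-signing candidate; confirm with signtool verify /kp /v)'
    }

    [pscustomobject]@{
        File        = $Path
        Status      = $sig.Status
        Signer      = if ($cert) { $cert.Subject } else { $null }
        Timestamped = [bool]$sig.TimeStamperCertificate
        SigningPath = $kind
    }
}

# Usage: survey the local drivers directory to see the mix on this machine.
Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter *.sys -ErrorAction SilentlyContinue |
    ForEach-Object { Get-DriverSigningPath -Path $_.FullName } |
    Group-Object SigningPath |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

    The Timestamped column matters for the cross-signing case in particular: a cross-signed driver whose signature was not timestamped stops validating once the vendor certificate expires, while a timestamped one keeps validating, which is why existing pre-Windows 10 drivers continue to load even after the deadline the post describes.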
  3. SineWave

    SineWave Audiosexual

    Joined:
    Sep 4, 2011
    Messages:
    4,431
    Likes Received:
    3,569
    Location:
    Where the sun doesn't shine.
     
  4. studio5599

    studio5599 Producer

    Joined:
    Sep 25, 2011
    Messages:
    987
    Likes Received:
    91
    Why would you want old versions of Windows anyway? Especially Windows 7: no USB3, no Thunderbolt, memory is limited, and much more old and outdated Windows drivers. Get with the times, Windows 10 for President :woot:
     
    • Agree x 3
    • Disagree x 3
    • Like x 2
    • Funny x 2
  5. Mud Jones

    Mud Jones Platinum Record

    Joined:
    Sep 20, 2018
    Messages:
    240
    Likes Received:
    208
    Location:
    N.Y. USA
    Cool, everybody can finally dump all the old shit and we can get back to innovating again instead of worrying about how to run the latest tech on windows 95.

    :)
     
    • Funny x 5
    • Agree x 3
    • Like x 2
  6. Kluster

    Kluster Audiosexual

    Joined:
    Jan 1, 2018
    Messages:
    705
    Likes Received:
    652
    Win 10 is a pain but it's the only way to go, for me anyway.
    I'm not about to spend hundreds of hours trying to put modern software or hardware on a stone age OS.
     
  7. phumb-reh

    phumb-reh Guest

    This is not true by the way, MS will still support, say XP, but it's big bucks to get them to do it. If it's really a multimillion thing, it's affordable.

    I'm not a big Microsoft fan, but seriously, it's not like they're making a weird move by not supporting an OS that's been EOL for a couple of years by then, an OS that will not have new hardware made for it. Unless it's very specialized purpose built shit, but then the paid support thing applies again.
     
  8. SineWave

    SineWave Audiosexual

    Joined:
    Sep 4, 2011
    Messages:
    4,431
    Likes Received:
    3,569
    Location:
    Where the sun doesn't shine.
    As they say: to each their own. :) I run the latest Debian Linux on my main computer, a laptop, and a NAS [OpenMediaVault NAS uses Debian Linux], so nobody can say I'm running some "old shit". :wink:

    But music workstation is another thing, and W7 is just less problematic to set up, XP even more so. If you work with music professionally, you pick the OS that runs your stuff the best and most stable and efficient. Kinda like you should let your hardware pick what OS you should use as a music workstation OS. :yes:

    When it comes to W10, I wouldn't even think about using it if it weren't for the LTSC version of it. That one is OK, but I have a stable setup, 4 networked computers [1 for NAS, 3 are Intel, 1 is AMD], laptop with latest Linux and W7 in dual boot, a desktop with W7 [that used to run XP, it has SCSI! :) for samplers] whose sole purpose is making music, and another desktop with latest Linux and W7 which is for making music in W7, and browsing and experimenting with making music in Linux, and just general usage.

    All W7s I use just for making music. It's a nice networked setup with a fast 8 I/O TP-Link switcher, and a NAS with 12TB of HDs in RAID5 for backup, and as an archive for all the stuff from the sister site. You really need a NAS for all the AZ stuff... :rofl: It comes pretty handy when you want to find some particular sound or an instrument... :wink:

    btw. MS and Apple OSes both don't have the brightest future with MS going more and more for cloud and making W10 into a "terminal OS", and Apple going iOS. On the other hand, more and more developers make their programs and plugins available for Linux platform, too. :wink:

    Cheers!

    p.s. My wife has a Macbook Pro running High Sierra, with Reaper, and for general usage. I like MacOS. Shame it's coming to an end. :sad:
     
    Last edited: Oct 29, 2020
    • Love it! x 2
    • Like x 1
    • Interesting x 1
  9. tzzsmk

    tzzsmk Audiosexual

    Joined:
    Sep 13, 2016
    Messages:
    3,629
    Likes Received:
    2,224
    Location:
    Heart of Europe
    we'll see...
    Microsoft is focusing on more lucrative things than Windows (revenue roughly 25% from Office, 10% from games, around 50% from server stuff and other services) so they aren't even bothering making Windows any better unless it makes people pay for more Microsoft products,
    maybe people will finally get tired of Microsoft bullshit and move onto Linux or MacOS more (I can imagine households leaving computers completely, since tablets and Smart TVs are good enough anyway),

    @SineWave what are you using your main computer for, since you run Debian?
    I've tried to move onto Linux countless times, but things (audio interface, software etc..) just don't work :no:

    although I sincerely hate Windows 10, I must say it is a way to go unless one can go hackintosh way, particularly 1909 PRO build or 1809 LTSC build work just fine when properly tweaked (arguably more hassle than setting a proper hackintosh though imo),

    NAS is a must, speaking of its drives, from my own experience 4x4TB is significantly more silent than 4x12TB, but I definitely don't trust a computer to store data on its own, NAS makes things much easier, especially when using multiple computers and platforms,

    speaking of Macs, I actually happen to have a 2012 13" MacBook Pro (i7, 16GB ram, 500Gig SSD), and it runs High Sierra flawlessly, no signs of coming to an end
    :chilling:
     
  10. Bitmonkey

    Bitmonkey Producer

    Joined:
    Dec 18, 2019
    Messages:
    226
    Likes Received:
    78
    I said MS would do this on a Mac thread a while ago when everyone was complaining about Apple and Catalina and tons of PC users laughed and said this would never happen. This change is *exactly* the same as the app signing process for Apple.

    Your average end user wants this level of security because it helps with the reduction of malware and viruses being added to legit software.

    "If this happens lots of people are screwed" - yes, but primarily it's people who use cracked/pirated software and no actual software vendor gives a shit about them quite frankly.
     
  11. Vader

    Vader Platinum Record

    Joined:
    Jun 15, 2011
    Messages:
    523
    Likes Received:
    236
    Don't see any problem in stopping an obsolete OS from running.
    Apple does this in every single update and people don't complain.
     
  12. Ad Heesive

    Ad Heesive Audiosexual

    Joined:
    Apr 21, 2019
    Messages:
    1,235
    Likes Received:
    980
    Just to add a perspective that has been usefully repeated on this site at least a million times already.

    IF, tomorrow, I wake up and find that Microsoft, and Apple, and every music software manufacturer that ever existed,
    have all totally disappeared in a puff of smoke, what happens next? :dunno:

    I will still have more music making technology in my house than I really need, more than I can thoroughly explore,
    far more than was available to all previous generations of wonderful music makers,
    and all of these toys will easily last me for the rest of my life. None of it is ever obsolete.

    So do I really care about how insanely restrictive tomorrow's software world might be?

    Maybe the only people crying about tomorrow's toys are those that aren't really playing with what they've already got.
     
    • Like x 2
    • Agree x 2
  13. Billy Boils

    Billy Boils Kapellmeister

    Joined:
    Nov 28, 2017
    Messages:
    53
    Likes Received:
    47
    I had to look up what LTSC is, and I'm still pretty confused. My fulltime job is as a touring solo musician, and I am about to change my rig setup by introducing a computer to my rack. I'm paying a PC company to build it because I am a complete computer idiot. I am getting them to build it in a server rack case and I would love to know if this Windows LTSC would be good for my needs. The computer will only run DMXIS, Gig Performer, uTool, uRemote, and X32-Edit, and nothing else. In your opinion, would LTSC be appropriate for my needs, and if so, where do I get it from?
     
  14. panaman

    panaman Kapellmeister

    Joined:
    Jul 8, 2017
    Messages:
    248
    Likes Received:
    45
    No USB3 in Win7? Did you ever use Win7?
    No installing of unsigned drivers? A simple Google search:
    1. Hit the Win+R keys together to open the run dialog. Type gpedit. ...
    2. Expand 'User Configuration' -> 'Administrative Templates' -> 'System'. Click 'Driver Installation'.
    3. In the right panel, double click on 'Code Signing for Device Drivers'.
    4. Click Apply. Restart your computer to install unsigned drivers
    or:

    Step 2: After Windows enters WinRE, go to Troubleshoot > Advanced options > Startup Settings > Restart.
    Step 3: To install a driver without a digital signature, press F7 to choose the Disable driver signature enforcement option.
    Step 4: The system will boot to Windows and then you can install any driver that is not signed.

    I'm sure there are other ways.
     
    • Agree x 1
    • Useful x 1
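    The steps quoted in the post above relax Driver Signature Enforcement on a machine. From the defender's side the useful question is the reverse one: how to tell whether a host is running in such a state, or is loading kernel drivers that would not pass enforcement. The PowerShell script below is an added example and is not from this thread or from Microsoft. It reads the persistent boot-configuration switches with `bcdedit` (testsigning and nointegritychecks; the F7 boot-menu option is per-boot and leaves no trace there, which the comments note) and then lists running kernel drivers whose backing file does not carry a valid Authenticode signature. It assumes an elevated prompt and that Win32_SystemDriver reports file paths, which it normalises defensively before checking.

```powershell
# Added example, not from this thread or from Microsoft: audit a Windows host for
# relaxed driver signature enforcement and for running kernel drivers whose file
# does not carry a valid signature. Run from an elevated prompt (bcdedit needs it).

function Get-SignatureEnforcementState {
    # Persistent boot-configuration switches that relax Driver Signature Enforcement.
    # Caveat: the F7 "Disable driver signature enforcement" boot-menu option applies
    # to a single boot and writes nothing to the BCD store, so it is not visible here.
    $state = @{ testsigning = 'No'; nointegritychecks = 'No' }
    $lines = & bcdedit /enum '{current}' 2>$null
    foreach ($line in $lines) {
        if ($line -match '^\s*(testsigning|nointegritychecks)\s+(\S+)') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$state
}

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName is usually a plain path, but normalise the
    # \??\ and \SystemRoot\ forms defensively and drop anything that does not exist.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if (Test-Path -LiteralPath $p) { return $p }
    return $null
}

function Get-UnsignedRunningDrivers {
    # Every running kernel driver whose file fails Authenticode validation.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $file = Resolve-DriverPath -PathName $_.PathName
            if (-not $file) { return }   # in ForEach-Object, return moves to the next item
            $sig = Get-AuthenticodeSignature -FilePath $file
            [pscustomobject]@{
                Name   = $_.Name
                File   = $file
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

# Run the audit.
$enforcement = Get-SignatureEnforcementState
if ($enforcement.testsigning -eq 'Yes' -or $enforcement.nointegritychecks -eq 'Yes') {
    Write-Warning ("Driver signature enforcement is relaxed: testsigning={0} nointegritychecks={1}" -f
        $enforcement.testsigning, $enforcement.nointegritychecks)
} else {
    Write-Host 'Boot configuration: signature enforcement switches are at their defaults.'
}

$unsigned = @(Get-UnsignedRunningDrivers)
if ($unsigned.Count -eq 0) {
    Write-Host 'All running kernel drivers have a valid Authenticode signature.'
} else {
    $unsigned | Format-Table -AutoSize
}
```

    A driver file that reports NotSigned here is not automatically malicious (a catalog-signed package keeps its signature in the .cat rather than in the .sys), but on a host that should be running only attestation- or HLK-signed drivers it is the first thing to look at, and the Microsoft-Windows-CodeIntegrity/Operational event log records the same image-verification failures at load time.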
  15. Ad Heesive

    Ad Heesive Audiosexual

    Joined:
    Apr 21, 2019
    Messages:
    1,235
    Likes Received:
    980
    There's never a shortage of bollox when people are ignorantly cheer-leading for their favourite OS.
    Total nonsense - appropriately demolished by factual information from @panaman
    and as for 'memory is limited' in W7? :rofl:
    Tell us you have actually installed 192GB on your mega PC and still don't have enough!
    More nonsense. Driver signing and App signing are just NOT the same! in terms of impact on users,
    and your fantasy *exactly* emphasis won't change that.
    And that confusion / misinformation is probably what's causing some people to get their knickers twisted.
    THANK YOU @panaman
    Refreshing to see your factual information to counter balance all the ridiculous claims from the favourite OS cheer leaders.
    :like:
     
  16. Xupito

    Xupito Audiosexual

    Joined:
    Jan 21, 2012
    Messages:
    7,236
    Likes Received:
    3,996
    Location:
    Europe
    LTSC runs just fine, the only problem being it is designed for (big) companies, like the regular Win 10 Enterprise. AFAIK private individuals or small/medium companies can't get it for a decent price. You pay more and you pay for batches (volumes) of licenses.
    But if you're only paying that company for "technical service" you can get a Windows LTSC ISO and activate it... ahem... "AZ-style". lol
     
    • Like x 1
    • Agree x 1
  17. Billy Boils

    Billy Boils Kapellmeister

    Joined:
    Nov 28, 2017
    Messages:
    53
    Likes Received:
    47
    Thanks for your reply Xup. I will take your advice and act on it champ.
     