usbip-win
USBIP Win - Sign by EV CodeSign certificate
Hello all,
it will be really nice to have usbip win driver signed properly. The driver must be signed by EV CodeSign cert which is not cheap.
Once the community agrees that the driver is stable I can discuss with our CEO about signing the driver by our EV Cert.
@cezanne let me know when the EV CodeSign will be needed.
@koudis: It's great to hear the news from you. EV certificate will be required for using usbip-win at production level.
But usbip-win kernel drivers are still unstable and lack some functionality such as application compatibility. Current WDM-based vhci does not solve several issues such as #111 even though a commercial virtual USB product has no problem. Maybe most applications and USB libraries depend on the Microsoft-provided pure root hub (usbhub.sys or usbhub3.sys).
Thus, I’m currently developing a kmdf-based vhci via UDE(USB device emulation).
Come on
@cezanne When do you expect the Project to be this far?
I am really interested in using this code without breaking my computer's security.
Thanks anyway for the work yet done!
@Ale268 :
When do you expect the Project to be this far?
My hope answers that this project requires 4~6 months until vhci(UDE) deserves an EV certificate. 😕
Most anti-cheat software complains when driver test signing is on, meaning I can't use usbip until the client drivers are signed for release.
Is there a specific list of issues that are blocking the certification process or a concrete roadmap for a production version? I'd like to see if there's anything I can do, even if I only ever did device drivers on linux and that was years ago.
My hope answers that this project requires 4~6 months until vhci(UDE) deserves an EV certificate.
Would this also eliminate the need for bcdedit.exe /set TESTSIGNING ON? If so I am very eager to get this as it allows using USBIP on a Windows PC with secure boot enabled.
You can use EfiGuard!
Any news on this topic? Could we organize a crowdfunding if the certification is expensive?
Any progress about the certification? We want to use usbip binaries in our commercial software, and can help to get the driver signed. Is there any dedicated time for the code sign certification?
BTW: we plan to use usbip as the PC driver for our wireless USB hardware
This would be great :)
Hi all :),
we are still waiting for a stable version. How does it look, @cezanne?
Hi everyone, do we have any updates on this? Even an update on the estimate would be nice :)
Hi everyone, do we have any updates on this? Even an update on the estimate would be nice (:
@cezanne any updates? Once the cross-signed cert gets implemented, I can remove the need for a hardware USB switch for my project.
Very interested in this topic :-)
Any news on this topic?
This would be nice to have. These are some prices: DigiCert $700USD/yr, EV sectigo $400/yr, EV certum EV - $426 Cloud based, EV certum Open Source $55/yr for OSS projects, cloud based, not EV. @cezanne I'd be willing to donate something and I'm sure others would as well.
up
Comodo - $279/yr, EV if for 2yrs
I'm curious though, is anyone using it in a "production" or "connected" environment and still accept the risk?
Any news on this? I am happy to contribute with an EV certificate if needed.
@forlayo: I would appreciate your EV certificate. However, usbip-win vhci drivers should get attestation sign at MS partner portal after the EV certificate is registered in my partner portal. But I'm not sure that an EV certificate can be registered into multiple accounts. If it's not possible, you may be asked to provide your partner account or create my account on your partner portal. Or you can contribute to sign vhci drivers yourself.
A newly released 0.3.6-dev package has MS signed vhci drivers. I managed to acquire an EV certificate but its validation period will expire soon. Thus, another EV might be needed.
A newly released 0.3.6-dev package has MS signed vhci drivers. I managed to acquire an EV certificate but its validation period will expire soon. Thus, another EV might be needed.
I confirm this works as expected.
A newly released 0.3.6-dev package has MS signed vhci drivers. I managed to acquire an EV certificate but its validation period will expire soon. Thus, another EV might be needed.
Could we know when the current EV Certificate will expire?
I guess you should wrap
Enable test signing
> bcdedit.exe /set TESTSIGNING ON
reboot the system to apply
in something like "if not a signed release"
@MinHyukPark121 :
Could we know when the current EV Certificate will expire?
Maybe after 3 months. However, once signed package can be safely installed with no test mode even though the certificate expires. Expiration matters only for package signing.
@maxdd:
in something like "if not a signed release"
Good comment. thanks.
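One way to apply the "if not a signed release" check discussed above before touching test mode, as an added example that is not part of the thread or the usbip-win repository. It assumes the user passes the path to the package's .cat or .sys file (the thread does not name it), that attestation-signed drivers carry the signer name "Microsoft Windows Hardware Compatibility Publisher", and that bcdedit output is in English.

```powershell
# Added example: decide whether test signing is needed for a given driver file.
param(
    # Path to the driver package's catalog (.cat) or driver (.sys) file; supplied by the user.
    [Parameter(Mandatory = $true)][string]$DriverFile
)

# Assumption: signer name found on drivers signed through the Microsoft partner portal.
$MsPublisher = 'Microsoft Windows Hardware Compatibility Publisher'

function Test-MicrosoftSigned {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status must be Valid (hash matches, chain trusted) and a signer must be present.
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { return $false }
    # Compare the signer's simple name (CN) exactly, not as a substring.
    $cn = $sig.SignerCertificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    return ($cn -eq $MsPublisher)
}

function Test-TestSigningOn {
    # Needs an elevated prompt; looks for "testsigning  Yes" in the current boot entry.
    $out = & bcdedit.exe /enum '{current}' 2>&1
    return [bool]($out | Select-String -Pattern '^\s*testsigning\s+Yes' -Quiet)
}

$signed  = Test-MicrosoftSigned -Path $DriverFile
$testing = Test-TestSigningOn

if ($signed -and $testing) {
    Write-Output 'Driver is Microsoft-signed; test mode is not needed (bcdedit.exe /set TESTSIGNING OFF, then reboot).'
} elseif ($signed) {
    Write-Output 'Driver is Microsoft-signed and test signing is off; install normally.'
} elseif ($testing) {
    Write-Output 'Driver is not Microsoft-signed; test signing is already on.'
} else {
    Write-Output 'Driver is not Microsoft-signed; it loads only after bcdedit.exe /set TESTSIGNING ON and a reboot.'
}
```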
Happy to contribute to signing cert!
As an alternative, would something like EfiGuard be of any use to work around the signing requirement in trusted environments? https://muffsec.com/blog/how-to-use-efiguard-to-disable-patchguard/
If somebody sends me an OV sign for signing, I will try to sign the drivers with it. I did it with my OV sign successfully and the drivers installed well under Win10 LTSC19.
@cezanne if you can guide me to set up my certificate on my partner portal to sign the driver I'll be happy on help signing it for you. I've just received my EV certificate today.
@forlayo if you can, you can try on your own to sign the drivers using the utilities from Visual Studio and DDK and the EV you got. If you don't have the utilities, I can send you the ones with which I signed my driver by OV the previous year.