Signing issue for Windows version driver
I modified the VeraCrypt driver code for personal work and want to use it on my own systems (no need to boot Windows into "Test Mode"). How do I do it?
To use your modified VeraCrypt driver on your systems without needing to boot Windows into "Test Mode," you will need to get your driver signed and certified by Microsoft. Here are the steps to achieve this:
- Obtain an EV Code Signing Certificate:
  - Obtain an Extended Validation (EV) Code Signing Certificate from a trusted Certificate Authority (CA) such as DigiCert, GlobalSign, or Sectigo. This certificate is necessary for signing drivers that will be submitted to the Windows Hardware Dev Center Dashboard.
- Sign the Driver with Your EV Certificate:
  - Once you have the EV Code Signing Certificate, modify the sign.bat file in the VeraCrypt source code to use your new EV certificate to sign the modified VeraCrypt driver.
- Register as a Hardware Developer:
  - Create an account on the Hardware Dev Center and register as a hardware developer: Windows Hardware Dev Center.
- Prepare the Submission Package:
  - Prepare a submission package that includes your signed driver and an INF file. Follow the guidelines provided by Microsoft for creating this package.
- Submit for Attestation Signing:
  - Submit the package to Microsoft through the Dev Center Dashboard for attestation signing. Microsoft will review your driver for compliance.
- Download the Signed Driver:
  - After Microsoft reviews and approves your driver, they will provide a signed version. This process may take a few days the first time since a manual review will be needed.
  - Download the signed driver from the Dev Center Dashboard.
Please be aware that EV code signing certificates and Microsoft signing are typically limited to organizations to prevent abuse. Therefore, you will need to use a company for this process. Creating a company is relatively easy nowadays if you do not already have one.
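The packaging and signing steps above, sketched as a PowerShell script. This is an added example, not part of the original answer or of the VeraCrypt source; it follows the CAB layout Microsoft documents for attestation submissions. The folder, package name, certificate subject and timestamp URL are placeholders, and it assumes `signtool.exe` from the Windows SDK/WDK is on the PATH.

```powershell
# Added example: build the submission CAB and sign it with an EV certificate.
# Every default below is a placeholder (assumption), not a value from the VeraCrypt tree.
param(
    [string]$DriverDir    = 'C:\build\MyDriver',             # folder with the .inf and .sys (hypothetical)
    [string]$Name         = 'MyDriver',                      # package / CAB subfolder name (hypothetical)
    [string]$CertSubject  = 'Example Company Ltd',           # subject name of your EV certificate
    [string]$TimestampUrl = 'http://timestamp.example.test'  # your CA's RFC 3161 timestamp URL
)
$ErrorActionPreference = 'Stop'

# Collect the driver package files and refuse to continue if the INF or SYS is missing.
$files = Get-ChildItem -Path $DriverDir -File |
    Where-Object { $_.Extension -in '.inf', '.sys' }
foreach ($ext in '.inf', '.sys') {
    if (-not ($files | Where-Object Extension -eq $ext)) {
        throw "No $ext file found in $DriverDir"
    }
}

# MakeCab directive file: one CAB, no size limits, all files under a subfolder
# (the CAB must not contain driver files at its root).
$ddf = @(
    '.OPTION EXPLICIT'
    '.Set CabinetFileCountThreshold=0'
    '.Set FolderFileCountThreshold=0'
    '.Set FolderSizeThreshold=0'
    '.Set MaxCabinetSize=0'
    '.Set MaxDiskFileCount=0'
    '.Set MaxDiskSize=0'
    '.Set CompressionType=MSZIP'
    '.Set Cabinet=on'
    '.Set Compress=on'
    ".Set CabinetNameTemplate=${Name}.cab"
    ".Set DestinationDir=${Name}"
) + ($files | ForEach-Object { '"{0}"' -f $_.FullName })

$ddfPath = Join-Path $DriverDir "${Name}.ddf"
Set-Content -Path $ddfPath -Value $ddf -Encoding ASCII

Push-Location $DriverDir
try {
    makecab /f $ddfPath                      # writes Disk1\<Name>.cab by default
    if ($LASTEXITCODE -ne 0) { throw 'makecab failed' }
    $cab = Join-Path $DriverDir "Disk1\${Name}.cab"

    # Sign the CAB with the EV certificate from the current user's "MY" store.
    signtool sign /s MY /n $CertSubject /fd sha256 /tr $TimestampUrl /td sha256 /v $cab
    if ($LASTEXITCODE -ne 0) { throw 'signtool sign failed' }

    # Confirm the signature chains correctly before uploading to the dashboard.
    signtool verify /pa /v $cab
    if ($LASTEXITCODE -ne 0) { throw 'signature verification failed' }
} finally { Pop-Location }
```

The signed CAB under `Disk1` is the file uploaded to the dashboard; the EV private key normally lives on a hardware token, so `signtool` will prompt for its PIN.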