Wireshark-dev: [Wireshark-dev] Windows driver signing certificate purchase decision for WinPcap
From: Yang Luo <[email protected]>
Date: Tue, 21 Jul 2015 10:15:54 +0800
Hi list,

There's only 8 days left for Win10 RTM. It seems that both WinPcap and Npcap need to decide which kind of Windows driver signing certificate to buy. There are two kinds of certs: EV cert and non-EV cert.

AFAIK, I think we don't need to buy an EV cert yet, as EV cert is complicated to use (has to use a hardware key) and much more expensive. You should have found out that current Npcap driver CAN be successfully installed into Windows 10 Insider Preview 10240 x64 ( which is a candidate for Win10 RTM) WITHOUT disabling "Driver Signature Enforcement". The reason turns out to be: "To ensure backwards compatibility, drivers which are properly signed by a valid cross-signing certificate that was issued before the release of Windows 10 will continue to pass signing checks on Windows 10." (see for details: http://blogs.msdn.com/b/windows_hardware_certification/archive/2015/04/01/driver-signing-changes-in-windows-10.aspx). My English is not that good, but I think this sentence means that if you buy a non-EV cert before Win10 release (AKA 2015/7/29), you can use the cert to sign a driver to any platform including Win10 until it expires. So you can just buy a 3-year long cert before 7/29 and use it to sign any drivers for these 3 years. 3 years later, we have no other choice but to buy an EV cert, but who knows whether Microsoft would change its driver signing policy again then?

Am I understanding it right?