Windows 10 driver signing question [message #108948]
Thu, 08 October 2015 17:16
mikeaudet
Messages: 476 Registered: February 2009 Location: Canada
Senior Member
Hi All,
I have a dilemma that I think I've somewhat resolved, but I wanted to consult with the community about it because there is no perfect solution.
Windows 10 has changed the driver signing rules, and the changes aren't good.
Secure boot is a mechanism that checks that boot loader code is digitally signed. It was added in Windows 8.
For me to update the scherzo driver for Windows 10 and support secure boot, I'll now have to buy an 'extended validation' security certificate that will cost about $600 Canadian per year. That's completely unaffordable for me.
I'll also have to upload the driver to Microsoft servers for them to sign, and I'll have to agree to watch for telemetry data for bugs. That's a good thing if people agree to send telemetry data, but sending telemetry data is mandatory in Windows 10. I personally see mandatory data collection, that includes a list of all applications installed on a personal computer, as a serious privacy violation. I'd be participating in something I'm strongly against in its current form.
I can use the old cross certificate mechanism that Windows 7/8 used, but it will only work with Windows 10 if secure boot is disabled in the BIOS.
All PCs up until the new crop of Windows 10 logo PCs were required to have a BIOS option to turn off secure boot. With new PCs, this switch will be optional. It's possible that some new PCs will not have the ability to disable secure boot.
There's really no good option.
I've contacted Microsoft and asked for help, and they have refused.
There's also the SHA1 vs 2 change that's coming. If I get a new certificate, it will have to be SHA2, which will only work on recently patched Windows 7 PCs. Windows Vista won't load the driver, nor will older builds of Windows 7.
Basically, Microsoft sucks.
I'm leaning to getting a 3 year regular cross certificate and just not supporting secure boot on Windows 10.
What would you guys do?
All the best,
Mike
[Updated on: Thu, 08 October 2015 18:19]
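An added example, not part of the original post: a PowerShell script that reports, for one machine, the two conditions the post above turns on, whether Secure Boot is enabled and which hash algorithm the driver's signing certificate uses. The driver path is a placeholder, since the page does not give the file name.

```powershell
# Added example. $DriverPath is a hypothetical placeholder path.
param(
    [string]$DriverPath = 'C:\Path\To\driver.sys'
)

function Get-SecureBootState {
    # Confirm-SecureBootUEFI returns $true or $false on UEFI firmware.
    # It raises an error on legacy BIOS machines and when not elevated,
    # so any failure is reported rather than treated as "Disabled".
    try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch {
        "Unknown ($($_.Exception.Message))"
    }
}

function Get-DriverSignatureInfo {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Driver file not found: $Path"
    }

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    [pscustomobject]@{
        File          = $Path
        Status        = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
        Signer        = if ($cert) { $cert.Subject } else { $null }
        # e.g. sha1RSA or sha256RSA: the SHA1 vs SHA2 question from the post
        CertAlgorithm = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { $null }
        CertExpires   = if ($cert) { $cert.NotAfter } else { $null }
        Timestamped   = [bool]$sig.TimeStamperCertificate
    }
}

$info = Get-DriverSignatureInfo -Path $DriverPath
$info | Add-Member -NotePropertyName SecureBoot -NotePropertyValue (Get-SecureBootState)
$info | Format-List
```

`Status` is the user-mode Authenticode result only; it does not by itself say whether the kernel will load the driver when Secure Boot is enabled. Run the script from an elevated prompt so the Secure Boot query can succeed.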
Re: Windows 10 driver signing question [message #108950 is a reply to message #108949]
Thu, 08 October 2015 20:09
mikeaudet
Hi Richard,
It's really nice of you to offer, but it's a lot of money, year after year.
I'll have to promise to watch the telemetry and fix bugs - I want to fix bugs - but what happens if the certificate expires? I can't fix the bugs then, and I've made a commitment.
Right now, turning off secure boot takes less than a minute in the BIOS of any PC. If that changes - and it might - my feeling is that we can look at the EV certificate then.
Windows 10 is so problematic from a privacy perspective, too. Should we even be using it? Does it make sense to spend a bunch of money to support something that's bad?
I really don't think Microsoft should be getting a list of all of anyone's installed applications. If someone wants to run a BitTorrent client or a utility to remove copy protection to allow fair use, they shouldn't have to tell Microsoft.
Plus, there's no way to look at the data being sent back. It's all encrypted. Who knows what's in it, really?
The performance improvements of Windows 10 are in Windows 8. And the new start menu sucks so much that I had to install Classic Shell anyway. I could just do that in Windows 8.1, if I wanted to leave Windows 7, which I don't.
I'm pretty conflicted, though. Maybe some new certificate companies will be added to the supported list and the price will come down. Maybe we'll get to a point that we're confident there will be no changes, so one year will be enough.
I've been chewing on this for a couple of weeks. I'm really glad that we're talking about it.
All the best,
Mike
Re: Windows 10 driver signing question [message #108954 is a reply to message #108948]
Fri, 09 October 2015 16:46
I'd say whatever happens with the certificate, it shouldn't come out of your pocket. If and when the BIOS fix is no longer possible, this will affect MOST future development for PARIS, so it will be in the community's interest for you to have a certificate. So if and when that day comes I would happily host - and contribute to - a Kickstarter so that we as a community can chip in to buy it for you. Thoughts, folks?
"... being bitter is like swallowing poison and waiting for the other guy to die..." - anon
Re: Windows 10 driver signing question [message #108956 is a reply to message #108948]
Fri, 09 October 2015 18:56
mikeaudet
I just ordered a Comodo code signing certificate that will be valid for the next 3 years. It cost me about $290 CA. I'm totally fine with paying that for three years of use. The EV certificate would have been $1800. That's simply ridiculous.
I thought that Windows 8 was a disaster because Microsoft was trying to kill off the desktop and push us into a walled garden where they controlled what could be installed (while taking a 30% cut). We refused to go along, and Windows 10 now allows side loading of universal apps.
Windows 10 is about turning individual users into beta testers for high-paying corporate customers. We get the patches first, and Microsoft relies on the non-optional telemetry to make sure everything works 100% before the corporate customers get it a few months later. Our privacy is just the collateral damage of their new business model. I refuse to go along.
The most infuriating part is that they could easily get what they want by making the telemetry opt-out. Most people would never change the default setting. Those that care would turn it off. Everyone would be happy. Maybe they will come to this themselves eventually.
Thanks for being so understanding and supportive, everyone.
Cheers!
Mike