[OpenAFS] Microsoft Changing Digital Signature Requirements

Jeffrey Altman jaltman@your-file-system.com
Sat, 28 Mar 2015 12:42:56 -0400


This e-mail is intended as a heads up to the OpenAFS end user community.

As per

  https://technet.microsoft.com/library/security/2880823

Microsoft is deprecating the use of the SHA-1 hashing algorithm to sign
binaries after 1 Jan 2016.  After that point SHA-256 will need to be used.

As documented

  https://support.microsoft.com/en-us/kb/2763674

it is not possible to run applications on Windows 7 SP1 / Server 2008 R2
SP1 and earlier that are signed using a SHA-256 certificate.

Since last Fall Microsoft has been attempting with mixed success to
update Windows 7 SP1 and Server 2008 R2 SP1 (but not earlier OSes) to
support SHA-256 and Extended Validation certificates. The most recent
attempt was issued this month as update 3033929.

However, this update fails to permit booting of the system when third
party boot loaders are used, for example when dual booting Linux.


https://answers.microsoft.com/en-us/windows/forum/windows_7-windows_update/kb3033929-fails-to-install-and-cause-a-minor/4c56d5d5-a66c-4865-8ccb-d36f7c314c33

Microsoft has not publicly announced it, but it is known to those in the
Windows kernel development community that major changes to driver
signing are coming for Windows 10 RTM.  In particular three requirements
will go into effect when Windows 10 exits preview.

1. SHA-256 Extended Validation certificates must be used for driver
   signing on Intel platforms

2. Organizations will not be issued cross-signing certificates by
   Microsoft and all drivers must be uploaded to Microsoft for
   cross-signing

3. Only parties that have been approved and are actively involved
   in the Microsoft system quality program are permitted to submit
   drivers for signing

These rules unify the driver signing requirements for Windows on Intel,
Windows on ARM (aka Windows Phone), and Xbox One.

As a side-effect of the deprecation of SHA-1 the approved Certificate
Authorities that issue Authenticode certificates are no longer issuing
renewals for SHA-1 and EV certificates are only available as SHA-256.

It is not known if there will be a certification requirement for file
system drivers as there is for other drivers.

What does this mean for the OpenAFS community?

Due to the new requirements it will no longer be possible to issue one
set of installers for all operating systems.  In particular, XP, Server
2003, XP 64, Vista, Server 2008, Windows 7 and Server 2008 R2, which will
not have SHA-256 support, are no longer going to be able to install new
OpenAFS releases.

Systems that are running Windows 7 SP1 and Server 2008 R2 SP1 without
the latest updates are not going to be able to install new OpenAFS releases.

Up to this point all Windows installer packages have been built and
signed by Your File System Inc.  These packages have been distributed
via the openafs.org web site.  This is going to change.

The new requirements from Microsoft for SysQual participation and
signature validation will no longer permit Your File System Inc. to sign
a driver and reference openafs.org as the source.

This week I will be attending the IFS PlugFest at Microsoft and will
find out the missing details regarding how drivers will be submitted,
what test / validation must be provided to Microsoft, and how the signed
drivers will be retrieved.  I will also find out whether one of these
new Windows 10 EV certificate-based signed drivers cross-signed by
Microsoft will work on pre-Windows 10 systems.  There is a strong
likelihood that installers for Windows 10 will not be compatible with
earlier OS revisions because of the driver signing requirements.

It is not known whether a driver installed on a Windows 7 or Windows 8
system using a SHA-1 certificate and the existing cross-signing
mechanism will continue to work after an upgrade to Windows 10.  My
guess is "yes", but only if the driver was signed before the Windows 10
RTM date.

Windows 10 RTM is expected to be issued some time over the Summer.  Your
File System Inc will continue to provide Windows installer packages to
its customers and the community via the

  https://www.your-file-system.com

website.  It will no longer produce installers using the out of date
in-tree packaging.  Instead the unified MSI packaging with embedded
Heimdal assemblies will be the only version of the installer for OpenAFS
binaries signed by Your File System Inc.

I will provide additional details as I obtain them.

Jeffrey Altman
Your File System Inc.
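Added example, not code from the post above nor from OpenAFS or Your File System Inc.: a PowerShell check an administrator can run on a Windows host to see which installed binaries carry SHA-256-based Authenticode certificates and whether this OS, as the post describes for Windows 7 SP1 / Server 2008 R2 SP1 and earlier, can verify them. It assumes that the digest the issuing CA used on the signer certificate (sha1RSA versus sha256RSA, as exposed by .NET) is what "signed using a SHA-256 certificate" refers to, and that KB3033929 is the update named in the post that adds SHA-256 support on Windows 7 SP1 and Server 2008 R2 SP1. `Test-Sha256SigningCompat` and its verdict strings are this example's own names.

```powershell
# Added example (not from the mailing-list post or the OpenAFS project):
# audit signed binaries on this host against the SHA-1 -> SHA-256
# Authenticode transition.
#
# Assumptions made here (not stated in the post):
#  - the CA digest on the signer certificate (sha1RSA / sha256RSA) is taken
#    as the indicator of a "SHA-256 certificate"; the file digest itself is
#    not exposed by Get-AuthenticodeSignature (signtool verify /v /pa from
#    the Windows SDK prints it)
#  - KB3033929 is the update that adds SHA-256 support on Windows 7 SP1 and
#    Server 2008 R2 SP1

function Test-Sha256SigningCompat {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]] $Path
    )

    begin {
        # Windows 7 / Server 2008 R2 report kernel version 6.1.  Anything older
        # never received SHA-256 code-signing support; 6.1 needs KB3033929.
        $os      = [Environment]::OSVersion.Version
        $isWin7  = ($os.Major -eq 6 -and $os.Minor -eq 1)
        $isOlder = ($os.Major -lt 6) -or ($os.Major -eq 6 -and $os.Minor -lt 1)
        $hasKb   = [bool](Get-HotFix -Id 'KB3033929' -ErrorAction SilentlyContinue)
    }

    process {
        foreach ($file in $Path) {
            $sig = Get-AuthenticodeSignature -FilePath $file
            $cert = $sig.SignerCertificate
            if ($cert) {
                $alg = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
            } else {
                $alg = 'unsigned'
            }

            # Decide whether this host can validate the signature at all.
            if ($sig.Status -eq 'NotSigned') {
                $verdict = 'unsigned'
            } elseif ($alg -notmatch 'sha256') {
                $verdict = "ok ($($sig.Status))"
            } elseif ($isOlder) {
                $verdict = 'will not verify: OS has no SHA-256 support'
            } elseif ($isWin7 -and -not $hasKb) {
                $verdict = 'will not verify until KB3033929 is installed'
            } else {
                $verdict = "ok ($($sig.Status))"
            }

            [PSCustomObject]@{
                Path          = $file
                Status        = $sig.Status
                CertAlgorithm = $alg
                CertExpires   = if ($cert) { $cert.NotAfter } else { $null }
                Verdict       = $verdict
            }
        }
    }
}

# Usage: inspect the first few kernel drivers shipped with this host.
Get-ChildItem "$env:windir\System32\drivers\*.sys" |
    Select-Object -First 5 -ExpandProperty FullName |
    Test-Sha256SigningCompat |
    Format-Table -AutoSize
```

`Status` comes from the OS verifier on the host where the script runs, so a binary whose certificate is sha256RSA can report `Valid` on Windows 10 and `NotSigned` or `UnknownError` on an un-updated Windows 7 SP1 machine; the `Verdict` column explains the second case before it happens. Because a cross-signed driver chain and the file digest are not visible here, treat a `sha1RSA` result only as "not blocked by the SHA-256 rule", not as proof the driver will load after 1 Jan 2016.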




