Github Actions workflow to create exe/msi package, with valid driver signature

[bpetit]

Procedure to sign the driver has been validated.

We now have to:

• confirm this procedure with a valid/paid certificate => ensure that installation is smooth then (no warning)
• automate the creation of a signed msi/exe + sharing it for each tag/release
• automate testing the installation on a windows server machine => Github Actions workflow

[TheElectronWill]

I'm curious to see how you get the driver's certificate. Do you need to pay something to Microsoft every year?

[adelnoureddine]

Hi @bpetit, is there an ETA when the driver will be signed, and therefore easier to deploy as an msi/exe?

[bpetit]

Hi,

It's a matter of days now

[bpetit]

@TheElectronWill yes you need to pay for an EV certificate with a microsoft partner, then sign an hlkx archive you get from hlk studio running tests on your driver, then send it to MS.

It was a long journey, I'll try to document that somewhere.

[adelnoureddine]

Does this mean that Hubblo/Scaphandre or the community will not provide a signed installer for the driver to use everywhere?
i.e., like Intel Power Gadget where the user won't have to worry about signatures.

[bpetit]

We will provide for sure an installer containing both scaphandre and the signed driver (exactly like Intel Power Gadget that includes a userland software and a signed driver).

We will also (and just did on the 0.0.4 release page) publish the signed .sys/.cat files of the driver (+unsigned .inf file), that anyone could embed in an installer.

Providing a package with only the driver inside is not a priority however, but forking the iss config file available in the scaphandre repository one could make a new iss config only embedding the driver and create a specific installer.

[adelnoureddine]

Thanks @bpetit.