[RyanRies]

You can disable driver signing enforcement if you want to install drivers without having them signed.

Driver signing enforcement enhances the security of the OS by preventing malware from installing kernel mode drivers that would hypothetically have unlimited access to the device without the consent or knowledge of the user.

There really is no downside to this.

[devwastaken]

afaik you cannot just 'disable' it. You have to disable it every time you boot the computer, and secure boot has to be disabled. I would agree with you if microsofts signing process was 21st century and anyone could do it through proper channels but last time I checked it's archaic and targetable by anyone wanting to make a virus anyways. https://news.ycombinator.com/item?id=17195758

[eropple]

> You have to disable it every time you boot the computer

This is straight-up untrue. You disable it to install the driver. It's fine after that.

[ivank]

The downside is having to pay hundreds of dollars for an EV code signing cert just to submit a driver to Microsoft for Microsoft to sign.

[RyanRies]

If you're a professional or part of a professional organization, this is a small hurdle to clear and most would agree that the increased security posture for the end user is worth the inconvenience/price for developers.

If you're an amateur/hobbyist/tinkerer and just want to play with kernel driver development, then you can disable the signing enforcement.

Anyway I'm sorry for derailing from the actual point of this post - it's a very cool project!

[vetinari]

Professional organization vs hobbyist is a false dichotomy. We have entire operating systems that would be classified as made by hobbyists, yet are used by "serious organizations".

It also means, that we will not get some nice things, we would otherwise have. See also iSCSI initiator or FUSE for macOS. They have same problem - need to be signed by the right certificate, so nobody bothered.

Other systems, when they are running in Secure Boot mode, also accept kernel modules signed by the same keys, that are enrolled into UEFI. Why can't Windows and Mac do the same?

[TomMarius]

> We have entire operating systems that would be classified as made by hobbyists, yet are used by "serious organizations".

Which ones? Linux certainly isn't made by hobbyists today. It used to be, but that was a very long time ago.

[Retric]

Why Windows of course. ba dum tish

[userbinator]

Why can't Windows and Mac do the same?

Because of corporate control.

[0x0]

Fuse for macOS is signed by its developer, not sure what you mean "not get some nice things"? Or did you mean for windows? (Both windows and macOS require paid developer certificates to load kernel drivers)

[vetinari]

I meant both.

I wasn't aware that FUSE for Mac is signed nowadays. When I was checking it few years ago, it was an issue.

The iSCSI terminator for Mac still has the same issue. The code is on github, making it work is the user problem.

[megous]

> Anyway I'm sorry for derailing from the actual point of this post - it's a very cool project!

Yeah cool project, yet if you'll read the issues on github, you might realize, that at some point no one will be able to use it hassle free, when the author stops renewing a code signing certificate. And for a hobby project, I wouldn't blame him. Some people can't use it hassle free now, because of signing issues.

I ceratinly can't install it on my gf's notebook, so that she can play audio over my speakers, because it would stop working after each reboot.

[eropple]

That's not how it works at all--I run unsigned drivers on some of my machines all the time because occasionally user-hacked drivers work better with this or that video capture device. You have to reboot to install an unsigned driver; it works just fine afterwards.

[megous]

I'll try, then. Thanks.