OK, FTDI is basically saying I have to do my due diligence and make sure I use genuine hardware.
Let's say (for argument's sake) I have 100% solid, undeniable proof I got the genuine chips.
In order to make these chips work I need drivers, in this case I want the V2.12.00 drivers.
Obviously I want to be sure I get the genuine FTDI drivers. Otherwise my efforts could be wasted and I would still have disgruntled users of my product.
First of all I need a reliable source for the drivers. It seems www.ftdichip.com is the place to go.
Obviously I need to check if this domain is actually owned by FTDI. So I start checking the Internet DNS root servers and gobble down the chain and end up with all the contact data of FTDI. Next I check with the chamber of commerce if that address really belongs to FTDI. Fortunately this checks out and I'm confident www.ftdichip.com is the place to go for the genuine FTDI drivers.
Next I want to download the drivers and do my due diligence, because I want to make 100% sure the drivers are not compromised or tampered with.
First I noticed that although port 443 of their website is open for requests, it does not serve me any web pages, let alone encrypted with a certificate I can check.
Now I must assume the download of these drivers uses an unsafe transport mechanism, and I must find another way that proves the drivers are not tampered with in transport.
For this I check if ALL binaries are digitally signed with a code signing certificate. If this checks out with a full chain of trust, I can still be confident about the drivers.
First of all I noticed the file "CDM v2.12.00 WHQL Certified.exe" (which claims to contain the drivers) is indeed signed with a code signing certificate owned by FTDI.
The weird thing is the website states the driver was released on 2014-09-29, while the code signing certificate on the "CDM v2.12.00 WHQL Certified.exe" was signed on 2014-10-22.
This is proof that the "CDM v2.12.00 WHQL Certified.exe" was changed after it was released and cannot be trusted.
It does not prove that the drivers contained in it have been tampered with, but it does make me wonder whether it can still be proven that FTDI can account for the legitimacy of all the binaries for the drivers.
In order to do this I unzip the installer and make sure all the binaries have no chance of being tampered with without me knowing about it.
The first fail I see now is that the binary "dp-chooser.exe" is not code signed. This leads me to conclude that this binary was not authorized for release by the person/department in charge.
This leaves me no choice but to delete this offending binary, as it cannot be trusted.
But luckily I can still work around this issue for some Windows operating systems by using "dpinst-amd64.exe" or "dpinst-x86.exe", as they are properly code signed.
That is... if all the other binaries these two installers install are code signed.
As it turns out, all the binaries for 64-bit Windows operating systems are properly code signed. Hurray!!!!
But my project also needs to be able to run on 32-bit Windows operating systems, so I'd better check them out as well.
OH NOOOOO!!!!!!! The binary "ftcserco.dll" has no code signing certificate on it.
In contrast, the binaries "dp-chooser.exe" and "ftcserco.dll" in the V2.10.00 driver download were code signed.
This leads me to conclude the V2.12.00 drivers on the FTDI website could be compromised/fake and therefore cannot be trusted.
Having said this, it raises the question of where FTDI got the guts to force us to control the entire supply chain of their chips if they cannot even control their internal software development and release chain.
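The check the poster walks through by hand (unpack the installer, then confirm that every .exe, .dll and .sys inside carries a code signing signature with a full chain of trust) is easy to automate with PowerShell's built-in Get-AuthenticodeSignature. The script below is an added example and not part of the original post or of FTDI's tooling; the package folder is a placeholder, and it assumes the installer has already been extracted (for instance with 7-Zip) into that folder.

```powershell
# Added example (not from the original post): walk an extracted FTDI CDM driver
# package and report every PE binary whose Authenticode signature is not Valid.
# Assumption: the installer has already been unpacked into -PackageRoot;
# the default path below is only a placeholder.
param(
    [string]$PackageRoot = 'C:\ftdi\CDM v2.12.00 WHQL Certified'
)

if (-not (Test-Path -LiteralPath $PackageRoot)) {
    throw "Package folder not found: $PackageRoot"
}

# Every PE file in the package, including the 32-bit and 64-bit subfolders.
$binaries = Get-ChildItem -Path $PackageRoot -Recurse -File -Include *.exe, *.dll, *.sys

$report = foreach ($file in $binaries) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        # Path relative to the package root, so the report is readable.
        Path   = $file.FullName.Substring($PackageRoot.Length).TrimStart('\')
        # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        Status = $sig.Status
        # Who signed it (empty for unsigned files); the poster expects FTDI here.
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # Authenticode, Catalog or None (property exists on PowerShell 5.1 and later;
        # on older versions it is simply $null).
        Type   = $sig.SignatureType
    }
}

$report | Sort-Object Status, Path | Format-Table -AutoSize

# Anything other than Valid is a finding: unsigned files, tampered files
# (HashMismatch) and signatures that do not chain to a trusted root (NotTrusted).
$findings = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($findings.Count -gt 0) {
    Write-Warning ("{0} of {1} binaries do not carry a valid signature:" -f $findings.Count, @($report).Count)
    $findings | Format-Table Path, Status -AutoSize
    exit 1
}
Write-Host "All $(@($report).Count) binaries carry a valid Authenticode signature."
```

One caveat a practitioner would want before reading too much into a NotSigned result: WHQL driver packages commonly sign the .sys and .dll files through the package's .cat catalog rather than with an embedded signature, and Get-AuthenticodeSignature reports such files as NotSigned until the catalog has been installed on the system (after which it shows SignatureType Catalog). To check a single file against the package catalog without installing anything, the Windows SDK's signtool can be pointed at the catalog, e.g. `signtool verify /kp /v /c <package>.cat <driver>.sys`. Files such as the installer's own .exe helpers are not covered by a driver catalog, so for those a NotSigned status stands as the poster describes.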