Digicert won't even sell me a kernel code signing cert anymore.

Mark_Roddy

Has MSFT really pulled the plug?
This is what digicert says:

On August 1, 2019, Microsoft announced the Microsoft Trusted Root Program is ending support for cross-signed root certificates with kernel-mode signing capabilities. In 2021, most of the cross-signed certificates expire.

When the cross-signed certificate that your code signing certificate is chained to expires, you will no longer be able to create new > kernel-mode digital signatures. This affects all version of Windows. To learn more about Microsoft's deprecation plans for kernel-mode digital signatures, see Deprecation of Software Publisher Certificates, Commercial Release Certificates, and Commercial Test Certificates.

Note: All existing cross-signed root certificates with kernel-mode signing capabilities continue to work until they expire. See Expiration dates of DigiCert brand trusted cross-signed certificates below._

https://knowledge.digicert.com/alerts/Kernel-Mode

Dejan_Maksimovic

I guess we will still need the ridicoulously expensive EV cert to
verify with the Dashboard, but will now have to sign drivers via the
dashboard, or they won't load?

On 6/29/20, Mark_Roddy wrote:
> OSR https://community.osr.com/
>
> Mark_Roddy started a new discussion: Digicert won't even sell me a kernel
> code signing cert anymore.
>
> Has MSFT really pulled the plug?
>
> This is what digicert says:
>
> On August 1, 2019, Microsoft announced the Microsoft Trusted Root Program is
> ending support for cross-signed root certificates with kernel-mode signing
> capabilities. In 2021, most of the cross-signed certificates expire.
>
> When the cross-signed certificate that your code signing certificate is
> chained to expires, you will no longer be able to create new > kernel-mode
> digital signatures. This affects all version of Windows. To learn more about
> Microsoft's deprecation plans for kernel-mode digital signatures, see
> Deprecation of Software Publisher Certificates, Commercial Release
> Certificates, and Commercial Test Certificates.
>
> Note: All existing cross-signed root certificates with kernel-mode signing
> capabilities continue to work until they expire. See Expiration dates of
> DigiCert brand trusted cross-signed certificates below._
>
> https://knowledge.digicert.com/alerts/Kernel-Mode
>
> --
> Reply to this email directly or follow the link below to check it out:
> https://community.osr.com/discussion/292176/digicert-wont-even-sell-me-a-kernel-code-signing-cert-anymore
>
> Check it out:
> https://community.osr.com/discussion/292176/digicert-wont-even-sell-me-a-kernel-code-signing-cert-anymore
>

Mark_Roddy

Yeah that is my take on it too. Must have EV cert for dashboard, can only get a production signing through dashboard.

Tim_Roberts

I assumed this ill-conceived policy would die under the crush of industry pressure. I'm glad I'm nearing retirement.

Mark_Roddy

You and me both. Although it obviously presents a business opportunity for
people willing to provide driver certification as a service.
Mark Roddy

Dejan_Maksimovic

I reckon MS is approaching retirement as well

On 6/29/20, Tim_Roberts wrote:
> OSR https://community.osr.com/

> I assumed this ill-conceived policy would die under the crush of industry
> pressure. I'm glad I'm nearing retirement.
> --
Kind regards, Dejan Maksimovic.
FS Lead: http://www.alfasp.com

Sergey_Pisarev

It is still not so bad as for MacOS. With new macOS to be released soon user need to boot in to “safe mode” and explicitly switch os to “reduced security” mode to be able to load third-party kernel extensions at all. In comparison to that windows is still relatively open platform for kernel mode development.
Not that I am support this locking down.