
Digicert won't even sell me a kernel code signing cert anymore.

Mark_Roddy Member - All Emails Posts: 4,366

Has MSFT really pulled the plug?
This is what DigiCert says:

On August 1, 2019, Microsoft announced the Microsoft Trusted Root Program is ending support for cross-signed root certificates with kernel-mode signing capabilities. In 2021, most of the cross-signed certificates expire.

When the cross-signed certificate that your code signing certificate is chained to expires, you will no longer be able to create new kernel-mode digital signatures. This affects all versions of Windows. To learn more about Microsoft's deprecation plans for kernel-mode digital signatures, see Deprecation of Software Publisher Certificates, Commercial Release Certificates, and Commercial Test Certificates.

Note: All existing cross-signed root certificates with kernel-mode signing capabilities continue to work until they expire. See Expiration dates of DigiCert brand trusted cross-signed certificates below.

https://knowledge.digicert.com/alerts/Kernel-Mode

Comments

  • Dejan_Maksimovic Member - All Emails Posts: 335
    via Email
    I guess we will still need the ridiculously expensive EV cert to
    verify with the Dashboard, but will now have to sign drivers via the
    dashboard, or they won't load?

  • Mark_Roddy Member - All Emails Posts: 4,366

    Yeah that is my take on it too. Must have EV cert for dashboard, can only get a production signing through dashboard.

  • Tim_Roberts Member - All Emails Posts: 13,596

    I assumed this ill-conceived policy would die under the crush of industry pressure. I'm glad I'm nearing retirement.

    Tim Roberts
    Providenza & Boekelheide, Inc.

  • Mark_Roddy Member - All Emails Posts: 4,366
    via Email
    You and me both. Although it obviously presents a business opportunity for
    people willing to provide driver certification as a service.
    Mark Roddy
  • Dejan_Maksimovic Member - All Emails Posts: 335
    via Email
    I reckon MS is approaching retirement as well :)

    On 6/29/20, Tim_Roberts wrote:
    > I assumed this ill-conceived policy would die under the crush of industry
    > pressure. I'm glad I'm nearing retirement.
    > --
    Kind regards, Dejan Maksimovic.
    FS Lead: http://www.alfasp.com
  • Sergey_Pisarev Member - All Emails Posts: 259

    It is still not so bad as for MacOS. With the new macOS to be released soon, users need to boot into “safe mode” and explicitly switch the OS to “reduced security” mode to be able to load third-party kernel extensions at all. In comparison to that, Windows is still a relatively open platform for kernel-mode development.
    Not that I support this locking down.

  • Peter_Viscarola_(OSR) Administrator Posts: 8,035

    It is still not so bad as for MacOS

    MacOS is the worst when it comes to system software development. Crazy annoying.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers
