@CaptainFlint said:
@henrik_meida
If the cross-certificate expires in April, Microsoft does not have to do anything, they just need to not issue another cross-certificate. When you sign a driver, you must specify a cross-certificate via the /ac flag in signtool. If the cross-certificate is expired when you are trying to sign the file, it will not be accepted by signtool, and your driver will not have a certificate chain ending up in the Microsoft root.
In short, for the driver signature to be valid, all of the: main certificate, CA certificate, cross-certificate, and any other intermediate certificate, if any (like in Globalsign, which have additional R3-R1 step) - must be valid on the date when you perform the signing. This validity is verified by a timestamp signature. If you don’t timestamp the file, then it is considered valid only until any of the certificates listed above expires.
Sorry seems like if you edit your comment too many times you can’t post in the same thread anymore, so i couldn’t post the answer anymore
This is the cross certificate chain of a signed file (used signtool verify /kp /v) :
File is not timestamped.
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 09 06:33:03 2025
Issued to: COMODO RSA Certification Authority
Issued by: Microsoft Code Verification Root
Expires: Sun Apr 11 15:16:20 2021
Issued to: COMODO RSA Extended Validation Code Signing CA
Issued by: COMODO RSA Certification Authority
Expires: Sun Dec 12 13:59:59 2029
...
So what you’re saying is that after Sun Apr 11 15:16:20 2021, non timestamped drivers that are cross signed with this certificate will not load, and after Sun Apr 11 15:16:20 2021 we can’t sign with it using timestamp either, because the second one in the chain has expired, correct? if so, then even signing user mode apps would not be possible with this cert, would it?!