In response to a few threads, without necroposting, see below.
https://community.osr.com/discussion/292981/for-a-windows-10-submission-the-input-package-and-the-included-files-must-be-signed-with-sha256-sig#latest
https://community.osr.com/discussion/comment/302150/#Comment_302150
Microsoft has clarified that at this time “The Windows Hardware Partner Center only accepts SHA-256 leaf certificates when validating the signature on the driver package. The limitation only applies to the leaf [client] certificate, as higher algorithms can be used for other certificates along the chain.”
SSL.com has addressed this by using one of our other Intermediate certs that use SHA-256 to sign the leaf certificate and have replaced any certificate we are aware of that was impacted by this issue.
There was a CA/B Forum Baseline requirement that occurred where all CAs needed to change the minimum key size to 3072.
https://www.ssl.com/blogs/new-minimum-rsa-key-size-for-code-signing-certificates/
In addition to this, there were token limitations that necessitated moving to ECDSA (which was not the case for our eSigner service).
Some CAs (for consistency) were following Mozilla’s root store standards to issue P-384 signing keys using ECDSA with a SHA-384 signature.
https://github.com/cabforum/servercert/blob/main/docs/BR.md#71322-ecdsa
You can sign your driver with a non-EVCS certificate as long as an EVCS cert is associated with the Hardware Partner Center based on the wording found here.
You must have an EV certificate bound to your company to access submission features in the dashboard. To confirm the certificate that is used to identify your organization within the Partner Center, see Update a code signing certificate. After you sign in to Partner Center and you are ready to sign your submission, you can use either a standard code signing cert or an EV code signing cert. This is true for all operating system versions, not just Windows 10.
Microsoft has confirmed they will “be updating everyone once other algorithms are accepted (CA’s as well as driver developers).”
https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-drivers-signed-by-microsoft-for-multiple-windows-versions
If you have an EVCS cert with us and are still having issues with this, please reach out to our support team using support@ssl.com or via chat for assistance.
Sincerely,
Quentin Boyer
SSL.com Support
PS: for some people using HLK, it looks like it has an issue with ECDSA altogether (unconfirmed) and we do provide an OVCS that is able to be used with HLK.
PPS: I am not a developer but have worked with clients and Microsoft’s internal team to resolve this issue.
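
An added example, not part of the post above and not SSL.com or Microsoft code: a standard-library Python check that reads the signatureAlgorithm OID from a code signing certificate (PEM or DER) and reports which hash the issuing CA used to sign it. It assumes the "SHA-256 leaf" requirement quoted above refers to that field of the leaf certificate; the two sample byte strings are constructed skeletons, not real certificates.

```python
import base64

# signatureAlgorithm OIDs (RFC 4055, RFC 5758) mapped to the hash they use
SIG_HASH = {
    "1.2.840.113549.1.1.11": "SHA-256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "SHA-384",  # sha384WithRSAEncryption
    "1.2.840.10045.4.3.2": "SHA-256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "SHA-384",    # ecdsa-with-SHA384
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0  # enough for 0.x and 1.x roots
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_hash(cert):
    """Hash used in the signature on one certificate (PEM or DER bytes)."""
    if b"-----BEGIN" in cert:  # PEM: decode the first certificate only
        lines = cert.split(b"-----BEGIN")[1].split(b"-----END")[0].splitlines()[1:]
        cert = base64.b64decode(b"".join(lines))
    tag, start, _ = read_tlv(cert, 0)          # Certificate ::= SEQUENCE {
    _, _, tbs_end = read_tlv(cert, start)      #   tbsCertificate (skipped)
    _, alg_start, _ = read_tlv(cert, tbs_end)  #   signatureAlgorithm SEQUENCE
    oid_tag, s, e = read_tlv(cert, alg_start)  #     algorithm OID
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509 certificate")
    return SIG_HASH.get(decode_oid(cert[s:e]), "unknown OID")

# Constructed skeletons (empty TBS, algorithm OID, empty signature), not real certs
RSA_SHA256 = bytes.fromhex("3014 3000 300d 0609 2a864886f70d01010b 0500 030100")
ECDSA_SHA384 = bytes.fromhex("3011 3000 300a 0608 2a8648ce3d040303 030100")

def leaf_is_sha256(cert):
    return signature_hash(cert) == "SHA-256"
```

Run `leaf_is_sha256(open(path, "rb").read())` on the leaf certificate exported from the signing token or service before building the submission package; intermediates and the root do not need to pass, per the Microsoft statement quoted above.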