Need Help With Signing and HLKs

This discussion was created from comments split from: How to use .inf file of a driver to pass tests..

Hello everyone!
I really need your help to understand what changes were made in driver signing process in Microsoft. Please, help me!
I have to sign drivers for win7, win8, win8.1 and win10.

I will explain my steps, how I’m trying to do this thing.

  1. I have a certificate given to my company by DigiCert (Issued to: My_company_name, Issued by: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1); this is the last certificate in the chain (Root certificate: Issued to: DigiCert Trusted G4, Issued by: DigiCert Trusted G4. **Intermediate certificate:** Issued to: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, _Issued by:_ DigiCert Trusted G4).

  2. I sign the .sys with signtool: signtool.exe sign /v /sha1 “thumbprint_of_my_certificate” /tr http://timestamp.digicert.com /td sha256 /fd sha256 filePath - it is signed successfully, but when I try to verify this way: signtool.exe verify /v filePath - I get an error: SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. What does this error mean? Do I have the correct certificate? I tried to test the .sys and I installed my drivers on all systems. Everything is good for Windows 10, but I got an error on Windows 8. It’s written that the driver is unsigned, but it is signed with the certificate from the last step!

  3. Then I decided to pass the HCK tests (for win8), and I finished them. But on the last step I want to create a signed package .hckx; I choose Use the certificate store and my certificate. And now I have another problem! HCK Studio encountered a critical failure, in details: System.NotSupportedException: The certificate key algorithm is not supported. at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()

What am I doing wrong? What changes were made in 2021? Is this certificate from step 1 an EV one?

@Peter_Viscarola_(OSR) @Tim_Roberts please, I beg you so much!

There were HUGE changes made in 2021.

First, it has NEVER been possible to do what you describe in your “step 2”. You could never just sign your own driver by itself. Prior to Windows 10, you could sign your driver using the appropriate cross-certificate, and that would work fine. What changed in 2021 is that Microsoft unwisely terminated the cross-signing program. It is no longer possible to self-sign your drivers at all. You must get a Microsoft signature. You can do that through WHQL/HCK/HLK, or you can do “attestation signing”, which works for Windows 10.

However, for some reason, you got an SHA384 certificate (even though you specified sha256 on your command line). To my knowledge, that’s not supported by any driver signing path. They do SHA256 at most. I suspect that’s what HCK is complaining about. Kernel code-signing requirements are different from user-mode code-signing requirements. If you’re going to do driver signing in the future, you need an EV (“Extended Validation”) certificate, because that’s the only way to create the dashboard account you need to make WHQL or attestation submissions.

1 Like
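As an added illustration (my own script, not from either post), this PowerShell check pulls the details the reply points to out of an embedded-signed .sys: the signer certificate's signature algorithm and key, and the root the chain ends in on the local machine. The driver path is a placeholder; the thresholds in the two warnings simply restate what the reply says.

```powershell
# Added example, not from the original thread. Inspects a signed driver file
# and reports the properties discussed above. $DriverPath is a placeholder.
param([string]$DriverPath = 'C:\placeholder\driver.sys')

# Authenticode status as the local machine sees it (embedded signature only).
$sig = Get-AuthenticodeSignature -FilePath $DriverPath
"Status              : $($sig.Status) - $($sig.StatusMessage)"

$cert = $sig.SignerCertificate
if ($null -eq $cert) { Write-Warning 'No embedded Authenticode signature found.'; return }

# SignatureAlgorithm is the hash the CA used to sign this certificate
# (e.g. sha384RSA for the DigiCert G4 chain), not the /fd file digest.
"Signer              : $($cert.Subject)"
"Issuer              : $($cert.Issuer)"
"Cert sig. algorithm : $($cert.SignatureAlgorithm.FriendlyName)"

$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($null -ne $rsa) { "Key                 : RSA $($rsa.KeySize)-bit" }
else { "Key                 : $($cert.PublicKey.Oid.FriendlyName) (not RSA)" }

# Build the chain the way the default trust provider does, then show the root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$null = $chain.Build($cert)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Chain root          : $($root.Subject)"

# The two conditions the reply calls out.
if ($cert.SignatureAlgorithm.FriendlyName -match 'sha(384|512)') {
    Write-Warning 'Certificate is signed with SHA-384/512; driver signing paths support SHA-256 at most.'
}
if ($root.Subject -notmatch 'Microsoft') {
    Write-Warning 'Chain does not end in a Microsoft root; since 2021 kernel drivers need a Microsoft (WHQL/attestation) signature.'
}
```

Note that `signtool verify /v` without `/kp` applies the default Authenticode policy; `signtool verify /kp /v filePath` applies the kernel-mode driver signing policy, which is the check that matters for a .sys.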