Driver signing changes coming next year

Hello,

Last week I came across this link:

https://knowledge.digicert.com/alerts/Kernel-Mode.html

It suggests that as of April 2021 the notion of cross-signing certs will no longer be supported. Instead, all signing will be performed by Microsoft. As we all know, currently, the process involves signing a binary locally with our own cert, then uploading the file to Microsoft’s portal where it gets a second signature from Microsoft. During the initial portal setup, we have to sign a test binary with our local cert, but that local cert is never directly given to Microsoft.

Does anyone know how all of this will work after April 2021? I recently renewed my cert for 3 years but was able to get the cert provider to issue a partial refund for 2 years' worth. They told me “Microsoft has not yet disclosed how this will work, but it won’t involve a cert from us”. Is that true?

-JT

Microsoft announced this last summer, and we raised a hue and cry in this forum. I ASSUME the policy will be rescinded based on negative industry feedback, but I have not heard a follow-up. Unless they change the attestation process so that it signs for older operating systems, the policy they have announced is unworkable. It would prevent us from releasing binaries for systems prior to Windows 10.

Technically speaking, you don’t have to sign your binary before submitting it to Microsoft. You don’t get a second signature – they replace yours with theirs. You DO have to sign the cabinet that you submit, and that certificate has to be one that is registered with your dashboard account. And, of course, you need an EV cert to create and maintain your dashboard account. So, you will still require an EV certificate, even if this goes into place.

Thanks for responding, Tim.

I’m not clear on what you mean by “you don’t get a second signature - they replace yours with theirs”. I see that happening on the .cat file since it is a non-PE file which can only contain a single signature. But on the .sys, the version I download after the attestation signing completes has both my signature and Microsoft’s. Did I misunderstand your comment?

-JT

The CAT file can handle multiple chains, but they throw away your CAT file and build a brand new one. You don’t actually have to include one in your package, just like you don’t have to sign the binaries. I didn’t remember that they left the binary signatures either, but perhaps I misremembered.
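The check JT describes, comparing what comes back from attestation signing, can be scripted. The following stdlib-only Python is an added example, not code from this thread: it walks a PE file's certificate table and counts the Authenticode SignedData structures inside (a nested second signature, as signtool stores it, counts as a second signature), and the same counter works on a raw .cat file; the PE skeleton it builds is a constructed sample input, and the count is a heuristic that validates nothing, so the real check is still signtool verify /kp /all on the downloaded files.

```python
import struct
# Every Authenticode SignedData contains OID 1.3.6.1.4.1.311.2.1.4 twice (content
# type and signer attribute), so occurrences // 2 counts signatures (no validation).
SPC_INDIRECT_DATA_OID = bytes.fromhex("060a2b060104018237020104")
SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY
def count_signed_data(pkcs7: bytes) -> int:
    """Signatures in a raw PKCS#7 blob; also usable directly on a .cat file."""
    return pkcs7.count(SPC_INDIRECT_DATA_OID) // 2

def security_directory(pe: bytes):
    """Return (file offset, size) of a PE image's certificate table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24  # past the 4-byte signature and 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32 data directories
    return struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR_INDEX)

def count_signatures(pe: bytes) -> int:
    """Walk every 8-byte-aligned WIN_CERTIFICATE entry and sum the signatures."""
    off, size = security_directory(pe)
    end, total = off + size, 0
    while off + 8 <= end:
        length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)
        if length < 8:
            break  # malformed entry: stop instead of looping forever
        if cert_type == 0x0002:  # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            total += count_signed_data(pe[off + 8:off + length])
        off += (length + 7) & ~7
    return total

def build_fake_pe(pkcs7_blobs) -> bytes:
    """Constructed sample input: a bare PE32+ skeleton with a certificate table."""
    table = b""
    for blob in pkcs7_blobs:
        entry = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        table += entry + b"\0" * (-len(entry) % 8)
    hdr = bytearray(0x40 + 24 + 240)  # DOS stub, PE+COFF headers, optional header
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew
    struct.pack_into("<H", hdr, 0x40 + 24, 0x20B)  # PE32+ magic
    struct.pack_into("<II", hdr, 0x40 + 24 + 112 + 8 * SECURITY_DIR_INDEX, len(hdr), len(table))
    return bytes(hdr) + table
# Constructed stand-ins: a dual-signed .sys (second SignedData nested in the first) and a single-signed one.
ONE_SIG = SPC_INDIRECT_DATA_OID * 2
DUAL_SIGNED_SYS = build_fake_pe([ONE_SIG + b"nested:" + ONE_SIG])
SINGLE_SIGNED_SYS = build_fake_pe([ONE_SIG])
```

On a real driver, read the .sys bytes and call count_signatures, or read the .cat bytes and call count_signed_data, then confirm the chains with signtool.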