@“Peter_Viscarola_(OSR)” said:
That appears to be the case, yes.
I’m working feverishly to pull together a post on the state of cross signing for down-level OS support (such as Win 7) to follow up what I wrote back in October.
Of course this doesn’t help you on Win 10.
Stay tuned,
Peter
Hi Peter
I came upon this thread, and it got me really confused, so I contacted Entrust, and it seems like this in fact is not true, and Entrust just like other CAs will not be able to give code signing EV certificates that can be used to cross sign drivers until 2025, and no matter what it seems like everyone will have to go through Microsoft Hardware Dev center to get their drivers signed, but please correct me if I’m wrong. This is the answer that I got:
"""""
I believe this all started with this post from Microsoft, https://docs.microsoft.com/en-us/windows-hardware/drivers/install/deprecation-of-software-publisher-certificates-and-commercial-release-certificates. This post calls out a cross-certificate to root Entrust.net Certification Authority (2048) which expires 15 April 2021. The issuing CA was L1D, which stopped issuing certificates at the end of 2016 due to SHA-1 issues. Those certificates did have a kernel-mode EKU. All of those certificates have expired, so kernel-mode code signing has already stopped.
Since mid-2015 all SHA-2 code signing certificates are issued from our OVCS or EVCS issuing CAs. These issuing CAs are subordinate to our G2 CA cert. G2 was also cross-certified by Microsoft. If a customer wants to have kernel-mode code signing, then the code must be signed by both Microsoft and the customer using an EV Code Signing certificate, see https://docs.microsoft.com/en-us/security/trusted-root/program-requirements#f-windows-10-kernel-mode-code-signing-kmcs-requirements. More details are found here, https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/.
All of this is not new, but I assume that Microsoft put out the notice to kill the old kernel-mode code signing. This did not impact Entrust, since we had already stopped issuing the certificates and they should have been expired at the notice time.
Note, we only started issuing EV Code Signing certificates in 2015 to allow our customers to submit code to Microsoft for kernel-mode signing.
"""""
So it seems like all EV certificates that CAs issue will only be useful for submitting drivers in Microsoft Hardware dev center, and nothing more (in terms of kernel driver loading), but if anyone knows anything else, please let me know.