OK, finally we’ve managed to get the new certificate. As promised, here are the details.
First, I was mightily surprised to see that they sent us the cert not on a token, but as a set of private/public key files. I thought EV was supposed to run only from a non-exportable token. Apparently, there is no such requirement. (And, yes, according to the certificate policy OIDs 2.23.140.1.3 and 2.16.840.1.114028.10.1.2, this is an EV; and it was accepted by the MS Dashboard, although I have not sent any submission yet.)
Second, and more important, the cross-certificate is, indeed, valid and active till 2025. They even attached this cross-certificate file in the archive they’ve sent us, and it’s completely identical to the one we can download from the MS site. I’ve tried signing some PNP driver and its catalog file, and installed it into Windows 7. Upon installation I’ve got a red warning about an untrusted signature (apparently, because Entrust wasn’t present in my root CA storage), but after confirming, installation finished successfully, and the driver was loaded by the kernel. Just in case, I also tried signing the driver+CAT without a cross-certificate, and, as expected, the kernel refused to load the driver.
Here is the output of signtool verify /kp /v driver.sys (I edited out our company name and the leaf certificate’s thumbprint):

    Signing Certificate Chain:
        Issued to: Entrust Root Certification Authority - G2
        Issued by: Entrust Root Certification Authority - G2
        Expires:   Sat Dec 07 20:55:54 2030
        SHA1 hash: 8CF427FD790C3AD166068DE81E57EFBB932272D4

            Issued to: Entrust Extended Validation Code Signing CA - EVCS1
            Issued by: Entrust Root Certification Authority - G2
            Expires:   Sun Nov 10 17:12:49 2030
            SHA1 hash: 64B8F1EDEF40D7D28602B6B9171AFF114E12A646

                Issued to: [COMPANY NAME REDACTED]
                Issued by: Entrust Extended Validation Code Signing CA - EVCS1
                Expires:   Tue Apr 23 19:07:18 2024
                SHA1 hash: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    The signature is timestamped: Fri Apr 23 21:11:05 2021
    Timestamp Verified by:
        Issued to: DigiCert Assured ID Root CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Mon Nov 10 03:00:00 2031
        SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

            Issued to: DigiCert SHA2 Assured ID Timestamping CA
            Issued by: DigiCert Assured ID Root CA
            Expires:   Tue Jan 07 15:00:00 2031
            SHA1 hash: 3BA63A6E4841355772DEBEF9CDCF4D5AF353A297

                Issued to: DigiCert Timestamp 2021
                Issued by: DigiCert SHA2 Assured ID Timestamping CA
                Expires:   Mon Jan 06 03:00:00 2031
                SHA1 hash: E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3

    Cross Certificate Chain:
        Issued to: Microsoft Code Verification Root
        Issued by: Microsoft Code Verification Root
        Expires:   Sat Nov 01 16:54:03 2025
        SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

            Issued to: Entrust Root Certification Authority - G2
            Issued by: Microsoft Code Verification Root
            Expires:   Mon Jul 07 23:55:49 2025
            SHA1 hash: D8FC248748585E173EFBFB3075C4B4D60F9D8D08

                Issued to: Entrust Extended Validation Code Signing CA - EVCS1
                Issued by: Entrust Root Certification Authority - G2
                Expires:   Sun Nov 10 17:12:49 2030
                SHA1 hash: 64B8F1EDEF40D7D28602B6B9171AFF114E12A646

                    Issued to: [COMPANY NAME REDACTED]
                    Issued by: Entrust Extended Validation Code Signing CA - EVCS1
                    Expires:   Tue Apr 23 19:07:18 2024
                    SHA1 hash: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Of course, by now we know that we cannot use cross-signing after July 1 for public distribution, and that a few interesting workarounds have been found for loading drivers on the older systems. But still it’s good to know that the Entrust certificate works fine. At the very least it gives us a couple more months of standard cross-signing.
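The point of the signtool output above is the second, "Cross Certificate Chain" section: without it the kernel refused the driver, and its weakest link (the Microsoft-issued Entrust cross-cert) expires in July 2025. The following is an added example, not code from the post or from Entrust or Microsoft: a small parser for the `signtool verify /v` text format that pulls out both chains and reports whether a cross-chain rooted at "Microsoft Code Verification Root" is present and still valid on a given date, so a build pipeline can flag the expiry ahead of time. The sample input is a constructed, abbreviated excerpt in the shape of the output shown above.

```python
import re
from datetime import datetime

# Constructed excerpt in the shape of the `signtool verify /kp /v` output quoted above.
SAMPLE = """\
Signing Certificate Chain:
    Issued to: Entrust Root Certification Authority - G2
    Issued by: Entrust Root Certification Authority - G2
    Expires:   Sat Dec 07 20:55:54 2030
    SHA1 hash: 8CF427FD790C3AD166068DE81E57EFBB932272D4

Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 16:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

    Issued to: Entrust Root Certification Authority - G2
    Issued by: Microsoft Code Verification Root
    Expires:   Mon Jul 07 23:55:49 2025
    SHA1 hash: D8FC248748585E173EFBFB3075C4B4D60F9D8D08
"""
FIELD = re.compile(r"^(Issued to|Issued by|Expires|SHA1 hash):\s*(.+)$")
MS_ROOT = "Microsoft Code Verification Root"

def parse_chains(text):
    """Group each 'Issued to/by, Expires, SHA1 hash' block under its chain heading."""
    chains, current, cert = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        m = FIELD.match(line)
        if line.endswith("Certificate Chain:"):
            chains[line[:-1]] = current = []      # e.g. "Cross Certificate Chain"
        elif m and current is not None:
            key, value = m.groups()
            if key == "Issued to":                # first field of a new certificate
                cert = {}
                current.append(cert)
            cert[key] = datetime.strptime(value, "%a %b %d %H:%M:%S %Y") if key == "Expires" else value
    return chains

def cross_chain_status(chains, as_of):
    """(ok, reason): cross-chain present, rooted at the MS root and unexpired on as_of (ISO date)?"""
    cross = chains.get("Cross Certificate Chain")
    if not cross:
        return False, "no cross-certificate chain; the kernel will refuse the driver"
    if cross[0]["Issued to"] != MS_ROOT or cross[0]["Issued by"] != MS_ROOT:
        return False, "cross chain is not rooted at " + MS_ROOT
    soonest = min(cross, key=lambda c: c["Expires"])   # weakest link decides the deadline
    if soonest["Expires"] <= datetime.fromisoformat(as_of):
        return False, "%s expired on %s" % (soonest["Issued to"], soonest["Expires"].date())
    return True, "cross chain valid until %s" % soonest["Expires"].date()
```

Feed it the captured output of `signtool verify /kp /v driver.sys` and today's date; a missing or expired cross-chain is exactly the case where the kernel refused to load the driver in the test above.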