SHA-384 kernel mode driver signing issue

In response to a few threads, without necroposting, see below.
https://community.osr.com/discussion/292981/for-a-windows-10-submission-the-input-package-and-the-included-files-must-be-signed-with-sha256-sig#latest
https://community.osr.com/discussion/comment/302150/#Comment_302150

Microsoft has clarified that at this time “The Windows Hardware Partner Center only accepts SHA-256 leaf certificates when validating the signature on the driver package. The limitation only applies to the leaf [client] certificate, as higher algorithms can be used for other certificates along the chain.”

SSL.com has addressed this by using one of our other Intermediate certs that use SHA-256 to sign the leaf certificate and have replaced any certificate we are aware of that was impacted by this issue.

There was a CA/B Forum Baseline Requirements change that required all CAs to increase the minimum key size to 3072.
https://www.ssl.com/blogs/new-minimum-rsa-key-size-for-code-signing-certificates/

In addition to this, there were token limitations that necessitated moving to ECDSA (which was not the case for our eSigner service).

Some CAs (for consistency) were following Mozilla’s root store standards to issue p-384 signing keys using ECDSA with a SHA-384 signature.
https://github.com/cabforum/servercert/blob/main/docs/BR.md#71322-ecdsa

You can sign your driver with a non-EVCS certificate as long as an EVCS cert is associated with the Hardware Partner Center based on the wording found here.

You must have an EV certificate bound to your company to access submission features in the dashboard. To confirm the certificate that is used to identify your organization within the Partner Center, see Update a code signing certificate. After you sign in to Partner Center and you are ready to sign your submission, you can use either a standard code signing cert or an EV code signing cert. This is true for all operating system versions, not just Windows 10.

Microsoft has confirmed they will “be updating everyone once other algorithms are accepted (CA’s as well as driver developers).”
https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-drivers-signed-by-microsoft-for-multiple-windows-versions

If you have an EVCS cert with us and are still having issues with this, please reach out to our support team using support@ssl.com or via chat for assistance.

Sincerely,

Quentin Boyer
SSL.com Support

PS: for some people using HLK, it looks like it has an issue with ECDSA altogether (unconfirmed) and we do provide an OVCS that is able to be used with HLK.
PSS: I am not a developer but have worked with clients and Microsoft’s internal team to resolve this issue.

2 Likes

Hmmmmm… I’m going to allow this post, as it’s helpful. But it does run right up to the borderline of what we’d define as “commercial.”

Better etiquette, Mr. @QuentinSSL, would have been for you to email one of us in advance to ask if your post was OK.

Peter

1 Like

Noted Sir.

(and I do appreciate the definitive information… It’s always difficult out here in the community when we are left to guess. So, points for that, thanks.)

1 Like

@QuentinSSL said:
for some people using HLK, it looks like it has an issue with ECDSA altogether…

So basically a disclaimer that you expect some (or even all) customers that purchase your ev cert and try to use it with the HLK may fail to get it to work and ultimately must contact you to request and submit an OV cert for this task that should do the job. That does not sound nearly as smooth as what other providers offer.

Umm … no. @QuentinSSL is stating the current progress that they have made in resolving this issue with MS, which I’ve read that others are facing, and the tactic that they used to make said forward progress. If I had a cert with company X and had the same problem I would cc: them Mr @QuentinSSL’s post and tell them to use the same tactic …

Remember, at the end of the day a) we need to be able to sign drivers and b) MS is notorious for changing the rules, playing field, goalpost locations and venues for this game. If another company has found a way to successfully accomplish a) after another MS b) surprise then I really don’t care what I need to do; buy a new cert, sacrifice a small animal, do the “crab dance”, whatever …

I personally appreciate the information that Mr. @QuentinSSL provided …

1 Like

For the three clients of ours that have reported issues with HLK signing, the message from HLK only indicates “unable to use the selected certificate to sign the package”. When using Event Viewer, the related event is “Could not create submission package - Failed to create signing key.” This does not give conclusive evidence as to why they are having issues.

They are able to sign .bin files and other files with their EVCS certificate using signtool.

I have suspicions but need confirmation beyond my expertise.
I have asked them to open a ticket with HLK support team to dig deeper.
These three reports only cropped up in the past couple weeks.

In the meantime, those affected have a path forward using a method that is acceptable to Microsoft.

1 Like

I’m just now running into this - if anyone is curious the error is much more obvious from the HCK which reports the following message “System.NotSupportedException: The certificate key algorithm is not supported.” plus a stack trace (less useful). I’m making a bit of a guess that the HLK errors in this thread are the same as the HCK errors.

1 Like
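Two facts from this thread are worth checking on your own signed driver before submitting: the first post quotes Microsoft saying Partner Center validates only a SHA-256-signed leaf certificate (higher algorithms are fine further up the chain), and the later HLK/HCK reports point at ECDSA leaf keys ("The certificate key algorithm is not supported"). The PowerShell script below is an added example, not code from the thread, SSL.com or Microsoft. It reads the Authenticode signer of a file you name (the path is an assumed input), walks the chain, prints the signature algorithm and key algorithm of every certificate, and warns if the leaf is not SHA-256-signed or carries an ECDSA key. The OID table holds the standard PKIX algorithm identifiers; the "RSA"/"ECC" friendly names are those Windows reports.

```powershell
# Added example: inspect the Authenticode signing chain of a driver file and
# flag the two conditions discussed in the thread. Not code from the thread,
# SSL.com or Microsoft; the file path is an assumed input.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # e.g. .\driver.sys or .\driver.cat (assumed path)
)

# Signature algorithm OIDs whose hash is SHA-256 (standard PKIX values).
$Sha256SigOids = @{
    '1.2.840.113549.1.1.11' = 'sha256RSA'
    '1.2.840.10045.4.3.2'   = 'sha256ECDSA'
}
$EccKeyOid = '1.2.840.10045.2.1'   # id-ecPublicKey

function Get-KeySize([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # PublicKey.Key throws for ECC keys on Windows PowerShell, so use the typed accessors.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($rsa) { return $rsa.KeySize }
    $ec = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($Cert)
    if ($ec) { return $ec.KeySize }
    return $null
}

$sig = Get-AuthenticodeSignature -FilePath $Path
if (-not $sig.SignerCertificate) {
    Write-Warning "No Authenticode signer on ${Path} (status: $($sig.Status))"
    return
}

# Build the chain offline; only the algorithms matter here, not revocation status.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($sig.SignerCertificate)

# Element 0 is the leaf (signer); the last element is the root.
$report = foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    [pscustomobject]@{
        Subject  = $c.Subject
        SigAlg   = $c.SignatureAlgorithm.FriendlyName   # algorithm the ISSUER used to sign this cert
        SigOid   = $c.SignatureAlgorithm.Value
        KeyAlg   = $c.PublicKey.Oid.FriendlyName        # "RSA" or "ECC" on Windows
        KeyBits  = Get-KeySize $c
        NotAfter = $c.NotAfter
    }
}
$report | Format-Table -AutoSize

$leaf = $chain.ChainElements[0].Certificate
if (-not $Sha256SigOids.ContainsKey($leaf.SignatureAlgorithm.Value)) {
    $msg = 'Leaf certificate is signed with {0}; per the thread, Partner Center only accepts a SHA-256-signed leaf (stronger algorithms are fine on intermediates and root).'
    Write-Warning ($msg -f $leaf.SignatureAlgorithm.FriendlyName)
}
if ($leaf.PublicKey.Oid.Value -eq $EccKeyOid) {
    Write-Warning "Leaf uses an ECDSA key; HLK/HCK users in this thread report 'certificate key algorithm is not supported' with such certificates."
}
```

Run it as `.\Check-DriverSigner.ps1 -Path .\driver.cat` in Windows PowerShell 5.1 or PowerShell 7 on Windows. A chain whose intermediate or root shows sha384RSA or sha384ECDSA while the leaf shows sha256RSA is exactly the arrangement the first post describes as accepted; a leaf row reading sha384ECDSA with KeyAlg ECC is the combination the thread associates with both the Partner Center rejection and the HLK/HCK failure.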