Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results


Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging

The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.

Check out The OSR Learning Library at:

Future changes to code signing certificate issuance

Alan_AdamsAlan_Adams Member - All Emails Posts: 30

Not a driver development issue per se, but just a heads-up for changes we can expect to see in the not-too-distant future regarding the signing we do for drivers.

This latest Ballot CSC-13 is advancing that the HSM (hardware security module) requirement will now be for "all" code signing certificates, starting with new certificates issued after November 15, 2022, and no longer limited to just EV certificates.

Currently on the Microsoft Partner Portal we're allowed to associate "normal code signing certificates" in addition to "EV code-signing certificates". Several of us had leveraged this "normal code signing certificate" association capability in order to continue using them as part of our actual product build and signing automation. Due to there being less limitations in making the private key available to the signing automation, as compared to the EV certificate which required physical attachment or other secured access to the HSM-stored certificate keys.

So if you hadn't already started designing your build or signing automation to depend on pulling the code signing certificate from an HSM, now might be the time to start.

Meaning, if you are already signing your submissions and/or product using your EV certificate, presumably "no further change needed." Since EV certificates are already required to be on an HSM, and your signing process is already dealing with those limitations.

But if you had been continuing to leverage a non-EV-based signing process which used software-only private key storage, that approach likely isn't going to continue working after your next certificate renewal. Because even non-EV code signing certificates will be required to issue and access through HSM-based devices.

Note this is not a statement of "you must begin using EV certificates for code signing." This is just saying that one of the current practical differences between an EV code signing certificate and a non-EV code signing certificate will be going away, and both types will be "just as difficult to use" as part of your signing process. For reasons which are intended to protect your code-signing certificate from compromise, of course.


  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,996

    Thank you, Mr. @Alan_Adams ... That's very helpful.

    It's difficult for me to understand why the HSM requirement would be applied to "all" code signing certificates. This creates a really major hardship for distributed development organizations. It's just mind-boggling to me... don't folks who are approving this know anybody who works at a large, distributed, corporation where sending your eToken around via UPS isn't a very workable plan?

    Or maybe I don't understand the fullness of how an HSM can be leveraged remotely.

    Regardless... thanks Mr. Adams.


    Peter Viscarola

  • Dejan_MaksimovicDejan_Maksimovic Member - All Emails Posts: 467
    via Email
    Big companies have remotd HSM use worked in long time ago.
    I had to implement one such in a company that barely uses signing.
    But it was minimalistic! It just had to satisfy Security dpt, not much in
    terms of usability at all.

    Current company has remote signing automated already, for a decade I reckon.
  • Alan_AdamsAlan_Adams Member - All Emails Posts: 30

    Agreed, and we too have had "remote signing" automated for quite some time, too. But it had never involved or required an HSM to do it, until now in the near future.

    We could have been using an HSM all this time, but since it wasn't required, we didn't take the extra step. Our need to sign with the EV certificate has been minimal, and was simply performed manually whenever UEFI signing, LSA shim signing or an updated SignableFile.bin was needed for the portal.

    Now we essentially just have to decide whether to plug stand-alone HSMs locally into each of the cluster nodes backing our remote signing services, versus standing up a networked HSM in several geographic locations for those nodes to utilize instead. But no change for the end-users of those remote signing services, either way.

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Writing WDF Drivers 12 September 2022 Live, Online
Internals & Software Drivers 23 October 2022 Live, Online
Kernel Debugging 14 November 2022 Live, Online
Developing Minifilters 5 December 2022 Live, Online