@Alan_Adams said:
@john_smith1978 said:
I believe this all started with this post from Microsoft…
Lots of interesting information there, and I appreciate it being shared. At least to my reading, though, Entrust's info there ultimately leaves the main question unanswered, since our "big confusion" was not regarding the "Entrust.net Certification Authority (2048)" cross-certificate and the Entrust certificates it applied to.
The response confirms that all Entrust SHA-256 code signing certificates after 2015 are issued from CAs subordinate to the G2 CA. And we know the G2 CA does have a Microsoft cross-certificate that doesn't expire until 2025, which this response from Entrust also acknowledges: "G2 was also cross-certified by Microsoft".
Which continues to beg the question: If I have an extended-validation SHA-2 code signing certificate issued by Entrust in 2016 or later, does this work today with the Microsoft cross-certificate for Entrust G2? Which in turn would imply that it would continue to work beyond 2021?
It seems like after the "G2 was also cross-certified by Microsoft" statement, the Entrust response switched to "the Microsoft party line", in which Dev Center is the only answer, without addressing the fact that G2 still has a valid cross-certificate.
Maybe someone else reads that differently, as you also apparently did. Is there anything except Entrust’s statement of “If a customer wants to have kernel-mode code signing, then the code must be signed by both Microsoft and the customer…” that led to your conclusion of “all EV certificates that CAs issue will only be useful for submitting drivers in Microsoft Hardware dev center”?
Because that’s what seems to be currently missing from my reading of it. The “why” this would be true.
edit: Removed reference to organization-validation certificate, since Entrust.com confirms those do not support kernel-mode code signing.
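The practical form of the question above is whether a given signed driver's certificate chain actually contains the CA that a Microsoft cross-certificate was issued to. The following PowerShell script is an added example for this thread, not code from the original posts, Entrust or Microsoft. It takes a signed file and a cross-certificate (.cer) file as input (both paths are placeholders you supply), walks the signer's chain, and reports whether any CA in that chain is the one the cross-certificate covers, together with the cross-certificate's validity window. It only checks chain membership and dates; it does not tell you what the Microsoft signing policy will accept.

```powershell
# Added example (not from the thread): does a signed file's chain include the CA
# named in a Microsoft cross-certificate, and when does that cross-certificate expire?
# Assumptions: $SignedFile is any Authenticode-signed file (e.g. a .sys driver) and
# $CrossCertFile is the cross-certificate .cer for the CA in question, obtained separately.
param(
    [Parameter(Mandatory)] [string] $SignedFile,
    [Parameter(Mandatory)] [string] $CrossCertFile
)

$sig = Get-AuthenticodeSignature -FilePath $SignedFile
if (-not $sig.SignerCertificate) {
    throw "No Authenticode signer certificate found in $SignedFile (status: $($sig.Status))"
}
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)'; continuing to inspect the chain anyway."
}

# The cross-certificate's Subject is the CA it cross-certifies; its Issuer is the
# Microsoft root it chains that CA to. Both are printed rather than hard-coded.
$cross = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CrossCertFile
Write-Host ("Cross-certificate subject: {0}" -f $cross.Subject)
Write-Host ("Cross-certificate issuer:  {0}" -f $cross.Issuer)
Write-Host ("Cross-certificate valid:   {0:u} to {1:u}" -f $cross.NotBefore, $cross.NotAfter)

# Build the signer's ordinary chain from the local store. Revocation checking is
# disabled so the check also works offline; it is not a substitute for signtool verify.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$null = $chain.Build($sig.SignerCertificate)

$elements = $chain.ChainElements | ForEach-Object { $_.Certificate }
Write-Host "Signer chain as built on this machine:"
foreach ($c in $elements) {
    Write-Host ("  {0}" -f $c.Subject)
    Write-Host ("      issued by {0}, valid until {1:u}" -f $c.Issuer, $c.NotAfter)
}

# A cross-certificate carries the same subject DN and the same public key as the
# CA certificate it duplicates, so match on both rather than on the display string.
$crossSubjectRaw = [Convert]::ToBase64String($cross.SubjectName.RawData)
$crossKey = $cross.GetPublicKeyString()
$matched = $elements | Where-Object {
    [Convert]::ToBase64String($_.SubjectName.RawData) -eq $crossSubjectRaw -and
    $_.GetPublicKeyString() -eq $crossKey
} | Select-Object -First 1

$now = Get-Date
if ($matched) {
    Write-Host ("RESULT: the cross-certificate covers a CA in this chain: {0}" -f $matched.Subject)
    if ($now -gt $cross.NotAfter) {
        Write-Host ("        but the cross-certificate EXPIRED on {0:u}" -f $cross.NotAfter)
    } else {
        Write-Host ("        cross-certificate remains valid until {0:u}" -f $cross.NotAfter)
    }
} else {
    Write-Host "RESULT: no CA in this chain matches the cross-certificate's subject and public key."
}
```

Run it as `.\Check-CrossCert.ps1 -SignedFile .\driver.sys -CrossCertFile .\crosscert.cer` (file names are placeholders). A positive result means the cross-certificate is applicable to the chain and shows how long it is valid for; whether a given Windows version will accept that path for kernel-mode loading is a separate policy question that the script does not decide.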
Hi Alan,
Yeah, their answer confused me as well, and I am still not really sure whether I got my answer or not. Although they did emphasize that we have to go through the Microsoft hardware lab to sign drivers from now on, so again, very confusing.
I suggest other people start contacting them as well; maybe if enough people start asking them questions, they will clarify things once and for all…