Query on Code signing certificate for Kernel mode drivers (32/64 bit)

  • Question

  • Hi,

    We are procuring a code signing certificate for signing User mode and Kernel Mode (32/64 bit device drivers) software for all Windows OS versions.

    Target Platform: Windows 7, 8, 10, Windows Server 2012, Server 2016 and Server 2019

    Code signing certificates can be based on the SHA1 or SHA256 standard.
    As per information from the net, SHA256 needs to be used for code signing and SHA1 will be obsolete.

    We are targeting all Windows platforms starting with Windows 7.
    Please advise which Code signing Certificate to take, i.e. SHA1 or SHA256.

    Thanks,

    Raphel

    Tuesday, October 1, 2019 7:36 AM

Answers

  • The recommendation is to sign with SHA256, since Win7 with patch also supports SHA256, and SHA1 is being deprecated.
    Tuesday, October 1, 2019 9:22 PM
    Moderator
  • If you intend to distribute drivers for Windows 10, then there is no choice.  You must procure an EV (extended validation) certificate so you can create a Microsoft Hardware Dashboard account.  You cannot sign your own drivers; they must be signed by Microsoft, either through the WHQL process or through "attestation signing".  Both of those are done through the Hardware Dashboard.

    All EV certificates are SHA256.


    Tim Roberts | Driver MVP Emeritus | Providenza & Boekelheide, Inc.

    Wednesday, October 2, 2019 4:29 AM

All replies

  • Thanks Cymon.

    I could understand that SHA256 is recommended from Windows 7 (with patch) and later operating systems.

    And you mentioned that SHA1 is being deprecated. So can we use SHA1 still?

    Please let me know whether I can use a SHA1 certificate for signing in Windows 7 and later versions?

    Thanks in advance.

    Thursday, October 3, 2019 6:00 AM