Author Topic: Signing 64 Bit Driver with SHA-2 certificate  (Read 6231 times)

Offline pkhach

  • Newbie
  • *
  • Posts: 1
Signing 64 Bit Driver with SHA-2 certificate
« on: October 10, 2014, 10:56:03 PM »
I am a bit confused.

While ordering the certificate I was advised to select the SHA-2 certificate because Microsoft will deprecate SHA-1 soon.

But this certificate does not work with a Windows 64-bit driver, although your cross-certificates are listed on the Microsoft website in the new cross-certificate list (AddTrust External CA Root and UTN-USERFirst-Object).
http://msdn.microsoft.com/en-us/library/windows/hardware/dn170454%28v=vs.85%29.aspx

Now your support team is asking me to re-order the SHA-1 certificate instead of SHA-2.

I don't know what to do...  :-[

Offline Sal Amander

  • Comodo's Hero
  • *****
  • Posts: 742
Re: Signing 64 Bit Driver with SHA-2 certificate
« Reply #1 on: October 14, 2014, 10:31:15 AM »
> I am a bit confused.
>
> While ordering the certificate I was advised to select the SHA-2 certificate because Microsoft will deprecate SHA-1 soon.
>
> But this certificate does not work with a Windows 64-bit driver, although your cross-certificates are listed on the Microsoft website in the new cross-certificate list (AddTrust External CA Root and UTN-USERFirst-Object).
> http://msdn.microsoft.com/en-us/library/windows/hardware/dn170454%28v=vs.85%29.aspx
>
> Now your support team is asking me to re-order the SHA-1 certificate instead of SHA-2.
>
> I don't know what to do...  :-[

I'm sorry for the confusion, but it's unfortunately out of any CA's hands. As far as we're aware, Microsoft does not (yet) support SHA-2 for Windows Vista or 7 on Kernel Mode Drivers. SHA-1 is the only option at this time if you wish to sign drivers.

See this post from Kelvin Yiu (from Microsoft) on the CA/Browser Forum public archives for proof: https://cabforum.org/pipermail/public/2014-April/003182.html

Offline Sal Amander

  • Comodo's Hero
  • *****
  • Posts: 742
Re: Signing 64 Bit Driver with SHA-2 certificate
« Reply #2 on: October 15, 2014, 04:30:03 PM »
Yesterday was "Patch Tuesday" and Microsoft released an update so that SHA-2 signed certificates now work with Windows 7 & Server 2008/R2 and Kernel Mode Code Signing (KMCS) -- https://technet.microsoft.com/en-us/library/security/2949927.aspx

Edit: Seems Microsoft pulled the update 3 days later on 17 October with no further update.
« Last Edit: November 06, 2014, 11:35:09 AM by Sal Amander »

Offline faustinobsd

  • Newbie
  • *
  • Posts: 1
Re: Signing 64 Bit Driver with SHA-2 certificate
« Reply #3 on: May 18, 2015, 03:40:02 PM »
Hi, I have the same issue with a SHA256 certificate. It seems Microsoft already made a KB patch, but as I am distributing my software worldwide, I can't ensure that my users have Windows 7 updated.
Will Comodo issue a SHA1 certificate to me?

Thanks

Offline Aftn

  • Newbie
  • *
  • Posts: 2
Re: Signing 64 Bit Driver with SHA-2 certificate
« Reply #4 on: December 27, 2015, 02:36:51 AM »
> Hi, I have the same issue with a SHA256 certificate. It seems Microsoft already made a KB patch, but as I am distributing my software worldwide, I can't ensure that my users have Windows 7 updated.
> Will Comodo issue a SHA1 certificate to me?
>
> Thanks

Which Microsoft KB patch, or something else, currently solves the issue with the SHA256 Kernel Mode Code Signing (KMCS) certificate for Windows 7?

Update:
Is it this one: https://technet.microsoft.com/en-us/library/security/3033929 ?
But it has bad reviews for causing cyclic rebooting.
« Last Edit: December 27, 2015, 07:56:23 AM by Aftn »

 
