
Windows kernel mode signing changes and customer requirements for kernel signing

Problem

In the past, Microsoft provided specific cross-certificates for each Certificate Authority that issues SPCs (Software Publisher Certificates) suitable for signing kernel-mode code[1]. Since 2021, Microsoft has been the sole provider of kernel-mode code signatures. Microsoft's Trusted Root Program no longer supports root certificates that have kernel-mode signing capabilities[2].

Summary

This article provides answers to frequently asked questions about kernel-mode signing for Windows.


Please note: although the “Entrust Root Certification Authority – G2” is still listed on Microsoft’s cross-certificate list, Entrust does not issue certificates that support kernel-mode signing.

Entrust provides attestation signing [3], which requires the use of an Entrust EV Codesigning Certificate in order to submit the driver to Microsoft's Partner Center (also known as Hardware Dev Center Dashboard).

Further links:

Step-by-step guide provided by Microsoft:

https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate

Attestation signing a kernel driver for public release:

https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release

Microsoft’s Partner Center to create and manage driver submissions:

https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/

Windows 10 Kernel Mode Code Signing (KMCS) Requirements:

https://docs.microsoft.com/en-us/security/trusted-root/program-requirements#f-windows-10-kernel-mode-code-signing-kmcs-requirements


[1] https://docs.microsoft.com/en-us/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing#cross-certificate-list

[2] https://docs.microsoft.com/en-us/windows-hardware/drivers/install/deprecation-of-software-publisher-certificates-and-commercial-release-certificates

[3] https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release