
Windows kernel mode signing changes and customer requirements for kernel signing

Problem

In the past, Microsoft provided specific cross-certificates for each Certificate Authority that issued SPCs (Software Publisher Certificates) suitable for signing kernel-mode code[1]. Since 2021, Microsoft has been the sole provider of kernel-mode code signatures. Microsoft's Trusted Root Program no longer supports root certificates that have kernel-mode signing capabilities[2].

Summary

This article provides answers to frequently asked questions about kernel-mode signing for Windows.


Please note that although the “Entrust Root Certification Authority – G2” is still listed on Microsoft’s cross-certificate list, Entrust does not issue certificates which support kernel-mode signing.

Entrust provides attestation signing [3], which requires the use of an Entrust EV Codesigning Certificate in order to submit the driver to Microsoft's Partner Center (also known as Hardware Dev Center Dashboard).

Further links:

Step-by-Step Guide provided by Microsoft:

https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate

Attestation signing a kernel driver for public release:

https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release

Microsoft’s partner center to create and manage driver submissions:

https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/

Windows 10 Kernel Mode Code Signing (KMCS) Requirements:

https://docs.microsoft.com/en-us/security/trusted-root/program-requirements#f-windows-10-kernel-mode-code-signing-kmcs-requirements


[1] https://docs.microsoft.com/en-us/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing#cross-certificate-list

[2] https://docs.microsoft.com/en-us/windows-hardware/drivers/install/deprecation-of-software-publisher-certificates-and-commercial-release-certificates

[3] https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release