Problem
In the past, Microsoft provided specific cross-certificates for each Certificate Authority that issues SPCs (Software Publisher Certificates) suitable for signing kernel-mode code[1]. Since 2021, Microsoft has been the sole provider of kernel-mode code signatures. Microsoft’s Trusted Root Program no longer supports root certificates that have kernel-mode signing capabilities[2].
Summary
This article provides answers to frequently asked questions about kernel-mode signing for Windows.
Please note that although the “Entrust Root Certification Authority – G2” is still listed on Microsoft’s cross-certificate list, Entrust does not issue certificates that support kernel-mode signing.
Entrust provides attestation signing [3], which requires the use of an Entrust EV Codesigning Certificate in order to submit the driver to Microsoft’s Partner Center (also known as Hardware Dev Center Dashboard).
Further links:
Step-by-Step Guide provided by Microsoft:
https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate
Attestation signing a kernel driver for public release:
Microsoft’s partner center to create and manage driver submissions:
https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/
Windows 10 Kernel Mode Code Signing (KMCS) Requirements:
[1] https://docs.microsoft.com/en-us/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing#cross-certificate-list
[2] https://docs.microsoft.com/en-us/windows-hardware/drivers/install/deprecation-of-software-publisher-certificates-and-commercial-release-certificates
[3] https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release