First published on MSDN on Nov 13, 2017
On March 9th, Hardware Dev Center will no longer accept HLKx, HCKx, Attestation .CAB, and WLK packages signed using a SHA-1 digest algorithm and certificate chain. This change may require that your Hardware Dev Center associated certificates (EV and others) be updated. This is being done to support Windows enforcement of SHA-1 certificates (https://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-sha1-certificates.aspx) and to increase our confidence that the package contents have not been altered. Packages already submitted prior to this change will not be affected or re-signed.
FAQ
When will this change go into effect?
March 9th 2018
Do I need to change how I code sign driver binaries (.exe, .sys, .dll)?
No. This change does NOT affect how you code sign your driver files (.exe, .sys, .dll). We are only enforcing that your HLKx, HCKx, CAB, WLK packages are signed with a SHA-2 digest algorithm and certificate chain.
What do I need to do differently?
- When signing your HLKx, HCKx, WLK, or CAB package for submission, use SHA-2 as the default signature digest algorithm and a SHA-2 timestamp.
- Verify the certificates associated with your Hardware Dev Center profile are SHA-2 and re-sign them using the /fd sha256 switch and appropriate SHA-2 timestamp, if needed.
- For HLKx, HCKx, Attestation .CAB and WLK packages, add the /fd sha256 switch and appropriate SHA-2 timestamp to your signtool process.
How do I check if my Hardware Dev Center certificates are signed with SHA-2?
Certificates cannot be downloaded from Hardware Dev Center, so you will need to use your local copy of the certificate.
- Open your local .CER file by double-clicking it or run “certmgr.msc” to locate and open it.
- Click the Details tab and verify the Signature algorithm and Signature hash algorithm are SHA256RSA and SHA256 respectively.
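The same check, scripted, as an added example that is not part of the original post: it loads a local .cer file, reports the signature algorithm the Details tab would show, and walks the chain it builds on the local machine so that intermediates are checked too. The certificate path is an assumption; point it at your own exported certificate.

```powershell
# Added example (not from the original post): report whether a local .cer file,
# and the chain Windows builds for it, use a SHA-2 signature algorithm.
param(
    [string]$CertPath = 'C:\certs\MyCompanyEV.cer'   # assumed path; replace with your own .cer
)

function Test-Sha2Certificate {
    param([Parameter(Mandatory)][string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # FriendlyName is e.g. 'sha256RSA' (SHA-2) or 'sha1RSA' (SHA-1, rejected after March 9th 2018)
    $sigAlg = $cert.SignatureAlgorithm.FriendlyName

    [pscustomobject]@{
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        NotAfter           = $cert.NotAfter
        SignatureAlgorithm = $sigAlg
        IsSha2             = ($sigAlg -match '^sha(256|384|512)')
    }
}

function Test-Sha2Chain {
    param([Parameter(Mandatory)][string]$Path)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Algorithm inspection only: skip revocation so this runs offline
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($cert)

    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        [pscustomobject]@{
            Subject            = $c.Subject
            SignatureAlgorithm = $c.SignatureAlgorithm.FriendlyName
            IsSha2             = ($c.SignatureAlgorithm.FriendlyName -match '^sha(256|384|512)')
            IsRoot             = ($c.Subject -eq $c.Issuer)   # self-signed root; check leaf and intermediates first
        }
    }
}

Test-Sha2Certificate -Path $CertPath | Format-List
Test-Sha2Chain       -Path $CertPath | Format-Table -AutoSize
```

Run it as `.\Test-Sha2Cert.ps1 -CertPath .\yourcert.cer`; an `IsSha2` of `False` on the leaf or an intermediate means the certificate needs to be replaced before the March 9th cutoff.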
How do I update the certificate associated with my DevCenter account?
- Sign in as the Company Administrator.
- Click the gear icon in the upper right, then click Account settings, then Manage Certificates on the left pane.
- Click the Add a new certificate button and follow the upload process.
- Download Signablefile.bin from the Hardware Dev Center dashboard, and sign it with the new digital certificate for your company using SignTool with the “/fd sha256” switch and appropriate SHA-2 timestamp.
- Upload the signed file to the Hardware Dev Center dashboard.
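The SignTool step described in "What do I need to do differently?" and in the Signablefile.bin step above, as an added example that is not part of the original post. It signs a file with a SHA-2 file digest and a SHA-2 RFC 3161 timestamp, then verifies the result and confirms from SignTool's own verbose output that the file digest is SHA-2. The signtool.exe path, certificate thumbprint and timestamp server URL are placeholders to replace with your own.

```powershell
# Added example (not from the original post): sign with /fd sha256 and a SHA-2
# timestamp, then verify that the resulting signature actually uses SHA-2.
param(
    [Parameter(Mandatory)][string]$Path,                                            # e.g. .\Signablefile.bin or .\submission.hlkx
    [string]$SignTool   = 'C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe',  # adjust to your SDK install
    [string]$Thumbprint = '<THUMBPRINT-OF-YOUR-SHA2-EV-CERT>',                      # placeholder
    [string]$TsaUrl     = 'http://timestamp.example.invalid'                        # placeholder RFC 3161 server
)

function Invoke-Sha2Sign {
    param([Parameter(Mandatory)][string]$File)

    # /fd sha256 : SHA-2 file digest (the switch this FAQ requires)
    # /tr, /td   : RFC 3161 timestamp server and SHA-2 timestamp digest
    # /sha1      : selects the signing certificate by its thumbprint; it is a
    #              certificate locator, not the digest algorithm of the signature
    & $SignTool sign /v /fd sha256 /tr $TsaUrl /td sha256 /sha1 $Thumbprint $File
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $File (exit code $LASTEXITCODE)" }
}

function Test-Sha2Signature {
    param([Parameter(Mandatory)][string]$File)

    # /pa = default Authenticode policy; /v prints "Hash of file (sha256): ..." for the primary signature
    $output = & $SignTool verify /pa /v $File 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed for $File`n$output" }

    $fileDigest = if ($output -match 'Hash of file \((\w+)\)') { $Matches[1] } else { 'unknown' }

    # Independent check of the signer certificate's own signature algorithm
    $sig = Get-AuthenticodeSignature -FilePath $File
    $certAlg = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName

    [pscustomobject]@{
        File                 = $File
        Status               = $sig.Status
        FileDigest           = $fileDigest
        SignerCertAlgorithm  = $certAlg
        MeetsRequirement     = ($sig.Status -eq 'Valid') -and
                               ($fileDigest -match '^sha(256|384|512)$') -and
                               ($certAlg -match '^sha(256|384|512)')
    }
}

Invoke-Sha2Sign     -File $Path
Test-Sha2Signature  -File $Path | Format-List
```

A `FileDigest` of `sha1` means the package was signed without `/fd sha256` and will be rejected after the cutoff even if the certificate itself is SHA-2; both the digest and the certificate chain must be SHA-2.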
Where do I get a SHA-2 certificate?
See https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate for more information.
Do I need to change how I code sign driver binaries?
No. At this stage we are not blocking SHA-1 code signed binaries. We are only blocking HLKx, HCKx, CAB, WLK packages signed with a SHA-1 digest algorithm and certificate chain.
How will DevCenter sign my catalog (.CAT) file?
Windows 7/Server 2008 R2 and lower: SHA-1 only
Windows 8/8.1: SHA-2 only
Windows 10: SHA-2 only
How will DevCenter sign my binaries?
Windows 7/Server 2008 R2 and lower: SHA-2 only
Windows 8/8.1: SHA-2 only
Windows 10: SHA-2 only
How do I enable SHA-2 support for Windows 7 / Server 2008 R2 RTM?
To enable SHA-2 support on Windows 7 / Server 2008 R2, please refer to Microsoft Security Advisory 3033929: https://technet.microsoft.com/en-us/library/security/3033929
For questions not answered here, please contact your Microsoft representative. We will update this FAQ occasionally with more info.