Microsoft has deprecated their support for cross-signed root certificates for kernel-mode drivers: https://knowledge.digicert.com/alerts/Kernel-Mode.html
I occasionally release software with USB drivers (as a pair of .inf and .cat files). Until now, I have been signing them with signtool, using:
signtool.exe sign /a /ac $ROOT_CA_CERTIFICATE /tr $TIMESTAMP_SERVICE_URL /td SHA256 $MY_CAT_FILE
and verifying by:
signtool.exe verify /v /kp $MY_SIGNED_CAT_FILE
Under the recent deprecation, this no longer works (details below). The apparent alternative seems to be treating my driver as though it were kernel-mode, and going through Microsoft's full qualification route -- which seems like way more than I need, and has a lot of new requirements on the way.
Is there an easier way to self-sign my driver, given that it does not require kernel-mode?
(I am not well-versed in signtool and code-signing, so don't hesitate to tell me if I'm missing something obvious!)
Details on the signature/verification failures I'm receiving:
If I continue to sign using /ac $ROOT_CA_CERTIFICATE , I get the following error, which seems due to the expiration of the cross-certificate:
Signtool Error: The provided cross certificate would not be present in the certificate chain.
If I leave that out, I can successfully sign, but verification both with and without the /kp flag fails. Here's with the flag:
SignTool Error: Signing Cert does not chain to a Microsoft Root Cert.
And here's without it:
SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.