cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Can't sign my driver with sha384 EV code signing certificate

dshadrin
Occasional Contributor

‎Jul 05 2021 05:37 AM

‎Jul 05 2021 05:37 AM

Can't sign my driver with sha384 EV code signing certificate

Hello, our company renew EV code signing certificate, and now it has sha384 algorithm, our driver correct pass all HLK tests, and after it i have signed my *.hlkx result with this certificate, but micorosoft partener center can't accept this *.hlkx due to error: "Microsoft allows SHA2 only signature algorithm. Please re-sign with a valid certificate and submit again"

 

Help me, please.

2,217 Views
2 Likes
11 Replies
Reply
11 Replies
dshadrin

‎Jul 05 2021 06:26 AM

‎Jul 05 2021 06:26 AM

Re: Can't sign my driver with sha384 EV code signing certificate

I correct sign driver in HLK, all tests are passed, but after i can't upload my *.hlkx result to microsoft, because i have error: "Microsoft allows SHA2 only signature algorithm. Please re-sign with a valid certificate and submit again", i have bought certificate on sectigo.com, and now they provide sha384 algorithm, because sha256 is deprecated, but microsoft can't accept this *.hlkx signed with this certificate.
0 Likes
Reply

‎Jul 05 2021 07:39 AM

‎Jul 05 2021 07:39 AM

Re: Can't sign my driver with sha384 EV code signing certificate

@dshadrin 

https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate

information indicates that you must use the same computer and browser for the signature to be considered valid. 

0 Likes
Reply
dshadrin

‎Jul 05 2021 11:04 PM

‎Jul 05 2021 11:04 PM

Re: Can't sign my driver with sha384 EV code signing certificate

@Deleted, you have signed driver thougth HLK? I've signed drivers about five years, and i know how to buy certificate, how to pass HLK tests, and how to upload *.hlkx to microsoft partner center, but now sectigo.com provide me sha384 certificate and sign *.hlkx result using HLK studio with this certificate, but microsoft partner center don't accept this result, because my certificate is not sha256 :(
0 Likes
Reply
dshadrin

‎Jul 07 2021 12:50 AM

‎Jul 07 2021 12:50 AM

Re: Can't sign my driver with sha384 EV code signing certificate

Starting from May 28, 2021, 14:00 MDT (20:00 UTC), DigiCert will require 3072-bit RSA keys or larger for code signing certificates. This change is to comply with industry standards. These new RSA key size requirements apply to the complete certificate chain: end-entity, intermediate CA, and root. ECC key requirements however remain unchanged.

So how can i choose SHA256 when i sign my *.hlkx result from HLK STUDIO ?
0 Likes
Reply

‎Jul 07 2021 02:29 AM

‎Jul 07 2021 02:29 AM

Re: Can't sign my driver with sha384 EV code signing certificate

It's good that you raised this problem!
The suggestion speaks of a switch - SH256 , so maybe there is an error here?
0 Likes
Reply
dshadrin

‎Jul 07 2021 02:45 AM

‎Jul 07 2021 02:45 AM

Re: Can't sign my driver with sha384 EV code signing certificate

This switch applicable for signtool.exe utility, and i use this switch, but HLT test result signed by HLK studio and i can't use this switch or something else in this step.
0 Likes
Reply
HelgeKlein

‎Mar 03 2023 03:14 PM

‎Mar 03 2023 03:14 PM

Re: Can't sign my driver with sha384 EV code signing certificate

We have exactly the same issue...
0 Likes
Reply