Starting in March 2018, packages signed using a SHA-1 digest algorithm and certificate chain will no longer be accepted
Published Mar 12 2019 07:15 AM

First published on MSDN on Nov 13, 2017
On March 9th, Hardware Dev Center will no longer accept HLKx, HCKx, Attestation .CAB, and WLK packages signed using a SHA-1 digest algorithm and certificate chain. This change may require that your Hardware Dev Center associated certificates (EV and others) be updated. This is being done to support our SHA-1 Enforcement plan outlined on TechNet and to increase our confidence that the package contents have not been altered. Packages already submitted prior to this change will not be affected or re-signed.

FAQ

When will this change go into effect?
March 9th 2018

Do I need to change how I code sign driver binaries (.exe, .sys, .dll)?
No. This change does NOT affect how you code sign your driver files (.exe, .sys, .dll). We are only enforcing that your HLKx, HCKx, CAB, WLK packages are signed with a SHA-2 digest algorithm and certificate chain.

What do I need to do differently?

    • When signing your HLKx, HCKx, WLK, or CAB package for submission, use SHA-2 as the default signature digest algorithm and a SHA-2 timestamp.
    • Verify the certificates associated with your Hardware Dev Center profile are SHA-2 and re-sign them using the /fd sha256 switch and appropriate SHA-2 timestamp, if needed.
    • For HLKx, HCKx, Attestation .CAB and WLK packages, add the /fd sha256 switch and appropriate SHA-2 timestamp to your signtool process.


How do I check if my Hardware Dev Center certificates are signed with SHA-2?
Certificates cannot be downloaded from Hardware Dev Center, so you will need to inspect your local copy of the certificate.

    • Open your local .CER file by double-clicking it, or run “certmgr.msc” to locate and open it.
    • Click the Details tab and verify the Signature algorithm and Signature hash algorithm are SHA256RSA and SHA256 respectively.
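The same check as the Details-tab steps above, done from PowerShell for the leaf certificate and for every issuer in its chain (the requirement is a SHA-2 digest and certificate chain, so a SHA-2 leaf under a SHA-1 intermediate would still fail). This is an added example and not part of the original post; the .cer path and the subject filter are placeholders, and skipping the self-signed root's own signature algorithm is my assumption, since a trusted root's self-signature is not part of the chain verification.

```powershell
# Added example (not from the original post): report the signature algorithm of a
# code-signing certificate and of each certificate in its chain, flagging any
# leaf or intermediate that is not SHA-2 signed.
# Assumptions: the certificate is an exported .cer file (placeholder path below)
# or sits in CurrentUser\My; the root's self-signature is deliberately not judged.

function Get-SignatureAlgorithmReport {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation status is irrelevant to this question; only the algorithms matter here.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void] $chain.Build($Certificate)

    # ChainElements is ordered leaf first, root last.
    $elements = @($chain.ChainElements)
    for ($i = 0; $i -lt $elements.Count; $i++) {
        $cert   = $elements[$i].Certificate
        $isRoot = ($i -eq $elements.Count - 1)
        $alg    = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA (SHA-2) or sha1RSA (SHA-1)

        [pscustomobject] @{
            Level              = if ($i -eq 0) { 'Leaf' } elseif ($isRoot) { 'Root' } else { 'Intermediate' }
            Subject            = $cert.Subject
            SignatureAlgorithm = $alg
            # A self-signed root's own signature is not verified as part of the chain,
            # so only leaf and intermediate certificates are judged (assumption, see lead-in).
            IsSha2             = $isRoot -or ($alg -match '^sha(256|384|512)')
            NotAfter           = $cert.NotAfter
        }
    }
}

# Load the exported certificate from a placeholder path ...
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\company-codesign.cer'
# ... or pick it from the personal store by subject (placeholder filter):
# $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Subject -like '*Contoso*' | Select-Object -First 1

$report = Get-SignatureAlgorithmReport -Certificate $cert
$report | Format-Table Level, SignatureAlgorithm, IsSha2, NotAfter, Subject -AutoSize

if ($report | Where-Object { -not $_.IsSha2 }) {
    Write-Warning 'A leaf or intermediate certificate is not SHA-2 signed; obtain a SHA-2 certificate before the March 9, 2018 cutoff.'
} else {
    Write-Host 'Leaf and intermediate certificates are SHA-2 signed.'
}
```

The SignatureAlgorithm property is the same field the Details tab labels "Signature algorithm"; the report prints every level so that an old SHA-1 intermediate is visible even when the leaf reads SHA256RSA.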


How do I update the certificate associated with my DevCenter account?

*Note: Only your portal Administrators have permissions to modify and upload these certificates.

    • Sign in as the Company Administrator.
    • Click the gear icon in the upper right, then click Account settings, then Manage Certificates on the left pane.
    • Click the Add a new certificate button and follow the upload process.
    • Download Signablefile.bin from the Hardware Dev Center dashboard, and sign it with the new digital certificate for your company using SignTool with the /fd sha256 switch and appropriate SHA-2 timestamp.
    • Upload the signed file to the Hardware Dev Center dashboard.
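The signtool step is the same for the submission packages (the "What do I need to do differently?" list) and for Signablefile.bin (the list just above), so one added PowerShell script covers both. It is not part of the original post: it assumes signtool.exe from the Windows SDK is on PATH, that the certificate is in the CurrentUser\My store and is selected by thumbprint, and that the timestamp URL is a placeholder to replace with your CA's RFC 3161 service; the script and function names are mine.

```powershell
# Added example, not from the original post. Signs a submission package or the
# Signablefile.bin challenge with a SHA-256 file digest and a SHA-256 RFC 3161
# timestamp, then verifies the result with signtool.
# Assumptions: signtool.exe (Windows SDK) is on PATH; the certificate lives in
# CurrentUser\My and is chosen by thumbprint; $TimestampUrl is a placeholder.
param(
    [Parameter(Mandatory)] [string] $FilePath,        # e.g. .\Submission.hlkx or .\Signablefile.bin
    [Parameter(Mandatory)] [string] $CertThumbprint,  # identifies the certificate; it is not the signing digest
    [string] $TimestampUrl = 'http://timestamp.example.invalid/rfc3161'  # placeholder: your CA's RFC 3161 service
)

function Invoke-Sha2Sign {
    param([string] $Path, [string] $Thumbprint, [string] $TsUrl)

    # /fd sha256 : SHA-256 file digest (what Hardware Dev Center requires from March 9, 2018)
    # /tr + /td  : RFC 3161 timestamp, with SHA-256 as the timestamp digest as well
    # /sha1      : selects the certificate by thumbprint (an identifier, not the digest algorithm)
    & signtool.exe sign /v /fd sha256 /tr $TsUrl /td sha256 /sha1 $Thumbprint $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $Path (exit code $LASTEXITCODE)" }
}

function Test-Sha2PackageSignature {
    param([string] $Path)

    # /pa = default Authenticode verification policy; /v prints the file hash algorithm
    # and both certificate chains, which is what belongs in a build log.
    $output = & signtool.exe verify /v /pa $Path 2>&1
    $output | ForEach-Object { Write-Host $_ }
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed for $Path (exit code $LASTEXITCODE)" }

    # Verbose output reports the digest as "Hash of file (sha256): ..."; if the line
    # is absent in your signtool version, read the printed report by hand instead.
    $m = [regex]::Match(($output -join "`n"), 'Hash of file \((?<alg>\w+)\)')
    if (-not $m.Success) {
        Write-Warning "Could not parse the file digest algorithm for $Path; inspect the signtool output above."
        return $null
    }
    $alg = $m.Groups['alg'].Value
    if ($alg -ne 'sha256') { throw "$Path is signed with a $alg file digest; Hardware Dev Center requires SHA-2" }
    return $alg
}

Invoke-Sha2Sign -Path $FilePath -Thumbprint $CertThumbprint -TsUrl $TimestampUrl
$digest = Test-Sha2PackageSignature -Path $FilePath
if ($digest) { Write-Host "OK: $FilePath carries a $digest file digest and an RFC 3161 timestamp." }
```

Save it as, for instance, Sign-Sha2Package.ps1 (a name of my choosing) and run .\Sign-Sha2Package.ps1 -FilePath .\Signablefile.bin -CertThumbprint <thumbprint of the new SHA-2 certificate>; the verify step fails the run rather than letting a SHA-1-digest file reach the dashboard.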

Where do I get a SHA-2 certificate?
See Get a code signing certificate for more information.

Do I need to change how I code sign driver binaries?
No. At this stage we are not blocking SHA-1 code signed binaries. We are only blocking HLKx, HCKx, CAB, WLK packages signed with a SHA-1 digest algorithm and certificate chain.

How will DevCenter sign my catalog (.CAT) file?

    • Windows 7/Server 2008 R2 and lower: SHA-1 only
    • Windows 8/8.1: SHA-2 only
    • Windows 10: SHA-2 only

How will DevCenter sign my binaries?

    • Windows 7/Server 2008 R2 and lower: SHA-2 only
    • Windows 8/8.1: SHA-2 only
    • Windows 10: SHA-2 only

How do I enable SHA-2 support for Windows 7 / Server 2008 R2 RTM?
To enable SHA-2 support on Windows 7 / Server 2008 R2 please refer to Microsoft Security Advisory 3033929.

For questions not answered here, please contact your Microsoft representative. We will update this FAQ occasionally with more info.

1 Comment

Typo?  "ppropriate" should be "appropriate" in the 3rd bullet point?

Version history
Last update: Mar 25 2019 02:25 PM