Microsoft has deprecated their support for cross-signed root certificates for kernel-mode drivers: https://knowledge.digicert.com/alerts/Kernel-Mode.html

I occasionally release software with USB drivers (as a pair of .inf and .cat files). Until now, I have been signing them with signtool, using:

signtool.exe sign /a /ac $ROOT_CA_CERTIFICATE /tr $TIMESTAMP_SERVICE_URL /td SHA256 $MY_CAT_FILE

and verifying by:

signtool.exe verify /v /kp $MY_SIGNED_CAT_FILE

Under the recent deprecation, this no longer works (details below). The apparent alternative seems to be treating my driver as though it were kernel-mode, and going through Microsoft's full qualification route -- which seems like way more than I need, and has a lot of new requirements on the way.

Is there an easier way to self-sign my driver, given that it does not require kernel-mode?

(I am not well-versed in signtool and code-signing, so don't hesitate to tell me if I'm missing something obvious!)

Details on the signature/verification failures I'm receiving:

• If I continue to sign using /ac $ROOT_CA_CERTIFICATE , I get the following error, which seems due to the expiration of the cross-certificate:
  Signtool Error: The provided cross certificate would not be present in the certificate chain.

• If I leave that out, I can successfully sign, but verification both with and without the /kp flag fails. Here's with the flag:
  SignTool Error: Signing Cert does not chain to a Microsoft Root Cert.
  And here's without it:
  SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Many thanks!