Starting in February 2018, packages signed using a SHA-1 digest algorithm and certificate chain will no longer be accepted


Starting in February 2018, Hardware Dev Center and Sysdev will no longer accept HLKx, HCKx, Attestation .CAB, and WLK package submissions signed using a SHA-1 digest algorithm and certificate chain. This change also requires that your Hardware Dev Center and Sysdev associated certificates (EV and others) be updated. This is being done to support our SHA-1 Enforcement plan outlined on TechNet and to increase our confidence that the package contents have not been altered. Packages already submitted prior to this change will not be affected or re-signed.

At the same time, we will start allowing submissions with SHA-2 only code signed binaries to be targeted for Windows 7/Server 2008 R2. Previously, in your shipping label, if you tried to target Windows 7/Server 2008 R2 and your binaries were only SHA-2 code signed, you would receive the following message:

We found that your submission contained binaries embedded with a SHA-256 signature. However, you requested that your submission be signed such that it is compatible with Operating Systems which require a SHA-1 catalog. Please remove the SHA-2 signatures from your binaries, or remove the SHA-1 target operating systems (Windows 7 and below) and resubmit.

After these changes go into effect in February 2018, you will be allowed to target SHA-2 only code signed binaries to Windows 7 and will no longer see this message.

When will this change go into effect?

February 2018

What do I need to do differently?

  • Start using SHA-2 as the default signature digest algorithm and a SHA-2 timestamp.
  • Update the certificates associated with your Hardware Dev Center and Sysdev profile to SHA-2.
    • Re-sign them using “/fd sha256” and appropriate SHA-2 timestamp.
  • For HLKx, HCKx, Attestation .CAB and WLK packages, add the following switches to your signtool process:
    • “/fd sha256” and appropriate SHA-2 timestamp.
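The steps above as a script, added here as an example (not code from the original post or from Hardware Dev Center): it signs a package or the Winqual.exe with a SHA-2 file digest and a SHA-2 RFC 3161 timestamp, verifies the result, and, going beyond the post, shows the SHA-1/SHA-2 dual signing that the catalog table below refers to. Assumed: signtool.exe from the Windows SDK is on PATH, the certificate sits in the current user's store and is selected by thumbprint, and the thumbprint, timestamp URLs and file names are placeholders.

```powershell
# Added example, not from the original post. Placeholders: thumbprint, URLs, file names.
# Assumes signtool.exe (Windows SDK) is on PATH and the cert is in the CurrentUser store.
$SignTool       = 'signtool.exe'
$Thumbprint     = '<YOUR-SHA2-CERT-THUMBPRINT>'          # placeholder
$Rfc3161Url     = 'http://<your-ca-rfc3161-timestamp>'   # placeholder, SHA-2 capable
$AuthenticodeUrl = 'http://<your-ca-authenticode-timestamp>'  # placeholder, legacy /t server

function Invoke-SignTool {
    param([string[]]$Arguments)
    & $SignTool @Arguments
    if ($LASTEXITCODE -ne 0) { throw "signtool exited with $LASTEXITCODE for: $($Arguments -join ' ')" }
}

function Sign-Sha2 {
    param([Parameter(Mandatory)][string]$Path)
    # /fd sha256 : SHA-2 file digest (the switch the post asks you to add)
    # /sha1 <tp> : selects the signing cert by its thumbprint; unrelated to the digest
    # /tr + /td  : RFC 3161 timestamp server with a SHA-2 timestamp digest
    Invoke-SignTool @('sign', '/fd', 'sha256', '/sha1', $Thumbprint,
                      '/tr', $Rfc3161Url, '/td', 'sha256', $Path)
}

function Sign-DualSha1Sha2 {
    param([Parameter(Mandatory)][string]$Path)
    # Beyond the post: a SHA-1 primary signature for verifiers without SHA-2 support,
    # then /as appends a second, SHA-2 signature instead of replacing the first.
    Invoke-SignTool @('sign', '/fd', 'sha1', '/sha1', $Thumbprint, '/t', $AuthenticodeUrl, $Path)
    Invoke-SignTool @('sign', '/as', '/fd', 'sha256', '/sha1', $Thumbprint,
                      '/tr', $Rfc3161Url, '/td', 'sha256', $Path)
}

function Test-Signature {
    param([Parameter(Mandatory)][string]$Path)
    # /pa uses the default Authenticode policy; /v lists every signature with its
    # hash algorithm, so a leftover SHA-1-only signature is visible in the output.
    Invoke-SignTool @('verify', '/pa', '/v', $Path)
}

# Usage: sign the Winqual.exe from the dashboard and a package, then verify the package.
Sign-Sha2 -Path '.\Winqual.exe'
Sign-Sha2 -Path '.\MySubmission.hlkx'
Test-Signature -Path '.\MySubmission.hlkx'
```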

FAQ:

How do I check if my Hardware Dev Center or Sysdev certificates are signed with SHA-2?

Certificates cannot be downloaded from Hardware Dev Center so you will need to use your local certificate.

  • Open your local .CER file by double-clicking it or run “certmgr.msc” to locate and open it.
  • Click the Details tab and verify the Signature algorithm and Signature hash algorithm are SHA256RSA and SHA256 respectively.
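The same check done from PowerShell, added as an example (not from the original post): it reads a local .CER file and reports the signature algorithm of the certificate and of every link in its chain, since the post requires a SHA-2 chain and not just a SHA-2 leaf. Assumed: the chain can be built from the local certificate stores, the file path is a placeholder, revocation checking is skipped so it works offline, and leaving the self-signed root out of the pass/fail verdict is this example's own choice.

```powershell
# Added example, not from the original post. Path is a placeholder.
function Get-CertChainSignatureAlgorithms {
    param([Parameter(Mandatory)][string]$CerPath)
    $cert  = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
    # Offline-friendly: do not contact CRL/OCSP endpoints for this algorithm check.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)   # ChainElements is populated even when Build reports a policy error
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        [pscustomobject]@{
            Subject            = $c.Subject
            SignatureAlgorithm = $c.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA or sha1RSA
            IsSelfSigned       = ($c.Subject -eq $c.Issuer)           # the root's own signature
        }
    }
}

function Test-Sha2CertChain {
    param([Parameter(Mandatory)][string]$CerPath)
    # $true when no non-root certificate in the chain is signed with a SHA-1 algorithm.
    $sha1Links = Get-CertChainSignatureAlgorithms -CerPath $CerPath |
        Where-Object { -not $_.IsSelfSigned -and $_.SignatureAlgorithm -match '^sha1' }
    return (@($sha1Links).Count -eq 0)
}

# Usage: the first row matches the "Signature algorithm" field on the Details tab.
Get-CertChainSignatureAlgorithms -CerPath '.\MyCompanyCert.cer' | Format-Table -AutoSize
Test-Sha2CertChain -CerPath '.\MyCompanyCert.cer'
```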


How do I update the certificate associated with my DevCenter or Sysdev account?

*Note: Only your portal Administrators have permissions to modify and upload these certificates.

DevCenter:

  • Sign in as the Company Administrator.
  • Click the gear icon in the upper right, then click Account settings, then Manage Certificates on the left pane.
  • Download the Winqual.exe file from the Hardware Dev Center dashboard, and sign it with the new digital certificate for your company using SignTool with the following switch “/fd sha256” and appropriate SHA-2 timestamp.
  • Click the Add a new certificate button and follow the upload process.

Sysdev:

  • Sign in as the Company Administrator.
  • On the Administration page, in the Your Organization tile, click Upload a new digital certificate.
  • Download the Winqual.exe file from the Hardware Dev Center dashboard, and sign it with the new digital certificate for your company using SignTool with the following switch added “/fd sha256” and appropriate SHA-2 timestamp.
  • On the Manage certificates page, click Choose File to locate and select the Winqual.exe file that has been signed with the correct digital certificate for your company.
  • Click the Update button.

Where do I get a SHA-2 certificate?

See Get a code signing certificate for more information.

Do I need to change how I code sign driver binaries?

No. At this stage we are not blocking SHA-1 code signed binaries. We are only blocking HLKx, HCKx, CAB, WLK packages signed with a SHA-1 digest algorithm and certificate chain.

How will DevCenter sign my catalog (.CAT) file?

  Target operating system               Catalog signature
  Windows 7/Server 2008 R2 and lower    *NEW* Dual signed SHA-1/SHA-2
  Windows 8/8.1                         SHA-2 only
  Windows 10                            SHA-2 only

How will DevCenter sign my binaries?

  Target operating system               Binary signature
  Windows 7/Server 2008 R2 and lower    *NEW* Dual signed SHA-1/SHA-2
  Windows 8/8.1                         SHA-2 only
  Windows 10                            SHA-2 only

How do I enable SHA-2 support for Windows 7 / Server 2008 R2 RTM?

To enable SHA-2 support on Windows 7 / Server 2008 R2 please refer to Microsoft Security Advisory 3033929.

For questions not answered here, please contact your Microsoft representative. We will update this FAQ occasionally with more info.


Comments (2)

  1. vparthas says:

    Thank you for the update.

    I thought CAT files cannot be dual-signed. How will the devcenter dual sign them? Will this require a new KB on Windows 7?

  2. Steve Leo says:

    Hi

    I have SHA1 and SHA256, and I want to perform dual signing.
    Does anyone know how to make it?

    Thanks,
    Steve
