Windows Hardware Certification – Packages signed using a SHA-1 digest algorithm and certificate chain no more supported (WHQL)


From March 9th 2018, Hardware Dev Center and Sysdev will no longer accept HLKx, HCKx, Attestation .CAB, and WLK packages signed using a SHA-1 digest algorithm and certificate chain.

This change may require that your Hardware Dev Center and Sysdev associated certificates (EV and others) be updated. This is being done to support our SHA-1 Enforcement plan to increase Microsoft confidence that the package contents have not been altered.

Packages already submitted prior to this change will not be affected or re-signed.

We are currently unable to remove the SHA-1 catalog requirements for Windows 7 and below. If you are creating Windows 7 submissions, please either leave your binaries unsigned, or sign them only with SHA-1 if you plan on targeting Windows 7 and below. Submissions not following these guidelines will receive the following error message:

We found that your submission contained binaries embedded with a SHA-256 signature. However, you requested that your submission be signed such that it is compatible with Operating Systems which require a SHA-1 catalog. Please remove the SHA-2 signatures from your binaries, or remove the SHA-1 target operating systems (Windows 7 and below) and resubmit.

IMPORTANT NOTE: as advice, we suggest removing the signature from the driver files that will be added to the package after the test process, then recreating an unsigned .cat file from your driver's *.inf (using the inf2cat utility from Visual Studio), and finally adding the driver package when creating the HLKX or HCKX submission package. This way the Microsoft validation process for Windows Vista or 7 will go straight through without any issue. The HLKX or HCKX package itself still needs to be signed with a SHA-2 certificate.

Do I need to change how I code sign driver binaries (.exe, .sys, .dll)?

No. This change does NOT affect how you code sign your driver files (.exe, .sys, .dll). We are only enforcing that your HLKx, HCKx, CAB, WLK packages are signed with a SHA-2 digest algorithm and certificate chain.

What do I need to do differently?

When signing your HLKx, HCKx, WLK, or CAB package for submission, use SHA-2 as the default signature digest algorithm and a SHA-2 timestamp.

Verify that the certificates associated with your Hardware Dev Center and Sysdev profile are SHA-2 and, if needed, re-sign the portal verification file with them using the /fd sha256 switch and an appropriate SHA-2 timestamp.

For HLKx, HCKx, Attestation .CAB and WLK packages, add the /fd sha256 switch and appropriate SHA-2 timestamp to your signtool process.

How do I check if my Hardware Dev Center or Sysdev certificates are signed with SHA-2?

Certificates cannot be downloaded from Hardware Dev Center so you will need to use your local certificate.

Open your local .CER file by double-clicking it or run "certmgr.msc" to locate and open it. Click the Details tab and verify the Signature algorithm and Signature hash algorithm are SHA256RSA and SHA256 respectively.
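The certificate check and the signtool switches above, as one added PowerShell script (not part of the original notice): the .cer path, package path, signer subject name and timestamp URL are placeholders you must replace with your own values, and the timestamp URL must be your CA's RFC 3161 server.

```powershell
# Added example, not from the original notice. All paths, the subject name and the
# timestamp URL below are placeholders.
param(
    [string]$CerPath       = 'C:\certs\company-ev.cer',          # placeholder: exported local .CER
    [string]$PackagePath   = 'C:\hlk\submission.hlkx',           # placeholder: HLKx/HCKx/CAB/WLK package
    [string]$SignerSubject = 'Contoso Ltd',                      # placeholder: subject of the signing cert
    [string]$TimestampUrl  = 'http://timestamp.example.invalid'  # placeholder: your CA's RFC 3161 URL
)

# 1. Same check as the Details tab in certmgr.msc: the signature algorithm
#    of the portal certificate must be sha256RSA (SHA-2), not sha1RSA.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$sigAlg = $cert.SignatureAlgorithm.FriendlyName
Write-Host "Certificate '$($cert.Subject)' signature algorithm: $sigAlg"
if ($sigAlg -notmatch '^sha256') {
    throw "Certificate is signed with $sigAlg; a SHA-2 certificate chain is required."
}

# 2. Sign the package with a SHA-256 file digest (/fd) and an RFC 3161 timestamp
#    whose digest is also SHA-256 (/tr + /td); /n selects the company certificate.
& signtool.exe sign /fd sha256 /tr $TimestampUrl /td sha256 /n $SignerSubject $PackagePath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 3. Verify against the default Authenticode policy; /v prints the digest and
#    timestamp algorithms so you can confirm nothing is still SHA-1.
& signtool.exe verify /pa /v $PackagePath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
```

The same script applies to Signablefile.bin and Winqual.exe when updating the portal certificate, since they are signed with the identical switches.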


How do I update the certificate associated with my DevCenter or Sysdev account?

NOTE: Only your portal Administrators have permissions to modify and upload these certificates.

DevCenter

  • Sign in as the Company Administrator.
  • Click the gear icon in the upper right, then click Account settings, then Manage Certificates on the left pane.
  • Click the Add a new certificate button and follow the upload process.
  • Download Signablefile.bin from the Hardware Dev Center dashboard, and sign it with the new digital certificate for your company using SignTool with the following switch “/fd sha256” and appropriate SHA-2 timestamp.
  • Upload the signed file to the Hardware Dev Center dashboard.

Sysdev

  • Sign in as the Company Administrator.
  • On the Administration page, in the Your Organization tile, click Upload a new digital certificate.
  • Download Winqual.exe from Sysdev and sign it with the new digital certificate for your company using SignTool with the “/fd sha256” switch added and an appropriate SHA-2 timestamp.
  • On the Manage certificates page, click Choose File to locate and select the Winqual.exe file that has been signed with the correct digital certificate for your company.
  • Click the Update button.

Do I need to change how I code sign driver binaries?

No. At this stage we are not blocking SHA-1 code signed binaries. We are only blocking HLKx, HCKx, CAB, WLK packages signed with a SHA-1 digest algorithm and certificate chain.

How will DevCenter sign my catalog (.CAT) file and binaries?

Microsoft will sign .cat files and binaries as follows: for Windows 7, .cat files and binaries will be dual signed SHA-1/SHA-2, while for Windows 8.1 and Windows 10 they will be signed only in SHA-2.