
Starting in February 2018, packages signed using a SHA-1 digest algorithm and certificate chain will no longer be accepted

Published: 2018-03-22   Views: 2669

Starting in February 2018, Hardware Dev Center and Sysdev will no longer accept HLKx, HCKx, Attestation .CAB, and WLK package submissions signed using a SHA-1 digest algorithm and certificate chain. This change also requires that your Hardware Dev Center and Sysdev associated certificates (EV and others) be updated. This is being done to support our SHA-1 Enforcement plan outlined on TechNet and to increase our confidence that the package contents have not been altered. Packages already submitted prior to this change will not be affected or re-signed.

At the same time, we will start allowing submissions with SHA-2 only code signed binaries to be targeted for Windows 7/Server 2008 R2. Previously, in your shipping label, if you tried to target Windows 7/Server 2008 R2 and your binaries were only SHA-2 code signed, you would receive the following message:

We found that your submission contained binaries embedded with a SHA-256 signature. However, you requested that your submission be signed such that it is compatible with Operating Systems which require a SHA-1 catalog. Please remove the SHA-2 signatures from your binaries, or remove the SHA-1 target operating systems (Windows 7 and below) and resubmit.

After these changes go into effect in February 2018, you will be allowed to target SHA-2 only code signed binaries to Windows 7 and will no longer see this message.

When will this change go into effect?

February 2018

What do I need to do differently?

  • Start using SHA-2 as the default signature digest algorithm and a SHA-2 timestamp.
  • Update the certificates associated with your Hardware Dev Center and Sysdev profile to SHA-2.
    • Re-sign them using “/fd sha256” and appropriate SHA-2 timestamp.
  • For HLKx, HCKx, Attestation .CAB and WLK packages, add the following switches to your signtool process:
    • “/fd sha256” and appropriate SHA-2 timestamp.

FAQ:

How do I check if my Hardware Dev Center or Sysdev certificates are signed with SHA-2?

Certificates cannot be downloaded from Hardware Dev Center so you will need to use your local certificate.

  • Open your local .CER file by double-clicking it or run “certmgr.msc” to locate and open it.
  • Click the Details tab and verify the Signature algorithm and Signature hash algorithm are SHA256RSA and SHA256 respectively.

How do I update the certificate associated with my DevCenter or Sysdev account?

*Note: Only your portal Administrators have permissions to modify and upload these certificates.

DevCenter:

  • Sign in as the Company Administrator.
  • Click the gear icon in the upper right, then click Account settings, then Manage Certificates on the left pane.
  • Download the Winqual.exe file from the Hardware Dev Center dashboard, and sign it with the new digital certificate for your company using SignTool with the following switch “/fd sha256” and appropriate SHA-2 timestamp.
  • Click the Add a new certificate button and follow the upload process.

Sysdev:

  • Sign in as the Company Administrator.
  • On the Administration page, in the Your Organization tile, click Upload a new digital certificate.
  • Download the Winqual.exe file from the Hardware Dev Center dashboard, and sign it with the new digital certificate for your company using SignTool with the following switch added “/fd sha256” and appropriate SHA-2 timestamp.
  • On the Manage certificates page, click Choose File to locate and select the Winqual.exe file that has been signed with the correct digital certificate for your company.
  • Click the Update button.
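
The certificate check and the signtool signing step above can be scripted instead of clicked through. The following PowerShell is an added example, not code from the original post or from Microsoft; the signtool.exe path, the .CER file name, the file being signed and the timestamp server URL are assumed placeholders to replace with your own.

```powershell
# Added example (not from the original post): check that the local certificate is
# SHA-2 signed, sign a file with a SHA-256 digest and SHA-256 timestamp, verify.
# Assumptions: the paths and the timestamp URL below are placeholders.
$SignTool = "C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe"  # assumed SDK path
$CerPath  = ".\company-ev.cer"              # local .CER copy of the portal certificate (assumed name)
$Target   = ".\Winqual.exe"                 # file to sign, e.g. the proof-of-possession Winqual.exe
$TsaUrl   = "http://timestamp.example/tsa"  # placeholder: your CA's RFC 3161 timestamp server

# Map the certificate's own signature algorithm OID to the name certmgr.msc shows
# on the Details tab ("Signature algorithm").
function Get-CertSignatureAlgorithmName {
    param([string]$Oid)
    switch ($Oid) {
        "1.2.840.113549.1.1.5"  { "SHA1RSA" }
        "1.2.840.113549.1.1.11" { "SHA256RSA" }
        "1.2.840.113549.1.1.12" { "SHA384RSA" }
        "1.2.840.113549.1.1.13" { "SHA512RSA" }
        default                 { "OTHER($Oid)" }
    }
}

# 1. FAQ check: the certificate must be SHA-2 signed (SHA256RSA or stronger).
$cert    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath)
$algName = Get-CertSignatureAlgorithmName $cert.SignatureAlgorithm.Value
if ($algName -eq "SHA1RSA") {
    throw "$CerPath is SHA-1 signed ($algName); obtain a SHA-2 certificate first."
}
$thumb = $cert.Thumbprint
Write-Host "Certificate signature algorithm: $algName (thumbprint $thumb)"

# 2. Sign with a SHA-256 file digest (/fd) and a SHA-256 RFC 3161 timestamp (/tr, /td).
#    /sha1 only selects the signing certificate in the store by its thumbprint; it does
#    not choose the digest algorithm. The certificate with private key must be installed.
& $SignTool sign /fd sha256 /tr $TsaUrl /td sha256 /sha1 $thumb /v $Target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 3. Confirm the result: the signature validates and the signer certificate is SHA-2.
$sig = Get-AuthenticodeSignature -FilePath $Target
if ($sig.Status -ne "Valid") { throw "Signature status: $($sig.Status)" }
Write-Host "Signer:                $($sig.SignerCertificate.Subject)"
Write-Host "Signer cert algorithm: $($sig.SignerCertificate.SignatureAlgorithm.FriendlyName)"
Write-Host "Timestamped by:        $($sig.TimeStamperCertificate.Subject)"
# signtool verify /v prints the full signing and timestamp chains for a manual review.
& $SignTool verify /pa /v $Target
```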

Where do I get a SHA-2 certificate?

See Get a code signing certificate for more information.

Do I need to change how I code sign driver binaries?

No. At this stage we are not blocking SHA-1 code signed binaries. We are only blocking HLKx, HCKx, CAB, WLK packages signed with a SHA-1 digest algorithm and certificate chain.

How will DevCenter sign my catalog (.CAT) file?

Windows 7/Server 2008 R2 and lower    Windows 8/8.1    Windows 10
*NEW* Dual signed SHA-1/SHA-2         SHA-2 only       SHA-2 only

How will DevCenter sign my binaries?

Windows 7/Server 2008 R2 and lower    Windows 8/8.1    Windows 10
*NEW* Dual signed SHA-1/SHA-2         SHA-2 only       SHA-2 only


How do I enable SHA-2 support for Windows 7 / Server 2008 R2 RTM?

To enable SHA-2 support on Windows 7 / Server 2008 R2 please refer to Microsoft Security Advisory 3033929.

For questions not answered here, please contact your Microsoft representative. We will update this FAQ occasionally with more info.



Reposted from: Windows Hardware Certification blog