Windows 10 (11?) signed driver signing issues after SafeNet Token update


Recently our SafeNet Authentication Token used for software and driver signing expired (Symantec) and we ordered a new one (now Thales, bought Symantec?).

The expired one had these CAs:

  • VeriSign Class 3 Public Primary Certification Authority - G5
  • Symantec Class 3 Extended Validation Code Signing CA - G2

The user certificate has the intended Purpose: Code Signing

The replacement token has these CAs:

  • Digicert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
  • Digicert Trusted Root G4

The user certificate has the intended Purpose: Code Signing

With the old token: We could sign drivers and catalogs and use these directly on PCs without Secure Boot. We could attestation sign these drivers at Microsoft to get them to work on PCs with Secure Boot.

With the new token: We can sign drivers and catalogs. We can attestation sign these drivers at Microsoft to get them to work on PCs with (and without) Secure boot. But they no longer work on PCs without Secure Boot.

The device manager presents this:

Windows cannot verify the digital signature for the drivers required
for this device. A recent hardware or software change might have installed
a file that is signed incorrectly or damaged, or that might be malicious
software from an unknown source. (Code 52)

The driver itself presents the new signature:

[screenshot: the driver's digital signature details]

And a nice chain of trust:

[screenshot: the signature's certificate chain]

One possibility to get this still working on the test PCs would be to disable driver verification using "bcdedit". But I would not like to force beta testers to do it. Also, I do not want to manually "attestation sign" every CI build...

This wrecks our CI infrastructure and automatic test environment.

My questions:

Is this intended behavior with new code signing tokens?

Did we receive a bad or not-good-enough token as a replacement?

This is the command-line of signtool:

sign /s MY /sha1 KEY_SHA1 /n "My GmbH" /fd sha256 /tr http://timestamp.digicert.com driver.sys

I ask this openly because I think there are a few guys in different companies getting these issues with token updates and I hope the answers to this thread will help them (and us).

Bye Gunther


Solution

  • Ok today I found out:

    Microsoft deprecated code signing certificates mid 2021:

    https://learn.microsoft.com/en-us/windows-hardware/drivers/install/deprecation-of-software-publisher-certificates-and-commercial-release-certificates#will-we-continue-to-be-able-to-sign-non-driver-code-with-our-existing-3rd-party-issued-certificates-after-2021

    Very short answer: New certificates like our new code signing dongle are not cross-signed to "Microsoft Code verification Root" or do not provide any cross certificate chain.

    So our signed driver will not load in production Windows.

    Possible Options for testing and debugging:

    Enable testsigning:

    bcdedit /set TESTSIGNING ON

    In this mode any driver with or without signature is allowed.
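The gap described in the thread (the file-properties dialog shows a valid chain to the DigiCert root, yet the kernel refuses the driver with Code 52) can be made visible on a build machine before a driver ever reaches a tester. The script below is an added example, not code from the question or the answer; it assumes signtool.exe from the Windows SDK (the path is a placeholder to adjust) and the function name Test-DriverKernelSigning is my own. It contrasts the user-mode Authenticode view with signtool's /kp check, which applies the kernel-mode driver signing policy that production Windows enforces, and checks every signature so a nested Microsoft attestation signature is also seen.

```powershell
# Added example (not from the question or answer). Assumes the Windows SDK signtool.exe;
# the default path below is a placeholder.
function Test-DriverKernelSigning {
    param(
        [Parameter(Mandatory)][string]$DriverPath,
        [string]$CatalogPath,
        [string]$SignTool = "C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe"  # placeholder
    )
    if (-not (Test-Path $DriverPath)) { throw "Driver not found: $DriverPath" }
    if (-not (Test-Path $SignTool))   { throw "signtool.exe not found: $SignTool" }

    # 1. User-mode view: what the file-properties dialog shows. A chain ending at a
    #    commercial root (e.g. DigiCert) is 'Valid' here even though the kernel rejects it.
    $sig   = Get-AuthenticodeSignature -FilePath $DriverPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainSubjects = @()
    if ($sig.SignerCertificate) {
        [void]$chain.Build($sig.SignerCertificate)
        $chainSubjects = $chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
    }

    # 2. Kernel-mode view: /kp applies the driver signing policy, /all verifies every
    #    signature (including a nested Microsoft attestation signature), /c adds the catalog.
    $stArgs = @('verify', '/kp', '/v', '/all')
    if ($CatalogPath) { $stArgs += @('/c', $CatalogPath) }
    $stArgs += $DriverPath
    $out = (& $SignTool @stArgs 2>&1) | Out-String
    $kernelOk = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        File               = $DriverPath
        UserModeStatus     = $sig.Status
        Signer             = $sig.SignerCertificate.Subject
        Chain              = $chainSubjects
        HasMicrosoftSigner = ($out -match 'Microsoft Windows Hardware Compatibility Publisher')
        KernelPolicyOk     = $kernelOk
        SignToolOutput     = $out
    }
}

# Example call: UserModeStatus = Valid together with KernelPolicyOk = $false is the Code 52
# situation from the question; an attestation-signed build shows HasMicrosoftSigner = $true.
Test-DriverKernelSigning -DriverPath .\driver.sys -CatalogPath .\driver.cat | Format-List
```

Running this as a CI gate on every build tells you whether a driver will load on a normal production machine without anyone having to enable TESTSIGNING on a test PC.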