Note: Starting with new installations of Windows 10, version 1607, the previously defined driver signing rules will be enforced by the Operating System, and Windows 10, version 1607 will not load any new kernel mode drivers which are not signed by the Windows Hardware Developer Center Dashboard portal. OS signing enforcement is only for new OS installations; systems upgraded from an earlier OS to Windows 10, version 1607 will not be affected by this change. The portal will only accept driver submissions, including both kernel and user mode driver submissions, that have a valid Extended Validation (“EV”) Code Signing Certificate. For more information, click here.
Note: Unfortunately, Thawte does not offer EV Code Signing certificates at this time; however, if you would like to enroll for this certificate, please click here for Symantec's EV Code Signing enrollment page.
64-bit versions of Microsoft Windows require Kernel Mode Signing. To sign 64-bit kernel-mode software using a Thawte Code Signing for Microsoft Authenticode (Multi-Purpose) or Thawte Code Signing for Microsoft Office and VBA certificate, you will need to download and install the following:
NOTE: While we do our best to provide information for signing, Thawte does not support the code signing software and tools.
Use signtool.exe, a command-line tool, to sign your code.
SHA-1 with Timestamp:
SHA-256 with Timestamp:
NOTE: Replace YourIssuedToFieldName with the company name the certificate was approved for, and as it appears in the 'Issued to' field of the certificate. Replace YourFileName with the path and file you want to sign.
This example uses several of the arguments that SignTool supports:
Important: Thawte recommends that customers use the SHA256 timestamping service going forward, and not use a SHA1 service unless a legacy platform constraint prevents use of the SHA2 service.
Note: If you are signing the file with a certificate stored in a password-protected PFX file, use the arguments /f YourCertFileName.pfx /p pfxpassword instead of /a /s MY /n "YourIssuedToFieldName" in the command.
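The signing and verification steps described on this page, combined into one PowerShell script as an added example (it is not Thawte's or Microsoft's own command text). It assumes signtool.exe is on the PATH; the file path, cross-certificate path and timestamp URL are placeholders, and the /ac, /fd, /tr, /td and verify /kp switches are standard SignTool options chosen for this example.

```powershell
# Added example: SHA-256 sign a kernel-mode binary with an RFC 3161 timestamp,
# then confirm it passes the kernel-mode signing policy check.
# All default values below are placeholders; replace them before use.
param(
    [string]$SignTool     = 'signtool.exe',   # assumed to be on PATH
    [string]$FileToSign   = 'C:\build\YourFileName.sys',
    [string]$Subject      = 'YourIssuedToFieldName',
    [string]$CrossCert    = 'C:\certs\YourCrossCertificate.cer',
    [string]$TimestampUrl = 'http://timestamp.example.invalid/rfc3161'
)
$ErrorActionPreference = 'Stop'

# Fail early on a wrong path instead of letting signtool report it later.
foreach ($path in $FileToSign, $CrossCert) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        throw "File not found: $path"
    }
}

# /ac          adds the cross-certificate to the signature block
# /a /s MY /n  selects the certificate from the MY store by its 'Issued to' name
# /fd sha256   sets the file digest algorithm
# /tr and /td  set the RFC 3161 timestamp server and its digest algorithm
$signArgs = @(
    'sign', '/v',
    '/ac', $CrossCert,
    '/a', '/s', 'MY', '/n', $Subject,
    '/fd', 'sha256',
    '/tr', $TimestampUrl, '/td', 'sha256',
    $FileToSign
)
& $SignTool @signArgs
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)" }

# /kp verifies against the kernel-mode driver signing policy.
& $SignTool verify /kp /v $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool verify /kp failed (exit code $LASTEXITCODE)" }

# A signature without a timestamp stops validating when the certificate expires,
# so treat a missing timestamp as a failure.
$sig = Get-AuthenticodeSignature -LiteralPath $FileToSign
if ($null -eq $sig.TimeStamperCertificate) {
    throw "No timestamp found on $FileToSign"
}
"Signed by:      $($sig.SignerCertificate.Subject)"
"Timestamped by: $($sig.TimeStamperCertificate.Subject)"
```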
Test Your Signature
Method 1: Using signtool
Method 2: Using Windows
Related Information and Resources
Microsoft's knowledge base on this topic:
Windows Driver Kit (WDK):
Using SignTool to Sign a File:
Cross-Certificates for Kernel Mode Code Signing: