NOTE: At this time (Oct. 2014), kernel mode signing with a SHA-256 certificate is only compatible with Windows 8. Microsoft is working on backporting SHA-256 support to Windows 7 and Vista. For maximum compatibility, it is recommended to use a SHA-1 certificate. A SHA-1 equivalent certificate can be issued for free through your Thawte management portal.
Starting with new installations of Windows 10, version 1607, the operating system enforces the driver signing rules defined earlier: Windows 10, version 1607 will not load any new kernel mode driver that is not signed through the Windows Hardware Developer Center Dashboard portal. This enforcement applies only to new OS installations; systems upgraded from an earlier OS to Windows 10, version 1607 are not affected by the change. The portal only accepts driver submissions, kernel mode and user mode alike, that are signed with a valid Extended Validation ("EV") Code Signing certificate.
Note: Unfortunately, Thawte does not offer an EV Code Signing certificate at this time; if you need one, enroll through Symantec's EV Code Signing enrollment page.
64-bit versions of Microsoft Windows require kernel mode signing. To sign 64-bit kernel-mode software with a Thawte Code Signing for Microsoft Authenticode (Multi-Purpose) or Thawte Code Signing for Microsoft Office and VBA certificate, you will need to download and install the following:
NOTE: While we do our best to provide information for signing, Thawte does not support the code signing software and tools.
Use signtool.exe from the command line to sign your code.
SHA-1 with Timestamp:
SHA-256 with RFC 3161 Timestamp:
NOTE: Replace YourIssuedToFieldName with the company name the certificate was issued to, exactly as it appears in the certificate's 'Issued to' field. Replace YourFileName with the path and name of the file you want to sign.
This example uses several of the arguments that SignTool supports:
Important: Thawte recommends that customers use the SHA-256 timestamping service going forward, and use the SHA-1 service only where a legacy platform constraint prevents use of SHA-2.
Note: If you are signing the file with a certificate stored in a password-protected PFX file, use the arguments /f YourCertFileName.pfx /p pfxpassword in place of /a /s MY /n "YourIssuedToFieldName" in the command. Be aware that a password passed on the command line is visible in the process list and may be recorded in shell history, so keep PFX files and their passwords off shared build machines where possible.
Note: The SHA-1 (Authenticode, /t) timestamping URL is http://timestamp.verisign.com/scripts/timstamp.dll
The spelling timstamp.dll (eight characters, no second 'e') is intentional; the filename conforms to the old MS-DOS 8.3 naming convention.
The SHA-1 with RFC 3161 timestamping URL is http://sha1timestamp.ws.symantec.com/sha1/timestamp
The SHA-256 with RFC 3161 timestamping URL is http://sha256timestamp.ws.symantec.com/sha256/timestamp
RFC 3161 servers are used with the /tr argument (with /td selecting the timestamp digest algorithm), whereas the legacy Authenticode server is used with /t.
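The following PowerShell script is an added worked example of the signing procedure described above; it is not a command from this Thawte page and not a Thawte-supported tool. It produces a SHA-1 primary signature with an Authenticode timestamp (for the legacy platforms mentioned in the first note) and then appends a SHA-256 signature with an RFC 3161 timestamp, using the timestamp URLs from this page. The signtool location, the driver path, the cross-certificate path, the subject name and the optional PFX values are placeholders you must replace.

```powershell
# Added example: dual-sign a 64-bit kernel-mode driver with signtool.exe.
# Assumptions (placeholders, not values from the Thawte page):
#   - signtool.exe from the Windows SDK/WDK is on PATH (or set $SignTool to its full path)
#   - the cross-certificate for your CA root has been downloaded to $CrossCert
#   - the signing certificate is in the current user's MY store, or in a PFX file
$SignTool  = "signtool.exe"
$Driver    = "C:\build\YourFileName.sys"          # file to sign
$CrossCert = "C:\certs\YourCrossCertificate.cer"  # cross-certificate for kernel mode signing
$Subject   = "YourIssuedToFieldName"              # 'Issued to' field of the certificate

# Optional: sign from a password-protected PFX instead of the MY store.
# Caveat: /p puts the password on the command line, where other local users can read it.
$PfxPath     = $null   # e.g. "C:\certs\YourCertFileName.pfx"
$PfxPassword = $null

# Timestamp services listed on the page.
$Sha1AuthenticodeTs = "http://timestamp.verisign.com/scripts/timstamp.dll"
$Sha256Rfc3161Ts    = "http://sha256timestamp.ws.symantec.com/sha256/timestamp"

if ($PfxPath) {
    $CertArgs = @("/f", $PfxPath, "/p", $PfxPassword)
} else {
    $CertArgs = @("/a", "/s", "MY", "/n", $Subject)
}

function Invoke-SignTool {
    # Runs signtool with the given argument list and fails loudly on a non-zero exit code.
    param([string[]]$Arguments)
    & $SignTool @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool failed (exit $LASTEXITCODE): $($Arguments -join ' ')"
    }
}

# 1. Primary signature: SHA-1 file digest (/fd sha1) with an Authenticode timestamp (/t).
#    /ac attaches the cross-certificate so the chain reaches Microsoft's root for kernel mode.
Invoke-SignTool (@("sign", "/v") + $CertArgs + @("/ac", $CrossCert,
                 "/fd", "sha1", "/t", $Sha1AuthenticodeTs, $Driver))

# 2. Appended signature (/as): SHA-256 file digest with an RFC 3161 timestamp (/tr)
#    whose own digest is SHA-256 (/td). Omit step 1 if no legacy platform must load the driver.
Invoke-SignTool (@("sign", "/v", "/as") + $CertArgs + @("/ac", $CrossCert,
                 "/fd", "sha256", "/tr", $Sha256Rfc3161Ts, "/td", "sha256", $Driver))
```

If you hold a separate SHA-1 equivalent certificate as well as a SHA-256 certificate, select each one explicitly for its step (for example with /sha1 followed by the certificate thumbprint, or a distinct /n value) rather than relying on /a to pick one for you.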
Test Your Signature
Method 1: Using signtool
Method 2: Using Windows
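The following PowerShell script is an added example for both test methods; it is not from this Thawte page. Method 1 runs signtool verify with the kernel driver policy (/kp), which requires the chain to reach Microsoft's root through the cross-certificate, and with the default Authenticode policy (/pa); /all makes signtool check every signature on a dual-signed file. Method 2 uses the Windows Get-AuthenticodeSignature cmdlet, which relies on the same WinTrust verification that the file's Properties dialog uses. The driver path and signtool location are placeholders.

```powershell
# Added example: verify a signed driver with signtool and with Windows itself.
# Assumptions: signtool.exe is on PATH and $Driver points at the file you signed (placeholder).
$SignTool = "signtool.exe"
$Driver   = "C:\build\YourFileName.sys"

function Test-DriverSignature {
    # Returns an object summarising both verification methods for the given file.
    param([string]$Path)

    # Method 1: signtool. /kp = kernel driver signing policy, /pa = default Authenticode policy,
    # /all = check every signature (a dual-signed file carries two), /v = verbose chain output.
    & $SignTool verify /v /kp /all $Path
    $KernelPolicyOk = ($LASTEXITCODE -eq 0)

    & $SignTool verify /v /pa /all $Path
    $AuthenticodeOk = ($LASTEXITCODE -eq 0)

    # Method 2: Windows. Caveat: Get-AuthenticodeSignature reports only the primary signature,
    # so on a dual-signed file it shows the SHA-1 signature and not the appended SHA-256 one.
    $Sig = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Path             = $Path
        SignToolKernel   = $KernelPolicyOk
        SignToolAuthenticode = $AuthenticodeOk
        WindowsStatus    = $Sig.Status              # expect 'Valid'
        StatusMessage    = $Sig.StatusMessage
        Signer           = $Sig.SignerCertificate.Subject
        SignerAlgorithm  = $Sig.SignerCertificate.SignatureAlgorithm.FriendlyName  # e.g. sha256RSA
        Timestamper      = $Sig.TimeStamperCertificate.Subject  # empty if no timestamp was applied
    }
}

$Result = Test-DriverSignature -Path $Driver
$Result | Format-List

# Treat anything other than a fully valid, timestamped signature as a build failure.
if (-not ($Result.SignToolKernel -and $Result.WindowsStatus -eq 'Valid' -and $Result.Timestamper)) {
    throw "Driver signature check failed for $Driver"
}
```

A missing Timestamper value means the signature will stop validating when the certificate expires, so treat it as a failure even when the signature itself is currently valid.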
Related Information and Resources
Microsoft's knowledge base on this topic:
Windows Driver Kit (WDK):
Using SignTool to Sign a File:
Cross-Certificates for Kernel Mode Code Signing: