Signing a Windows Kernel driver without using Microsoft

[Elisa3167]

After you get a WHQL certificate, you have to add SHA-256 /fd 256, /td 256 and external timestamp to the command-line.

If you don't add an external timestamp, the codesign is considered "no-good" so you must add /tr.

Example:
signtool.exe sign /v /n "YourDrivername" /fd sha256 /td sha256 /tr http://timestamp.example.com/rfc3161 DriverFile.sys

Assuming you have a smartcard and smartcard reader, you have to sign-in to the smartcard device, then sign the EXE.

If you have a laptop, you need carry a mobile smartcard reader.

Advice.
Carry the smartcard around with you... Don't leave it for someone to take it...

[Kerlingen]

Microsoft defined one point in time (I think it was June 1st, 2016) and starting with Windows 10 version 1607, the following restrictions apply to kernel mode drivers without a signature from "Microsoft Windows Hardware Compatibility Publisher":

• If the signing certificate expired before June 1st, 2016, the driver is allowed to load.
• If the signing certificate became valid before June 1st, 2016 and expired after June 1st, 2016, the timestamp of the signature is checked to decide if the driver is allowed to load.
• If the signing certificate became valid after June 1st, 2016, the driver is always denied to load.

For obvious reasons you cannot get any new certificate which expires before June 1st, 2016, so you are required to have a signature from Microsoft for any drivers you want to distribute.

Even if you had an old certificate, it would be a SHA1 certificate, but since 2022 all drivers are required to have a SHA256 signature on Windows 10/11/2019/2022. (and that old certificate would probably be "leaked" and any file signed with it would get instantly deleted by anti-virus, so you couldn't even use in on 32-bit Windows 7/8/8.1)