Can't sign my driver with sha384 EV code signing certificate

Hello, our company renewed its EV code signing certificate, and now it has the SHA384 algorithm. Our driver correctly passes all HLK tests, and after that I signed my *.hlkx result with this certificate, but Microsoft Partner Center can't accept this *.hlkx due to the error: "Microsoft allows SHA2 only signature algorithm. Please re-sign with a valid certificate and submit again"

Help me, please.

10 Replies
I correctly signed the driver in HLK and all tests passed, but afterwards I can't upload my *.hlkx result to Microsoft, because I get the error: "Microsoft allows SHA2 only signature algorithm. Please re-sign with a valid certificate and submit again". I bought the certificate at sectigo.com, and now they provide the SHA384 algorithm, because SHA256 is deprecated, but Microsoft can't accept this *.hlkx signed with this certificate.

@dshadrin 

https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate

The information indicates that you must use the same computer and browser for the signature to be considered valid.

@AndrzejX, have you signed a driver through HLK? I've been signing drivers for about five years, and I know how to buy a certificate, how to pass HLK tests, and how to upload *.hlkx to Microsoft Partner Center, but now sectigo.com provides me a SHA384 certificate and I sign the *.hlkx result using HLK Studio with this certificate, but Microsoft Partner Center doesn't accept this result, because my certificate is not SHA256 :(

Starting from May 28, 2021, 14:00 MDT (20:00 UTC), DigiCert will require 3072-bit RSA keys or larger for code signing certificates. This change is to comply with industry standards. These new RSA key size requirements apply to the complete certificate chain: end-entity, intermediate CA, and root. ECC key requirements, however, remain unchanged.

So how can I choose SHA256 when I sign my *.hlkx result from HLK Studio?

It's good that you raised this problem!
The suggestion speaks of a switch - SH256, so maybe there is an error here?

This switch is applicable to the signtool.exe utility, and I use this switch, but the HLK test result is signed by HLK Studio and I can't use this switch or anything else in this step.