I am interested in buying a Microsoft Code Signing Certificate for a kernel mode driver.
My first question is: are VeriSign or GlobalSign certificates mandatory?
They are expensive and I have found another provider called DigiCert for only $178 the first year.
Here is an old question on Stack Overflow:
Kernel mode code signing
And here is the link to the DigiCert page:
http://www.digicert.com/code-signing/driver-signing-in-windows-using-signtool.htm
My second question is how long the users will be able to run the application.
If the certificate expires, does it mean that the users will not be able to run the application, or only that I cannot compile and sign another executable again but that the application will run?
Thank you
Alex
DigiCert certificates can absolutely be used for kernel mode signing – VeriSign & GlobalSign aren’t mandatory, but they may have been the only ones supported at the time of the linked post. DigiCert officially announced kernel mode signing capabilities in February (http://www.digicert.com/news/2012-02-28-kernel-mode-code-signing.htm).
For your second question – you won’t be able to sign new trusted applications after the certificate expires, but users can continue running the application if it was timestamped when it was signed.
DigiCert’s instructions on timestamping can be found at http://www.digicert.com/code-signing/signcode-signtool-command-line.htm.
In full disclosure, I’m the VP of Marketing at DigiCert. Saw this post come up and thought I could help :-). If you have any other questions, feel free to reach out to our support team at 801-896-7973.
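An added example, not part of the original question or answer: a PowerShell audit that checks which signed binaries in a folder carry a timestamp, since the answer above ties continued use after certificate expiry to the signature having been timestamped. The default folder, the extension list and the `WarnDays` threshold are assumptions chosen for illustration.

```powershell
# Added example: report Authenticode signatures that lack a timestamp.
# Assumptions: default folder, extension list and WarnDays are illustrative.
param(
    [string]$Path = "$env:windir\System32\drivers",
    [int]$WarnDays = 90
)

$now = Get-Date

Get-ChildItem -Path $Path -Recurse -File -Include *.sys, *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName

        # No signer certificate means there is no signature to assess; skip the file.
        if ($null -eq $sig.SignerCertificate) { return }

        $expires = $sig.SignerCertificate.NotAfter
        $stamped = $null -ne $sig.TimeStamperCertificate

        # A timestamp records that signing happened while the certificate was valid.
        # Without one, validity depends on the signer certificate not having expired.
        if ($stamped) {
            $assessment = 'OK: timestamped'
        } elseif ($expires -lt $now) {
            $assessment = 'EXPIRED: no timestamp and signer certificate has expired'
        } elseif ($expires -lt $now.AddDays($WarnDays)) {
            $assessment = "SOON: no timestamp, certificate expires within $WarnDays days"
        } else {
            $assessment = 'AT RISK: no timestamp'
        }

        [pscustomobject]@{
            File           = $_.Name
            Status         = $sig.Status
            Signer         = $sig.SignerCertificate.Subject
            SignerNotAfter = $expires
            Timestamped    = $stamped
            Assessment     = $assessment
        }
    } |
    Sort-Object Timestamped, SignerNotAfter |
    Format-Table -AutoSize -Wrap
```

Running it against a build output folder before release shows any binary that was signed without a timestamp while the certificate is still valid and the file can be re-signed.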