
We've been submitting drivers to Partner Center for validation and signature by Microsoft for a long time. Recently our Authenticode certificate expired, so we purchased a new one. When we submit driver packages signed by the new certificate, we get the following error:

Microsoft allows SHA2 only signature algorithm. Please re-sign with a valid certificate and submit again.

How can this be fixed or worked around?

Notes:

  • The new certificate's signature algorithm is SHA384RSA, its hash algorithm is SHA384.
  • The expired certificate's signature algorithm is SHA256RSA, its hash algorithm is SHA256.
  • We did add the new certificate to Partner Center by signing the provided binary.
  • Our entire process has worked for a long time. The only thing that changed is the Authenticode certificate.
  • We've performed certificate updates in the past. They always worked well.
Helge Klein
  • Is it possible to contact the partner center and request a new certificate with a specific hash algorithm? – VonC Mar 07 '23 at 06:53

1 Answer


In a support ticket we opened, a Microsoft representative indirectly confirmed the SHA256 restriction. The solution, therefore, is to make sure that a vendor uses SHA256 instead of SHA384 before buying a certificate.

Sectigo doesn't do that, so we cannot use their certificate any more for our drivers. SSL.com, however, does. We bought a new certificate from them; it uses SHA256, and HLKX packages signed with it are processed correctly in MS Partner Center.

Helge Klein
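
One way to check a certificate for the SHA256RSA/SHA384RSA difference described in this thread, as an added example that is not part of the original posts or any Microsoft tooling. It assumes the input is either a certificate file (.cer/.crt) or an Authenticode-signed file such as a driver .sys or .cat (not the HLKX package itself), and that the certificate's own signature algorithm is what gets rejected; `$Path` is a placeholder.

```powershell
# Added example: report the signature algorithm of a code-signing certificate
# and of every certificate in its chain, and fail if the leaf is not sha256RSA.
param(
    [Parameter(Mandatory)]
    [string]$Path   # placeholder: a .cer/.crt file or an Authenticode-signed file
)

# Standard OID for sha256RSA (sha256WithRSAEncryption).
# For comparison, sha384RSA is 1.2.840.113549.1.1.12.
$Sha256RsaOid = '1.2.840.113549.1.1.11'

$ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
if ($ext -in '.cer', '.crt') {
    # Certificate file: load it directly.
    $fullPath = (Resolve-Path -LiteralPath $Path).Path
    $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath)
} else {
    # Signed file: take the certificate that produced the Authenticode signature.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $leaf = $sig.SignerCertificate
    if ($null -eq $leaf) {
        throw "No Authenticode signer certificate on '$Path' (status: $($sig.Status))"
    }
}

# Build the chain without revocation checks so the script also works offline.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($leaf)

$report = foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    [pscustomobject]@{
        Subject      = $cert.GetNameInfo('SimpleName', $false)
        Algorithm    = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA, sha384RSA
        AlgorithmOid = $cert.SignatureAlgorithm.Value
        NotAfter     = $cert.NotAfter
    }
}
$report | Format-Table -AutoSize

# Assumption from this thread: the leaf certificate's algorithm is what matters.
if ($leaf.SignatureAlgorithm.Value -ne $Sha256RsaOid) {
    Write-Warning "Leaf certificate uses $($leaf.SignatureAlgorithm.FriendlyName), not sha256RSA."
    exit 1
}
```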