Kernel Mode Driver Signing
We have an Extended Validation Certificate and USB Token from GlobalSign. We have used this to sign our Kernel Mode Drivers for years:
SignTool.exe sign /a /as /v /fd sha1 /ac "globalsign root ca.crt" /tr http://timestamp.digicert.com /td SHA1 driver.sys
SignTool.exe sign /a /as /v /fd sha256 /ac "globalsign root ca.crt" /tr http://timestamp.digicert.com /td SHA256 driver.sys
We then create an InstallShield program to install our driver on the customer's computer. This is very important because many of our customers do not connect their computers to the Internet.
Now, since April 15, 2021, Windows says that it doesn't recognize the WHQL of our digital certificate.
When I asked GlobalSign about this problem, they sent us a .cer file and said that we need to create a Hardware Developer account and to upload that file to the newly created account.
If I am understanding the process correctly, this means that when we install our driver on the customer's computer, Windows then checks the Digital Certificate that was used to sign the Kernel Mode driver against the one on record with the Hardware Developers Program. If they both match, Windows will allow the driver to load.
This means that the computer has to be connected to the Internet.
I don't want to get into great detail about why our customers don't want their computers connected to the Internet. Some don't want to do it because they don't want their IT Department making changes to the computer. Some don't want to do it because it might affect the timing of the experiments they are running.
The end result is that we need a way to sign our Kernel Mode drivers so that they will work on computers that are not connected to the Internet. We used to have this ability before April 15, 2021, and there must be a way to do it now.
Please somebody tell me what I must do.