LSA plugin or UEFI firmware signing requirements
LSA plugins and UEFI firmware
- LSA plugins and UEFI firmware signing requires an extended validation (EV) code signing certificate.
- All LSA and UEFI submissions must be a single, signed CAB library file, and contain all files required for signing.
- This file should contain no folders and only the binaries or .efi files to be signed.
- UEFI FIRMWARE ONLY - The CAB file signature must match the Authenticode certificate for your organization.
- Depending on your certificate provider, you may need to use SignTool or an external process.
- EFI ByteCode (EBC) files must be compiled using the /ALIGN:32 flag for processing to succeed.
- UEFI FIRMWARE ONLY - If your submission is a shim, you must submit a completed template for review to the shim review board. The shim review process is described at https://github.com/rhboot/shim-review/.
- LSA PLUGINS ONLY - The CAB file signature must match the EV code signing certificate for your organization.
To learn how to file sign an LSA plugin or UEFI firmware in the hardware dashboard:
For more information on Microsoft UEFI signing policies and pre-submission testing see: