LSA plugin or UEFI firmware signing requirements
You can use the Partner Center hardware dashboard to digitally sign Local Security Authority (LSA) plugins and UEFI firmware binaries, to enable them to be installed on windows devices.
LSA plugins and UEFI firmware
- LSA plugins and UEFI firmware signing requires an extended validation (EV) code signing certificate.
- All LSA and UEFI submissions must be a single, signed CAB library file, and contain all files required for signing.
- This file should contain no folders and only the binaries or .efi files to be signed.
- UEFI FIRMWARE ONLY - The CAB file signature must match the Authenticode certificate for your organization.
- Depending on your certificate provider, you may need to use SignTool or an external process.
- EFI ByteCode (EBC) files must be compiled using the /ALIGN:32 flag for processing to succeed.
- UEFI FIRMWARE ONLY - If your submission is a shim, you must submit a completed template for review to the shim review board. The shim review process is described at https://github.com/rhboot/shim-review/.
- LSA PLUGINS ONLY - The CAB file signature must match the EV code signing certificate for your organization.
Next Steps
To learn how to file sign an LSA plugin or UEFI firmware in the hardware dashboard:
For more information on Microsoft UEFI signing policies and pre-submission testing see:
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for