Get a code signing certificate

Before you can establish a Hardware Dev Center hardware dashboard account, you need a code signing certificate. This certificate is the accepted standard for establishing your company's ownership of the code you submit. It lets you digitally sign PE binaries and installer packages, such as .exe, .cab, .dll, .ocx, .msi, .xpi and .xap files.

Step 1: Determine which type of code signing certificate you need

  • Microsoft accepts standard code signing and extended validation (EV) code signing certificates from partners enrolled and authorized for Kernel Mode Code Signing as part of the Microsoft Trusted Root Certificate Program. See http://aka.ms/rootcert for more information. If you already have an approved standard or EV certificate from one of these authorities, you can use it to establish a Hardware Dev Center hardware dashboard account. If you don't have a certificate, you'll need to buy a new one.

  • The table below gives the certificate requirement for each dashboard service.

Dashboard service/permission         Code signing certificate requirement
Bug management                       Standard or EV
DDC - Driver Distribution Center     Standard or EV
Device Metadata                      Standard or EV
Report Data                          Standard or EV
Submissions                          Standard or EV
WRD - Windows Remote Debugging       Standard or EV
LSA                                  EV
UEFI                                 EV
Windows Reference Design             Standard or EV

Note: Submissions will enforce the EV-only requirement later this year (the dates are in the EV Certs section of the Code Signing FAQ below).

Code signing certificates for the Hardware Dev Center hardware dashboard

There are two types of code signing certificates available today:

Standard Code Signing

  • Provides a standard level of identity validation

  • Shorter processing time and lower cost

  • Can be used for all Hardware Dev Center hardware dashboard services except the LSA and UEFI file signing services

  • In Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), standard code signing cannot be used for kernel-mode drivers. For more information about these changes, see the Code Signing FAQ.

Extended Validation (EV) Code Signing

  • Provides the highest level of identity validation

  • Longer processing time and higher cost because of the extended verification process

  • Can be used for all Hardware Dev Center hardware dashboard services, and is required for the LSA and UEFI file signing services

  • The private key of an EV certificate is delivered on a hardware token and cannot be exported, so plan for signing on a machine that has the token attached rather than on an arbitrary build server

  • In Windows 10 for desktop editions, all kernel-mode drivers must be signed by the Hardware Dev Center Dashboard, and the Hardware Dev Center Dashboard requires an EV certificate. For more information about these changes, see the Code Signing FAQ.

Step 2: Buy a new code signing certificate

If you don't have an approved standard or EV code signing certificate, you can buy one from one of the certificate authorities below.

Standard code signing certificates

Extended validation code signing certificates (required for UEFI, kernel-mode drivers, and LSA certifications)

Step 3: Retrieve the code signing certificate

Once the certificate authority has verified your contact information and approved your certificate purchase, follow their directions to retrieve the certificate.

Note
You must use the same computer and browser to retrieve your certificate that you used to request it: the private key generated during the request lives in that browser's certificate store, and the certificate is useless without it.
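Once the certificate is in your store, check it against the dashboard requirements before you try to associate it with an account. The script below is an added example, not code from the Hardware Dev Center documentation: it selects a certificate in the current user's personal store by thumbprint and reports whether it is within its validity window, carries the Code Signing extended key usage, carries the EV code signing policy identifier, chains to a trusted root with online revocation checking, and whether its private key sits on a hardware device. The thumbprint is a placeholder, and the EV policy OID 2.23.140.1.3 is the CA/Browser Forum value that issuers are expected to embed; treat both as assumptions and compare the policy OID against what your CA actually issues.

```powershell
# Added example, not code from the Hardware Dev Center documentation.
# Checks whether a certificate meets the dashboard's EV code signing requirements.
# Assumptions: the thumbprint below is a placeholder; the EV policy OID is the CA/B Forum value.
param(
    # Hypothetical thumbprint; replace with the value certmgr.msc shows for your certificate
    [string]$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'
)

$CodeSigningEku      = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
$EvCodeSigningPolicy = '2.23.140.1.3'        # CA/B Forum EV code signing policy identifier (assumption)

$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "No code signing certificate with thumbprint $Thumbprint in Cert:\CurrentUser\My"
}

$checks = [ordered]@{}
$now = Get-Date

# 1. Validity window: an expired certificate cannot be associated with the account
$checks['NotExpired'] = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

# 2. Extended Key Usage must include Code Signing
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$checks['CodeSigningEku'] = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningEku })

# 3. Certificate Policies (2.5.29.32) must carry the EV policy identifier; a standard cert lacks it
$policyExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' } | Select-Object -First 1
$checks['EvPolicy'] = ($null -ne $policyExt) -and
    ($policyExt.Format($false) -match [regex]::Escape($EvCodeSigningPolicy))

# 4. Chain must build to a trusted root for the code signing application policy, with online revocation
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $CodeSigningEku)) | Out-Null
$checks['ChainValid'] = $chain.Build($cert)
if (-not $checks['ChainValid']) {
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ("Chain: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
}

# 5. Private key must be present; for EV it is expected to live on a hardware token (non-exportable)
$checks['HasPrivateKey'] = $cert.HasPrivateKey
$checks['KeyOnHardware'] = $false
$checks['KeyExportable'] = $null
$csp = $null
if ($cert.HasPrivateKey) {
    try { $csp = $cert.PrivateKey } catch { $csp = $null }   # CNG-only keys may throw here
}
if ($csp -and $csp.CspKeyContainerInfo) {
    $checks['KeyOnHardware'] = $csp.CspKeyContainerInfo.HardwareDevice
    $checks['KeyExportable'] = $csp.CspKeyContainerInfo.Exportable
}

$checks['MeetsEvRequirement'] = $checks['NotExpired'] -and $checks['CodeSigningEku'] -and
    $checks['EvPolicy'] -and $checks['ChainValid'] -and $checks['HasPrivateKey']

[pscustomobject]$checks | Format-List
```

Run it as `.\Check-SigningCert.ps1 -Thumbprint <your thumbprint>` on the machine that holds the key. A standard certificate will pass every check except EvPolicy, which is the difference that matters for the LSA, UEFI and kernel-mode driver submissions; KeyOnHardware is reported for CSP-backed keys only, so a $false there for a CNG key on a token is not by itself a failure.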

Next steps

  • If you're setting up a new Hardware Dev Center hardware dashboard account, follow the steps in Register for the Hardware Program.

  • If you've already set up a Hardware Dev Center hardware dashboard account and need to renew a certificate, follow the steps in Update a code signing certificate.

Code Signing FAQ

This section answers frequently asked questions about code signing for Windows 10. Additional code signing information is available on the Windows Hardware Certification blog.

HLK Tested and Dashboard Signed Drivers

  • A dashboard signed driver that has passed the HLK tests will work on Windows Vista through Windows 10, including Windows Server editions. This is the recommended method for driver signing, because it allows a single process for all OS versions. In addition, HLK tested drivers demonstrate that a manufacturer has rigorously tested their hardware to meet all of Microsoft's requirements for reliability, security, power efficiency, serviceability, and performance, so as to provide a great Windows experience. This includes compliance with industry standards and adherence to Microsoft specifications for technology-specific features, helping to ensure correct installation, deployment, connectivity and interoperability. For more information about the HLK, see Windows Hardware Compatibility Program.

Windows 10 Desktop Attestation Signing

  • A dashboard signed driver using attestation signing will only work on Windows 10 Desktop and later versions of Windows.
  • An attestation signed driver will only work on Windows 10 Desktop; it will not work on other versions of Windows, such as Windows Server 2016, Windows 8.1, or Windows 7.
  • Attestation signing supports Windows 10 Desktop kernel mode and user mode drivers. Although user mode drivers do not need to be signed by Microsoft for Windows 10, the same attestation process can be used for both user and kernel mode drivers.

Windows 10 Earlier Certificate Transition Signing

  • A driver signed with any certificate issued after July 29, 2015, with time stamping, is not recommended for Windows 10.
  • A driver signed with any certificate that expires after July 29, 2015, without time stamping, will work on Windows 10 until the certificate expires.

Cross-Signing and SHA-256 Certificates

Cross-signing describes a process where a driver is signed with a certificate issued by a Certificate Authority (CA) that is trusted by Microsoft, together with the Microsoft-issued cross-certificate that chains that CA's root to the Microsoft Code Verification Root, which is the root the kernel-mode loader trusts. For more information, see Cross-Certificates Overview.

  • Windows 8 and later versions support SHA-256.
  • Windows 7, if patched, supports SHA-256. If you need to support unpatched devices that run Windows 7, you need to either cross-sign with a SHA-1 certificate or submit to the Dashboard for signing. Otherwise, you can either cross-sign with a SHA-1 or SHA-2 certificate or create an HLK/HCK submission for signing.
  • Because Windows Vista doesn't support SHA-256, you need to either cross-sign with a SHA-1 certificate or create an HLK/HCK submission for Windows Vista driver signing.
  • A driver cross-signed with a SHA-256 certificate (including an EV certificate) issued prior to July 29, 2015 will work on Windows 8 and later. It will not work on Windows Vista or Windows Server 2008.
  • A driver cross-signed with a SHA-256 certificate (including an EV certificate) issued prior to July 29, 2015 will work on Windows 7 or Windows Server 2008 R2 if the patch issued through Windows Update earlier this year has been applied. For more information, see Availability of SHA-2 Hashing Algorithm for Windows 7 and Windows Server 2008 R2 and Microsoft security advisory: Availability of SHA-2 code signing support for Windows 7 and Windows Server 2008 R2: March 10, 2015.
  • A cross-signed driver using a SHA-1 certificate issued prior to July 29, 2015 will work on all platforms from Windows Vista through Windows 10.
  • A cross-signed driver using a SHA-1 or SHA-256 certificate issued after July 29, 2015 is not recommended for Windows 10.
  • For more information about the effort to move to SHA-256 certificates, see Windows Enforcement of Authenticode Code Signing and Timestamping.
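The bullets above boil down to one practical recipe when a single cross-signed binary has to load on everything from Vista to Windows 10: sign it twice. The script below is an added example, not code from the Hardware Dev Center documentation. It uses signtool.exe from the Windows SDK to put a SHA-1 file-digest signature first (the only one Vista and unpatched Windows 7 can verify), appends a SHA-256 signature for Windows 8 and later and patched Windows 7, passes the CA's Microsoft cross-certificate with /ac both times so the chain reaches the Microsoft Code Verification Root, timestamps each signature, and finally verifies against the kernel-mode driver signing policy. The thumbprint, the cross-certificate file name, the timestamp server URLs and the driver file name are placeholders you must replace.

```powershell
# Added example, not code from the Hardware Dev Center documentation.
# Dual-signs a kernel-mode driver for cross-signed deployment from Vista through Windows 10.
# Placeholders (assumptions): thumbprint, cross-certificate file, timestamp URLs, driver path.
$ErrorActionPreference = 'Stop'

$Thumbprint     = '0123456789ABCDEF0123456789ABCDEF01234567'      # your CA-issued code signing cert
$CrossCert      = '.\MyCA-Cross-Certificate.cer'                 # Microsoft cross-cert for that CA's root
$Driver         = '.\MyDriver.sys'                               # sign a shipped .cat the same way
$TsAuthenticode = 'http://timestamp.example.invalid/authenticode' # hypothetical Authenticode (/t) TSA
$TsRfc3161      = 'http://timestamp.example.invalid/rfc3161'      # hypothetical RFC 3161 (/tr) TSA

function Invoke-SignTool {
    param([string[]]$Arguments)
    & signtool.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

# 1. Primary signature: SHA-1 file digest plus cross-certificate, so Vista and unpatched
#    Windows 7 can verify it. /sha1 selects the signing cert by thumbprint; /ac embeds the
#    cross-certificate so the chain reaches the Microsoft Code Verification Root.
Invoke-SignTool @('sign', '/v', '/ac', $CrossCert, '/sha1', $Thumbprint,
                  '/fd', 'sha1', '/t', $TsAuthenticode, $Driver)

# 2. Appended signature (/as): SHA-256 file digest with an RFC 3161 SHA-256 timestamp for
#    Windows 8+ and patched Windows 7. Order matters: the SHA-1 signature must be the primary
#    one, because pre-SHA-2 verifiers only look at the first signature in the file.
Invoke-SignTool @('sign', '/v', '/as', '/ac', $CrossCert, '/sha1', $Thumbprint,
                  '/fd', 'sha256', '/tr', $TsRfc3161, '/td', 'sha256', $Driver)

# 3. Verify every signature (/all) against the kernel-mode driver signing policy (/kp),
#    which is the check the loader applies, not the default Authenticode policy.
Invoke-SignTool @('verify', '/v', '/kp', '/all', $Driver)
```

The /kp verification is the step people skip: a driver can verify cleanly under the default policy (`signtool verify /pa`) and still be rejected by the loader because the cross-certificate was omitted. Remember that, per the bullets above, a certificate issued after July 29, 2015 is not recommended for Windows 10 regardless of how it is cross-signed, so this recipe mainly matters for maintaining older drivers and older certificates.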

Device Guard

  • Enterprises may implement a Device Guard policy to modify the driver signing requirements on Windows 10 Enterprise edition. Device Guard provides an enterprise-defined code integrity policy, which may be configured to require at least an attestation-signed driver. For more information about Device Guard, see Device Guard certification and compliance.

Windows Server

  • The dashboard will not accept attestation-signed device and filter driver submissions for Windows Server 2016.
  • The dashboard will only sign device and filter drivers that have successfully passed the HLK tests.
  • Windows Server 2016 will only load dashboard signed drivers that have successfully passed the HLK tests.

EV Certs

  • As of October 31, 2015, your Sysdev dashboard account must have at least one EV certificate associated with it to submit binaries for attestation signing or to submit binaries for HLK certification.
  • You can sign with either your EV certificate or your existing standard certificates until May 1, 2016. After May 1, 2016, you need to use an EV certificate to sign the cab file that is submitted.
  • The submitted binaries themselves do not need to be signed. Only the submission cab file needs to be signed with an EV certificate.
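What the last two bullets mean in practice: the driver files go into the cab unsigned, and the cab is the only thing your EV key touches. The script below is an added example, not code from the Hardware Dev Center documentation. It packages a driver folder into a .cab with makecab.exe using the standard single-cabinet directive set, signs only the cab with the EV certificate selected by thumbprint (the key stays on its token), and verifies the cab's signature before upload. The thumbprint, the timestamp server URL and the package name are placeholders.

```powershell
# Added example, not code from the Hardware Dev Center documentation.
# Packages a driver into a submission cab and signs only the cab with the EV certificate.
# Placeholders (assumptions): thumbprint, RFC 3161 timestamp URL, package folder name.
$ErrorActionPreference = 'Stop'

$EvThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # EV cert on the hardware token
$TsRfc3161    = 'http://timestamp.example.invalid/rfc3161'     # hypothetical RFC 3161 TSA
$Package      = 'MyDriver'                                     # folder holding the .inf, .sys and .cat

# The driver files need not be signed for submission; the dashboard signs them after review.
$files = Get-ChildItem -Path $Package -File | ForEach-Object { "$Package\$($_.Name)" }
if (-not $files) { throw "No files found in .\$Package" }

# Standard makecab directives for one uncompressed-size-unlimited cabinet; DestinationDir
# keeps the package folder name inside the cab, which is how the dashboard expects it.
$ddf = @(
    '.OPTION EXPLICIT'
    '.Set CabinetFileCountThreshold=0'
    '.Set FolderFileCountThreshold=0'
    '.Set FolderSizeThreshold=0'
    '.Set MaxCabinetSize=0'
    '.Set MaxDiskFileCount=0'
    '.Set MaxDiskSize=0'
    '.Set CompressionType=MSZIP'
    '.Set Cabinet=on'
    '.Set Compress=on'
    ".Set CabinetNameTemplate=$Package.cab"
    '.Set DiskDirectoryTemplate=disk1'
    ".Set DestinationDir=$Package"
) + $files
$ddfPath = "$Package.ddf"
Set-Content -Path $ddfPath -Value $ddf -Encoding Ascii

& makecab.exe /f $ddfPath
if ($LASTEXITCODE -ne 0) { throw "makecab failed with exit code $LASTEXITCODE" }
$cab = Join-Path 'disk1' "$Package.cab"

# Sign the cab only, with the EV certificate and a SHA-256 RFC 3161 timestamp.
# The token's PIN prompt appears here; the private key never leaves the device.
& signtool.exe sign /v /sha1 $EvThumbprint /fd sha256 /tr $TsRfc3161 /td sha256 $cab
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# A cab is not a kernel-mode image, so verify under the default Authenticode policy (/pa), not /kp.
& signtool.exe verify /v /pa $cab
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

"Ready to upload: $cab"
```

The timestamp is not optional in practice: without it the dashboard's check of the cab signature depends on the EV certificate still being valid at the moment the submission is processed, and a submission that sits in the queue across a certificate expiry will be rejected.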

OS Support Summary

This table summarizes the driver signing requirements for Windows.

Operating system                      Attestation dashboard signed   HLK test passed dashboard signed   Cross-signed, SHA-1 cert issued before July 29, 2015
Windows Vista                         No                             Yes                                Yes
Windows 7                             No                             Yes                                Yes
Windows 8 / 8.1                       No                             Yes                                Yes
Windows 10                            Yes                            Yes                                Yes
Windows 10 - DG enabled               *Configuration dependent       *Configuration dependent           *Configuration dependent
Windows Server 2008 R2                No                             Yes                                Yes
Windows Server 2012 R2                No                             Yes                                Yes
Windows Server 2016                   No                             Yes                                Yes
Windows Server 2016 - DG enabled      *Configuration dependent       *Configuration dependent           *Configuration dependent
Windows IoT Enterprise                Yes                            Yes                                Yes
Windows IoT Enterprise - DG enabled   *Configuration dependent       *Configuration dependent           *Configuration dependent
Windows IoT Core (1)                  Yes (not required)             Yes (not required)                 Yes (cross-signing also works with certificates issued after July 29, 2015)

*Configuration dependent: with Windows 10 Enterprise edition, organizations can use Device Guard to define custom driver signing requirements. For more information about Device Guard, see Device Guard certification and compliance.

(1) Driver signing is required for manufacturers building retail products (that is, for a non-development purpose) with IoT Core. For a list of approved Certificate Authorities (CAs), see Cross-Certificates for Kernel Mode Code Signing. Note that if UEFI Secure Boot is enabled, drivers must be signed.
