Internal - Temporary Code Signing Certificate for Signing AV Binaries

March 8, 2021

Microsoft is contacting MVI (Microsoft Virus Initiative) Partners about updates in the process of signing AV binaries. They are pushing the MVI partners to adapt Azure Code Signing (ACS) as a long-time solution. Meanwhile, they are directing the MVI Partners to Sectigo for obtaining temporary Code Signing Certificates for signing the AV binaries.

The Following is what the MVI Partner receives from Microsoft (Shared by Microsoft under NDA).
=================================================================================
Long Term: Azure Code Signing

  • Microsoft is targeting a May KB update to modify the code integrity requirements.
  • Client update targets: Windows 10 20H2, 20H1(2004), 19H(1909), RS5(1809),RS4(1803), RS1(1607), TH1(1507), Win 8.1, Win 7 SP1
  • Devices will trust newly signed content with Azure Code Sign cert and legacy cross-signed content.

Temporary Certificate: Obtaining a Temporary Cross-Signed cert

  • You must be an "Active" MVI partner to be approved for a temporary cert
  • Request a Commercial Release Certificate from a Cross-Signed CA
  • These certificates will have an expiration of Dec 1, 2021
  • Note: This cert MUST NOT be used for signing drivers.
=================================================================================

What should We recommend?
We should be recommending the customers to obtain a standard Code Signing Certificate (OV) for their requirement. Microsoft recommends them to obtain the certificate before July 1, 2021.

What does the word “temporary” refers?
As per Microsoft, the word “temporary” means that the certificate will no longer be valid after December 1,2021.

Are we reducing the term of certificate?
We are not reducing the term of the certificate now. It will be decided later in accordance with Microsoft terms. Microsoft have suggested they may revoke these certificates, or the Cross-Signed CA, later this year. They have not decided here yet - further questions from the customer for that should be pointed to Microsoft directly.

For further clarifications about queries from customers / account managers
please reach [email protected]

Note: They can download the Cross-Signed CA from https://crt.sh/?id=162879059.