Kernel-mode signing is deprecated and must be done through the Microsoft Dev Portal. See the link below for details:
https://knowledge.digicert.com/alerts/Kernel-Mode.html
You can dual sign the sys file, but not the cat file as a cat file is not a PE file type.
Remember though, “To install on Windows 10, 8.1, 8, and 7, your driver package can have a single SHA1 signature.” and “SHA1 deprecation does not apply to drivers.”
https://msdn.microsoft.com/windows/hardware/drivers/develop/signing-a-driver-for-public-release
Kernel-Mode Signing with a SHA1 or SHA2 certificate:
Full documentation
Run the following commands to apply the SHA1 signature or the SHA2 signature:
- signtool sign /v /ac "DigiCert High Assurance EV Root CA.crt" /t http://timestamp.digicert.com /sha1 XXSHA1CERTTHUMBPRINTXX DRIVER.SYS
- signtool sign /v /ac "DigiCert High Assurance EV Root CA.crt" /tr http://timestamp.digicert.com /td sha256 /fd sha256 /sha1 XXSHA256CERTTHUMBPRINTXX DRIVER.SYS
NOTE:
XXSHA1CERTTHUMBPRINTXX is the thumbprint of your SHA1 code signing certificate
XXSHA256CERTTHUMBPRINTXX is the thumbprint of your SHA2 code signing certificate
DRIVER.SYS is the driver file you want to sign.
Standard Code Signing (Kernel Mode)
Please follow all of these steps to sign correctly:
- Re-key the certificate, choose Microsoft Kernel-Mode Code for the platform: http://www.digicert.com/code-signing/re-key-code-signing-certificate.htm
- Once you receive the email to download the certificate at EMAIL, please open the link in Internet Explorer and follow these directions: http://www.digicert.com/code-signing/installing-code-signing-certificate.htm
- Next follow these directions starting at "Downloading the Code Signing Cross-Certificate": http://www.digicert.com/code-signing/driver-signing-in-windows-using-signtool.htm
- Once you have the .pfx file and the cross-root you can run the command like this to sign the sys file:
signtool sign /v /ac "C:\test\DigiCert High Assurance EV Root CA.crt" /f "c:\path\to\mycert.pfx" /p pfxpassword /t http://timestamp.digicert.com "C:\path\to\file\file.sys"
- Then verify the signing of the sys file:
signtool verify /kp /v "C:\path\to\file\file.sys"
- Then sign the cat file (After inf2cat is used):
signtool sign /v /ac "C:\test\DigiCert High Assurance EV Root CA.crt" /f "c:\path\to\mycert.pfx" /p pfxpassword /t http://timestamp.digicert.com "C:\path\to\file\file.cat"
- Then verify the signing of the catalog file:
signtool verify /kp /v /c "C:\path\to\file\file.cat"
We highly recommend that you download and read the Microsoft Kernel-Mode Code Signing Walkthrough document.
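The signing and verification steps above, combined into one PowerShell script that stops at the first failed signtool call. This is an added example, not DigiCert's or Microsoft's own code. It assumes signtool.exe is on PATH and that both certificates are installed in the certificate store, so they are selected by thumbprint (/sha1) and no PFX password appears on the command line; it uses signtool's /as option to append the SHA256 signature to the .sys file, and the paths and thumbprints are placeholders.

```powershell
# Added example: dual-sign the .sys, sign the .cat, verify both.
# Assumptions: signtool.exe on PATH; certificates in the certificate store;
# all paths and thumbprints below are placeholders to replace.
$ErrorActionPreference = 'Stop'

$CrossCert = 'C:\test\DigiCert High Assurance EV Root CA.crt'
$Timestamp = 'http://timestamp.digicert.com'
$Sha1Thumb = 'XXSHA1CERTTHUMBPRINTXX'     # thumbprint of the SHA1 certificate
$Sha2Thumb = 'XXSHA256CERTTHUMBPRINTXX'   # thumbprint of the SHA2 certificate
$SysFile   = 'C:\path\to\file\file.sys'
$CatFile   = 'C:\path\to\file\file.cat'   # produced by inf2cat beforehand

function Invoke-SignTool {
    param([string[]]$Arguments)
    # Run signtool and turn a non-zero exit code into a terminating error,
    # so a failed signature never goes unnoticed in a build log.
    & signtool.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Fail early if an input file is missing.
foreach ($path in $CrossCert, $SysFile, $CatFile) {
    if (-not (Test-Path -LiteralPath $path)) { throw "Missing file: $path" }
}

# 1. Primary SHA1 signature on the .sys (legacy /t timestamp).
Invoke-SignTool @('sign', '/v', '/ac', $CrossCert, '/t', $Timestamp,
                  '/sha1', $Sha1Thumb, $SysFile)

# 2. Append (/as) a SHA256 signature with an RFC 3161 timestamp (/tr, /td).
#    Only the PE file is dual signed; the .cat gets a single signature.
Invoke-SignTool @('sign', '/v', '/as', '/ac', $CrossCert, '/tr', $Timestamp,
                  '/td', 'sha256', '/fd', 'sha256', '/sha1', $Sha2Thumb, $SysFile)

# 3. Verify the .sys against the kernel-mode driver signing policy.
Invoke-SignTool @('verify', '/kp', '/v', $SysFile)

# 4. Sign the catalog with a single SHA1 signature.
Invoke-SignTool @('sign', '/v', '/ac', $CrossCert, '/t', $Timestamp,
                  '/sha1', $Sha1Thumb, $CatFile)

# 5. Verify that the .sys is covered by the signed catalog.
Invoke-SignTool @('verify', '/kp', '/v', '/c', $CatFile, $SysFile)
```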