One of my toy projects requires IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY in the PE header to run. I've been testing it with test signing on, but I'm considering buying a cert if I can afford one.
The documents on this are too old, so I'm not sure whether the application would be signed with a cross-signing cert (the kind used for kernel-mode signing) or with an Authenticode code signing cert. Though the latter is much cheaper, even trying it is still not affordable to me.
This article only talks about signing procedures, not cert requirements. This one suggests using the Microsoft Azure Code Signing project, without explaining the details. Raxi on Stack Overflow, in this question, claims that Authenticode signing would be enough, but I cannot find this in any references.
So is Authenticode signing enough to have an executable with IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY run?
Thanks to anyone knowing about this and kind enough to help.
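The flag the question is about is a single bit in the optional header, and whether a binary actually carries it is worth checking before worrying about which certificate to buy. The script below is an added example for this thread, not code from the question or any answer: it walks the MZ/PE headers, reads the DllCharacteristics field (offset 70 of the optional header for both PE32 and PE32+, per the PE/COFF specification), reports which bits are set, and can set or clear FORCE_INTEGRITY in a copy of the image. The `build_minimal_pe` helper constructs a headers-only sample so the code runs offline; it is not a loadable image. Toggling the bit does not sign anything: any existing Authenticode signature is invalidated by the edit and the file must be re-signed with signtool afterwards, and the script says nothing about whether the loader will accept that signature, which is the actual question here.

```python
"""Read or toggle IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY in a PE image.

Added example for this thread, not from the question or answer. Offsets and
flag values are from the PE/COFF specification.
"""
import struct
import sys

IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = 0x0080

# Well-known DllCharacteristics bits (PE/COFF spec).
DLLCHARACTERISTICS_NAMES = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

_DLLCHARACTERISTICS_OFFSET = 70  # same for PE32 (magic 0x10B) and PE32+ (0x20B)


def optional_header_offset(data: bytes) -> int:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' and return the optional header offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad NT signature")
    # COFF file header follows the 4-byte signature; SizeOfOptionalHeader is at +16.
    (size_of_optional,) = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    if size_of_optional < _DLLCHARACTERISTICS_OFFSET + 2 or len(data) < opt + size_of_optional:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    return opt


def get_dll_characteristics(data: bytes) -> int:
    opt = optional_header_offset(data)
    return struct.unpack_from("<H", data, opt + _DLLCHARACTERISTICS_OFFSET)[0]


def has_force_integrity(data: bytes) -> bool:
    return bool(get_dll_characteristics(data) & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY)


def set_force_integrity(data: bytes, enable: bool = True) -> bytes:
    """Return a copy with the bit set or cleared.

    This edits the header only; an Authenticode signature already on the file
    no longer matches afterwards, so the image has to be re-signed.
    """
    out = bytearray(data)
    pos = optional_header_offset(out) + _DLLCHARACTERISTICS_OFFSET
    (value,) = struct.unpack_from("<H", out, pos)
    if enable:
        value |= IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
    else:
        value &= ~IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY & 0xFFFF
    struct.pack_into("<H", out, pos, value)
    return bytes(out)


def describe_dll_characteristics(value: int) -> list:
    return [name for bit, name in sorted(DLLCHARACTERISTICS_NAMES.items()) if value & bit]


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed sample: headers only, no sections. Enough for the parser
    above; it is not a loadable image."""
    size_of_optional = 240 if pe32plus else 224
    e_lfanew = 0x40
    img = bytearray(e_lfanew + 24 + size_of_optional)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", img, e_lfanew + 4, 0x8664 if pe32plus else 0x14C)  # Machine
    struct.pack_into("<H", img, e_lfanew + 20, size_of_optional)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", img, opt + _DLLCHARACTERISTICS_OFFSET, dll_characteristics)
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_minimal_pe(0x0140 | IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY)
    value = get_dll_characteristics(blob)
    print(f"DllCharacteristics = 0x{value:04x}: {describe_dll_characteristics(value)}")
    print("FORCE_INTEGRITY set:", has_force_integrity(blob))
```

Run it with a path to any EXE or DLL to see the flag state; with no argument it inspects the constructed sample. For a real build the supported way to set the bit is the `/INTEGRITYCHECK` linker (or `editbin`) option, and the file must be signed after the header is final.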
I have an Authenticode certificate, and can confirm that it's not enough to be able to successfully load PE files with that flag. I would theoretically be able to if there were a cross-signing chain for the root CA of my Authenticode cert, but only driver signing certificates have a root CA that Microsoft cross-signs.
You would need a kernel mode driver certificate (even if you are not actually making drivers) to sign the executable with.
Supposedly, once Azure Code Signing becomes publicly available (in who knows how long), you would be able to sign files (at no charge) in such a manner that this flag will work.