Test-Signing Driver Packages

In this section, a computer that test-signs drivers for release on Windows Vista and later versions of Windows is referred to as the signing computer. The signing computer must be running Windows XP SP2 or a later version of Windows; it does not have to run the version of Windows that the driver targets. For example, a driver intended for release on Windows 7 can be signed on a computer running Windows Vista.

In order to use the driver signing tools, the signing computer must have the Windows Vista or a later version of the Windows Driver Kit (WDK) installed.

Note  You must use the version of SignTool that is provided in the Windows Vista and later versions of the WDK. Earlier versions of SignTool do not support the kernel-mode code signing policy of Windows Vista and later versions of Windows, so they cannot verify a driver against that policy.

To comply with the kernel-mode code signing policy and the Plug and Play (PnP) device installation signing requirements of Windows Vista and later versions of Windows, you must sign a driver even while it is still under development and test. Which files you sign on the signing computer depends on the driver type, as the following subsections describe.

Note   The Windows code-signing policy requires that a signed catalog file for a driver package be installed in the system component and driver database. PnP device installation automatically installs the catalog file of a PnP driver in the driver database. However, if you use a signed catalog file to sign a non-PnP driver, the installation application that installs the driver must also install the catalog file in the driver database.

PnP Kernel-Mode Boot-Start Driver

To comply with the kernel-mode code signing policy of 64-bit versions of Windows Vista and later versions of Windows, embed a signature in the boot-start driver file as follows:

  1. Test-sign the driver file.

  2. Verify the signature of the test-signed driver file.

Starting with Windows Vista, embedding a signature in a boot-start driver file is optional for 32-bit versions of Windows. Although Windows will check if a kernel-mode driver file has an embedded signature, an embedded signature is not required.

To comply with the PnP device installation signing requirements of Windows Vista and later versions of Windows, you must also test-sign a catalog file for the driver package. If a driver file will also include an embedded signature, embed the signature in the driver file before signing the driver package's catalog file.

You can submit a request to have the Windows Hardware Quality Labs (WHQL) test-sign the catalog file. Alternatively, you can test-sign a catalog file yourself with a test certificate, as follows:

  1. Create a catalog file.

  2. Test-sign the catalog file.

  3. Verify the signature of the test-signed catalog file.

    You can verify the signature of the catalog file itself or the signature of individual files that have corresponding entries in the catalog file.
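The whole procedure for a PnP boot-start driver, from creating a test certificate through verifying the driver file against its signed catalog, as an added example that is not part of the WDK documentation. All names are assumptions: a driver package in C:\drivers\toaster containing toaster.sys and toaster.inf (whose CatalogFile= directive names toaster.cat), a test certificate with the subject "Contoso.com(Test)" in a certificate store called PrivateCertStore, and the catalog built for 64-bit and 32-bit Windows 7. The script is meant to be run from a WDK build-environment prompt so that the WDK's SignTool, MakeCert, CertMgr and Inf2Cat are the ones found on the PATH.

```powershell
# Added example, not part of the WDK documentation. Assumed names: a PnP boot-start
# driver toaster.sys with its INF toaster.inf in C:\drivers\toaster, and a test
# certificate whose subject is "Contoso.com(Test)" kept in the PrivateCertStore store.
# Run in a WDK build environment so the WDK's SignTool, MakeCert, CertMgr and Inf2Cat
# are on the PATH; an older SignTool does not understand the /kp policy.
$ErrorActionPreference = 'Stop'
$PackageDir  = 'C:\drivers\toaster'                     # assumption: driver package directory
$DriverFile  = Join-Path $PackageDir 'toaster.sys'
$CatalogFile = Join-Path $PackageDir 'toaster.cat'      # must match CatalogFile= in toaster.inf
$CertFile    = Join-Path $PackageDir 'ContosoTest.cer'
$CertName    = 'Contoso.com(Test)'                      # assumption: test certificate subject
$CertStore   = 'PrivateCertStore'                       # assumption: store holding its private key

function Invoke-Tool {
    # Runs one WDK command-line tool; a non-zero exit code aborts the script so a
    # failed signing or verification step cannot be overlooked.
    param([string]$Tool, [string[]]$ToolArgs)
    & $Tool @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Tool failed with exit code $LASTEXITCODE" }
}

# 0. One-time setup on the signing computer: make a self-signed test certificate and
#    trust it locally so that 'signtool verify /kp' can build a chain to it. Never
#    install a test certificate on a production machine.
Invoke-Tool makecert @('-r', '-pe', '-ss', $CertStore, '-n', "CN=$CertName", $CertFile)
Invoke-Tool certmgr  @('/add', $CertFile, '/s', '/r', 'localMachine', 'root')
Invoke-Tool certmgr  @('/add', $CertFile, '/s', '/r', 'localMachine', 'trustedpublisher')

# 1. Embed the test signature in the driver file. Do this before building the catalog:
#    the catalog stores the hash of the signed binary, so signing the file afterwards
#    would invalidate its catalog entry.
Invoke-Tool signtool @('sign', '/v', '/s', $CertStore, '/n', $CertName, $DriverFile)

# 2. Verify the embedded signature against the kernel-mode code signing policy (/kp).
Invoke-Tool signtool @('verify', '/v', '/kp', $DriverFile)

# 3. Build the catalog from the INF. Inf2Cat hashes every file the INF copies and
#    writes the catalog named by the INF's CatalogFile= directive; /os lists the
#    target Windows versions (64-bit and 32-bit Windows 7 here).
Invoke-Tool inf2cat  @("/driver:$PackageDir", '/os:7_X64,7_X86', '/verbose')

# 4. Test-sign the catalog with the same certificate.
Invoke-Tool signtool @('sign', '/v', '/s', $CertStore, '/n', $CertName, $CatalogFile)

# 5. Verify the catalog's own signature, then verify the driver file against its
#    catalog entry (/c names the catalog to check the file against).
Invoke-Tool signtool @('verify', '/v', '/kp', $CatalogFile)
Invoke-Tool signtool @('verify', '/v', '/kp', '/c', $CatalogFile, $DriverFile)
```

Two caveats that the commands themselves do not make obvious. First, step 2 and step 5 only succeed on the signing computer because step 0 placed the test certificate in the local Trusted Root Certification Authorities and Trusted Publishers stores; a verification failure after signing usually means that step was skipped. Second, the package produced here is still only test-signed: the test computer must have test-signing enabled (bcdedit /set testsigning on) before the driver will load, and the test certificate should never be deployed outside the test environment.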

Non-PnP Kernel-Mode Boot-Start Driver

To comply with the kernel-mode code signing policy of 64-bit versions of Windows Vista and later versions of Windows, embed a signature in a boot-start driver file as follows:

  1. Test-sign the driver file.

  2. Verify the signature of the test-signed driver file.

Starting with Windows Vista, embedding a signature in a boot-start driver file is optional for 32-bit versions of Windows. Although Windows will check if a kernel-mode driver file has an embedded signature, an embedded signature is not required.

The PnP device installation signing requirements do not apply to non-PnP drivers.

PnP Kernel-Mode Driver that is not a Boot-Start Driver

The kernel-mode code signing policy on 64-bit versions of Windows Vista and later versions of Windows does not require a non-boot PnP driver to have an embedded signature. However, if the driver file will include an embedded signature, embed the signature in the driver file before signing the driver package's catalog file.

For a PnP kernel-mode driver that is not a boot-start driver, signing the catalog file for the driver package complies with the kernel-mode code signing policy on 64-bit versions of Windows Vista and later versions of Windows, as well as the PnP device installation signing requirements for all versions of Windows Vista and later.

You can submit a request to have the Windows Hardware Quality Labs (WHQL) test-sign the catalog file. Alternatively, you can test-sign a catalog file yourself with a test certificate in the same manner as described in this section for test-signing the catalog file of a PnP kernel-mode boot-start driver.

Non-PnP Kernel-Mode Driver that is not a Boot-Start Driver

To comply with the kernel-mode code signing policy of 64-bit versions of Windows Vista and later versions of Windows, embed a signature in the driver file or sign the driver package's catalog file.

Starting with Windows Vista, embedding a signature in a driver file is optional for 32-bit versions of Windows. Although Windows will check if a kernel-mode driver file has an embedded signature, an embedded signature is not required.

The PnP device installation signing requirements do not apply to non-PnP drivers.

Note   Using embedded signatures is generally simpler and more efficient than using a signed catalog file. For more information about the advantages and disadvantages of using embedded signatures versus signed catalog files, see Test Signing a Driver.

To embed a test signature in a file for a non-PnP kernel-mode driver that is not a boot-start driver

  1. Test-sign the driver file.

  2. Verify the signature of the test-signed driver file.

To test-sign a catalog file for a non-PnP kernel-mode driver that is not a boot-start driver

  1. Create a catalog file for the non-PnP driver.

  2. Test-sign the catalog file.

  3. Verify the signature of the test-signed catalog file.
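The catalog route for a non-PnP driver, as an added example that is not part of the WDK documentation. The embedded-signature route for a non-PnP driver is the same SignTool sign and verify commands that are used on a boot-start driver file; this block shows what is different about the catalog route: with no INF for Inf2Cat to read, the catalog is described by hand in a catalog definition file (CDF) and built with MakeCat, and because PnP will not install the catalog for a non-PnP driver, the installer has to add it to the system catalog database itself, which is shown here with SignTool's catdb command. Names are assumptions: a driver tstamp.sys in C:\drivers\tstamp and a test certificate with the subject "Contoso.com(Test)" that already exists in the PrivateCertStore store and is already trusted on the signing computer.

```powershell
# Added example, not part of the WDK documentation. Assumed names: a non-PnP driver
# tstamp.sys in C:\drivers\tstamp and a test certificate with subject "Contoso.com(Test)"
# that already exists in the PrivateCertStore store and is trusted on this computer.
# Run in a WDK build environment so the WDK's MakeCat and SignTool are on the PATH.
$ErrorActionPreference = 'Stop'
$PackageDir  = 'C:\drivers\tstamp'                   # assumption: driver directory
$DriverFile  = Join-Path $PackageDir 'tstamp.sys'
$CdfFile     = Join-Path $PackageDir 'tstamp.cdf'
$CatalogFile = Join-Path $PackageDir 'tstamp.cat'
$CertName    = 'Contoso.com(Test)'                   # assumption: test certificate subject
$CertStore   = 'PrivateCertStore'                    # assumption: store holding its private key

function Invoke-Tool {
    # Runs one WDK command-line tool and aborts on a non-zero exit code.
    param([string]$Tool, [string[]]$ToolArgs)
    & $Tool @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Tool failed with exit code $LASTEXITCODE" }
}

# 1. Write the catalog definition file (CDF). A non-PnP driver has no INF for Inf2Cat
#    to read, so the files to be catalogued are listed by hand. The <hash> prefix makes
#    MakeCat record the file's hash as the entry's tag, and the OSAttr attribute 2:6.0
#    marks the catalog for Windows Vista (NT 6.0) and later.
@"
[CatalogHeader]
Name=tstamp.cat
ResultDir=.
PublicVersion=0x0000001
EncodingType=0x00010001
CATATTR1=0x10010001:OSAttr:2:6.0
[CatalogFiles]
<hash>tstamp.sys=tstamp.sys
"@ | Set-Content -Path $CdfFile -Encoding Ascii

Push-Location $PackageDir      # MakeCat resolves ResultDir and the file list relative to the CWD
try {
    # 2. Create the unsigned catalog from the CDF.
    Invoke-Tool makecat  @('-v', $CdfFile)

    # 3. Test-sign the catalog.
    Invoke-Tool signtool @('sign', '/v', '/s', $CertStore, '/n', $CertName, $CatalogFile)

    # 4. Verify the catalog signature, then verify the driver file against the catalog.
    Invoke-Tool signtool @('verify', '/v', '/kp', $CatalogFile)
    Invoke-Tool signtool @('verify', '/v', '/kp', '/c', $CatalogFile, $DriverFile)

    # 5. Nothing installs a non-PnP driver through PnP, so the installer must add the
    #    signed catalog to the system catalog database itself. SignTool's catdb command
    #    does that (it needs an elevated prompt); /u stores it under a unique name, and
    #    'signtool catdb /r' removes it again at uninstall time.
    Invoke-Tool signtool @('catdb', '/v', '/u', $CatalogFile)
}
finally {
    Pop-Location
}
```

Step 5 is the part that is easy to forget: without it the signed catalog sits next to the driver but is never consulted, and the driver file is treated as unsigned when it is loaded. Step 4 will only pass if the test certificate has already been installed in the signing computer's Trusted Root Certification Authorities store, and, as with any test-signed driver, the test computer must have test-signing enabled before the driver will load.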