Release-Signing a Driver Package's Catalog File

Once the catalog file for a driver package is created or updated, the catalog file can be signed through SignTool. Once signed, the digital signature stored within the catalog file is invalidated if any components of the driver package are modified.

When digitally signing a catalog file, SignTool saves the digital signature within the catalog file. The components of the driver package are not changed by SignTool. However, because the catalog file contains hashed values of the components of the driver package, the digital signature within the catalog file remains valid only as long as the components hash to the same values.

SignTool can also add a time stamp to the digital signature. The time stamp lets you determine when a signature was created and supports more flexible certificate revocation options, if necessary.

The following command line shows how to run SignTool to do the following:

To release-sign the catalog file, run the following command line:

Signtool sign /v /ac MSCV-VSClass3.cer /s MyPersonalStore /n /t


  • The sign command configures SignTool to sign the specified catalog file.

  • The /v option enables verbose operations, in which SignTool displays successful execution and warning messages.

  • The /ac option specifies the name of the file which contains the cross-certificate (MSCV-VSClass3.cer) obtained from the CA. Use the full path name if the cross-certificate is not in the current directory.

  • The /s option specifies the name of the Personal certificate store (MyPersonalStore) that contains the SPC.

  • The /n option specifies the name of the SPC ( that is installed in the specified certificate store.

  • The /t option specifies the URL of the TSA ( which will timestamp the digital signature.

    Important   Including a time stamp provides the necessary information for key revocation in case the signer's code signing private key is compromised.

  • specifies the name of the catalog file, which will be digitally-signed.
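A post-signing check for the steps above, as an added example that is not part of the original topic: it confirms that the catalog's signature is valid, was made with the expected SPC, and carries a time stamp, and optionally checks package files against the catalog with SignTool's verify command. The function name, its parameters and the placeholder values in the sample call are hypothetical.

```powershell
# Added example: release gate for a signed driver package catalog.
# Function and parameter names are hypothetical, not part of SignTool.
function Test-CatalogReleaseSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CatalogPath,
        # Text expected in the signer's subject (the SPC name given to /n).
        [Parameter(Mandatory)] [string] $ExpectedSigner,
        # Optional: package components to verify against the catalog hashes.
        [string[]] $ComponentPath = @()
    )

    $problems = @()
    $sig = Get-AuthenticodeSignature -FilePath $CatalogPath

    # Status is HashMismatch or NotSigned if the catalog itself was altered
    # or never signed.
    if ($sig.Status -ne 'Valid') {
        $problems += "Catalog signature status is $($sig.Status): $($sig.StatusMessage)"
    }
    if ($null -eq $sig.SignerCertificate -or
        $sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
        $problems += "Signer certificate does not match '$ExpectedSigner'"
    }
    # A missing time stamp means /t was omitted or the TSA call failed.
    if ($null -eq $sig.TimeStamperCertificate) {
        $problems += 'Signature carries no time stamp'
    }

    foreach ($file in $ComponentPath) {
        # /kp applies the kernel-mode driver signing policy; /c names the
        # catalog whose hashes the file must match. Non-zero exit = failure.
        & signtool.exe verify /kp /c $CatalogPath $file | Out-Null
        if ($LASTEXITCODE -ne 0) {
            $problems += "Component does not verify against the catalog: $file"
        }
    }

    [pscustomobject]@{
        Catalog  = $CatalogPath
        Passed   = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Sample call; both values are placeholders to replace with your own:
# Test-CatalogReleaseSignature -CatalogPath '<catalog-file>.cat' -ExpectedSigner '<SPC-name>'
```
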

For more information about SignTool and its command-line arguments, see SignTool.

For more information about release-signing driver packages, see Release-Signing Driver Packages.




© 2014 Microsoft