Driver Signing Requirements for Windows
Digital signatures allow administrators and end users who are installing Windows-based software to know whether a legitimate publisher has provided the software package.
In Windows Vista and Windows Server 2008, new features take advantage of code-signing technologies, and new requirements for security in the operating system enforce the use of digital signatures for some kinds of code.
The following digital signature requirements apply to Windows Vista and Windows Server 2008:
- Administrator privilege is required to install unsigned kernel-mode components. This includes device drivers, filter drivers, services, and so on. The requirement applies to all development phases, including pre-release product code and non-product code such as tests.
- x64 versions of Windows Vista and Windows Server 2008 require Kernel Mode Code Signing (KMCS) in order to load kernel-mode software.
- Components in the Windows Vista Protected Media Path (PMP) must be signed for PMP, and all other kernel-mode components must be signed by Microsoft for the Windows Logo Program (formerly "WHQL signature") or Kernel Mode Code Signing, in order to ensure access to premium content.
- Driver binaries that load at boot time ("boot start drivers") must contain an embedded signature, for both x86 and x64 versions of Windows Vista and Windows Server 2008, as described in "Kernel-Mode Code Signing Walkthrough" on this site.
- Installation packages and self-extracting executables downloaded through Internet Explorer must be digitally signed in order to run or install.
- Digital signatures are required for hardware-related drivers and other kernel components submitted for the Windows Logo Program.
- Components must be signed by a certificate that Windows "trusts" as described in the white papers on this site.

- Code Signing for Protected Media Components in Windows Vista
- Code-Signing Best Practices
- Digital Signatures for Kernel Modules on Windows
- Driver Package Integrity During PnP Device Installs
- Installing Test Builds of Inbox Drivers on Windows Vista
- Kernel-Mode Code Signing Walkthrough
- Cross-Certificates for Kernel Mode Code Signing
- "Driver Signing" in the Windows Driver Kit
- Custom Power Settings for Signed Drivers
- Driver Signing for Windows Server 2003
- How to Release-Sign File System Drivers
- Using Authenticode to Digitally Sign Driver Packages