Release-Signing Driver Packages

In this section, a computer that signs drivers for release on Windows Vista and later versions of Windows is referred to as the signing computer. The signing computer must be running Windows XP SP2 or later versions of the Windows operating system. For example, a driver intended for release on Windows 7 can be signed on a computer that is running Windows Vista.

In addition, the signing computer must have the driver signing tools installed.

Note  You must use the version of the SignTool tool that is provided in the Windows Vista and later versions of the Windows Driver Kit (WDK). Earlier versions of this tool do not support the kernel-mode code signing policy for Windows Vista and later versions of Windows.

To comply with the kernel-mode code signing policy and the Plug and Play (PnP) device installation signing requirements of Windows Vista and later versions of Windows, sign a driver for release as follows, based on the type of driver.

Note   The Windows code-signing policy requires that a signed catalog file for a driver be installed in the system component and driver database. PnP device installation automatically installs the catalog file of a PnP driver in the driver database. However, if you use a signed catalog file to sign a non-PnP driver, the installation application that installs the driver must also install the catalog file in the driver database.

PnP Kernel-Mode Boot-Start Driver

To comply with the kernel-mode code signing policy of 64-bit versions of Windows Vista and later versions of Windows, embed a signature in the boot-start driver file as follows:

  1. Release-sign the driver file with a Software Publisher Certificate (SPC).

  2. Verify the SPC signature of the driver file.

Starting with Windows Vista, embedding a signature in a boot-start driver file is optional for 32-bit versions of Windows. Although Windows will check whether a kernel-mode driver file has an embedded signature, an embedded signature is not required.

To comply with the PnP device installation signing requirements of Windows Vista and later versions of Windows, you must obtain a signed catalog file or sign the catalog file of the driver package. If a driver file will also include an embedded signature, embed the signature in the driver file before signing the driver package's catalog file.

If the Hardware Certification Kit (HCK) has a test program for the driver, obtain a WHQL Release Signature for the driver package. If the HCK does not have a test program for the driver, create a catalog file and sign the catalog file as follows:

Signing a catalog file for 64-bit versions

You can sign a catalog file for 64-bit operating systems as follows:

  1. Sign the catalog file with the SPC that was used to embed a signature in the driver file.

  2. Verify the SPC signature of the catalog file. You can verify the signature of a catalog file or you can verify the signatures of the individual file entries in the catalog file.

Signing a catalog file for 32-bit versions

You can either sign the catalog file with an SPC, as described in the section for 64-bit versions, or with a commercial release certificate as follows:

  1. Sign the catalog file with a commercial release certificate.

  2. Verify the signature of the catalog file. You can verify the signature of a catalog file or you can verify the signatures of the individual file entries in the catalog file.
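The SPC path described above for a 64-bit PnP boot-start driver, run end to end, as an added example that is not part of the original page. It embeds and verifies the signature in the driver file before the catalog is created and signed. The package directory, file names, certificate store, subject name, cross-certificate file, timestamp URL and the /os value are placeholder assumptions, as is the use of Inf2Cat to create the catalog.

```powershell
# Added example (not from the original page): release-sign a PnP boot-start
# driver package with an SPC. Every path and name below is a placeholder.
$ErrorActionPreference = 'Stop'

$PackageDir   = 'C:\DriverPackage'                    # hypothetical: holds the INF and driver file
$DriverFile   = Join-Path $PackageDir 'mydriver.sys'  # hypothetical driver binary
$CatalogFile  = Join-Path $PackageDir 'mydriver.cat'  # must match CatalogFile= in the INF
$CrossCert    = 'C:\Certs\CrossCert.cer'              # cross-certificate for the CA that issued the SPC
$CertStore    = 'MyCertStore'                         # hypothetical store that holds the SPC
$SubjectName  = 'Contoso Ltd'                         # hypothetical SPC subject name
$TimestampUrl = 'http://timestamp.example.com'        # placeholder timestamp server

# Run a tool and stop the whole procedure if it reports failure.
function Invoke-Tool {
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# Common signing arguments: cross-certificate, store, subject, timestamp.
$SignArgs = @('sign', '/v', '/ac', $CrossCert, '/s', $CertStore,
              '/n', $SubjectName, '/t', $TimestampUrl)

# 1. Embed the SPC signature in the boot-start driver file.
Invoke-Tool 'signtool.exe' ($SignArgs + $DriverFile)

# 2. Verify the embedded signature against the kernel-mode code signing policy.
Invoke-Tool 'signtool.exe' @('verify', '/kp', '/v', $DriverFile)

# 3. Only now create the catalog, so it is built from the signed driver file.
Invoke-Tool 'Inf2Cat.exe' @("/driver:$PackageDir", '/os:7_X64')

# 4. Sign the catalog with the same SPC that signed the driver file.
Invoke-Tool 'signtool.exe' ($SignArgs + $CatalogFile)

# 5a. Verify the catalog file's own signature.
Invoke-Tool 'signtool.exe' @('verify', '/kp', '/v', $CatalogFile)

# 5b. Verify an individual file entry through the catalog: /kp checks the
#     kernel-mode policy, /pa the default Authenticode policy used for
#     PnP device installation.
Invoke-Tool 'signtool.exe' @('verify', '/kp', '/v', '/c', $CatalogFile, $DriverFile)
Invoke-Tool 'signtool.exe' @('verify', '/pa', '/v', '/c', $CatalogFile, $DriverFile)
```

Run this from a WDK build environment so that the WDK versions of SignTool and Inf2Cat are the ones found on the path.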

Non-PnP Kernel-Mode Boot-Start Driver

To comply with the kernel-mode code signing policy of 64-bit versions of Windows Vista and later versions of Windows, embed a signature in a boot-start driver file as follows:

  1. Release-sign the driver file with an SPC.

  2. Verify the SPC signature of the driver file.

Starting with Windows Vista, embedding a signature in a boot-start driver file is optional for 32-bit versions of Windows. Although Windows will check whether a kernel-mode driver file has an embedded signature, an embedded signature is not required.

The PnP device installation signing requirements do not apply to non-PnP drivers.

PnP Kernel-Mode Driver that is not a Boot-Start Driver

The kernel-mode code signing policy on 64-bit versions of Windows Vista and later versions of Windows does not require that a non-boot-start PnP driver have an embedded signature. However, if the driver file will include an embedded signature, embed the signature in the driver file before signing the driver package's catalog file.

To comply with the PnP device installation signing requirements, you must obtain a signed catalog file or sign the catalog file of the driver package.

If the Hardware Certification Kit (HCK) has a test program for the driver, obtain a WHQL release signature for the driver package. If the HCK does not have a test program for the driver, create a catalog file and sign the catalog file in the same manner as described in this section for signing the catalog file of a PnP kernel-mode boot-start driver.

Non-PnP Kernel-Mode Driver that is not a Boot-Start Driver

To comply with the kernel-mode code signing policy of 64-bit versions of Windows Vista and later versions of Windows, embed a signature in the driver file or sign a catalog file for the driver package.

Starting with Windows Vista, embedding a signature in a driver file is optional for 32-bit versions of Windows. Although Windows will check whether a kernel-mode driver file has an embedded signature, an embedded signature is not required.

The PnP device installation signing requirements do not apply to non-PnP drivers.

Note   Using embedded signatures is generally simpler and more efficient than using a signed catalog file. For more information about the advantages and disadvantages of using embedded signatures versus signed catalog files, see Test Signing a Driver.

To embed a release signature in a file for a non-PnP kernel-mode driver that is not a boot-start driver, follow these steps:

  1. Sign the driver file with an SPC.

  2. Verify the signature of the driver file.

To release-sign a catalog file for a non-PnP kernel-mode driver that is not a boot-start driver, follow these steps:

  1. Create a catalog file for the non-PnP driver.

  2. Sign the catalog file with an SPC.

  3. Verify the SPC signature of the catalog file.

If this type of driver has a signed catalog file instead of an embedded signature, the installation application that installs the driver must install the catalog file in the system component and driver database. For more information, see Installing a Release-Signed Catalog File for a Non-PnP Driver.

 

 

© 2015 Microsoft