Test-Signing a Driver Package's Catalog File
After the catalog file for a driver package is created or updated, the catalog file can be signed through SignTool. Once signed, the digital signature stored within the catalog file is invalidated if any components of the driver package are modified.
When digitally signing a catalog file, SignTool saves the digital signature within the catalog file. The components of the driver package are not changed by SignTool. However, since the catalog file contains hashed values of the components of the driver package, the digital signature within the catalog file is maintained as long as the components hash to the same value.
SignTool can also add a time stamp to the digital signature. The time stamp allows you to determine when a signature was created and supports more flexible certificate revocation options, if necessary.
The following command line shows how to run SignTool to do the following:
Test-sign the tstamd64.cat catalog file of the ToastPkg sample driver package. For more information about how this catalog file was created, see Creating a Catalog File for Test-Signing a Driver Package.
Use the Contoso.com(Test) certificate from the PrivateCertStore for the test signature. For more information about how this certificate was created, see Creating Test Certificates.
Timestamps the digital signature through a time stamp authority (TSA).
To test-sign the tstamd64.cat catalog file, run the following command line:
Signtool sign /v /fd sha256 /s PrivateCertStore /n Contoso.com(Test) /t http://timestamp.digicert.com tstamd64.cat
Where:
The sign command configures SignTool to sign the specified catalog file, tstamd64.cat.
The /v option enables verbose operations, in which SignTool displays successful execution and warning messages.
The /fd option specifies the file digest algorithm to use for creating file signatures. The default is SHA1.
The /s option specifies the name of the certificate store (PrivateCertStore) that contains the test certificate.
The /n option specifies the name of the certificate (Contoso.com(Test)) that is installed in the specified certificate store.
The /t option specifies URL of the TSA (
http://timestamp.digicert.com) which will time stamp the digital signature.Important
Including a time stamp provides the necessary information for key revocation in case the signer's code signing private key is compromised.
tstamd64.cat specifies the name of the catalog file, which will be digitally-signed.
For more information about SignTool and its command-line arguments, see SignTool.
For more information about test-signing a driver package's catalog file, see Test-Signing a Catalog File.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for