Signing a Driver for Public Release
Before you release a driver package to the public, we recommend that you submit the package for certification. For more information, see Windows Hardware Certification and Hardware Dashboard Services. To submit a driver package for certification, you must sign the package with a certificate that you obtain from a trusted certification authority like VeriSign. For more information, see Get a VeriSign Certificate. You will also need a cross certificate, which is provided by Microsoft.
Suppose you have obtained a pair of files from VeriSign: a private key file (PVK) and a software publishing certificate (SPC). Also suppose you have a Microsoft Visual Studio solution that contains a driver project named MyDriver and a driver package project named MyDriver Package. To sign your driver package, follow these steps.
- Use the Pvk2Pfx tool to create a Personal Information Exchange (PFX) certificate. The Pvk2Pfx tool takes your PVK and SPC files as input and creates a single PFX file. For this exercise, assume that your PFX file is named MyCert.pfx.
  Note: Once you have created your PFX file, you can reuse it for other driver projects and on other driver development computers.
- To determine which cross certificate you need, see Cross-Certificates for Kernel Mode Code Signing. Verify that the required cross certificate is in $(BASEDIR)\CrossCertificates, where $(BASEDIR) is the base directory of the Windows kits (for example c:\Program Files (x86)\Windows Kits\8.0\CrossCertificates). If the required cross certificate is not there, download the cross certificate from Microsoft, and copy it to $(BASEDIR)\CrossCertificates.
- In Visual Studio, open the solution that contains the MyDriver and MyDriver Package projects. If the Solution Explorer window is not already open, choose Solution Explorer from the View menu. In the Solution Explorer window, right-click the package project, MyDriver Package, and choose Properties.
- In the property pages for the package, navigate to Configuration Properties > Driver Signing > General. In the Sign Mode drop-down list, select Production Sign. For Production Certificate, do one of the following:
  - Enter the path to your signing certificate (for example c:\Certs\MyCert.pfx).
  - Choose Select From File, and browse to your signing certificate.
  - Choose Select From Store and choose a certificate that you previously imported into a certificate store.
  Note: To import a certificate into a store, right-click the certificate file (PFX file), and choose Install PFX. Follow the instructions in the Certificate Import Wizard.
  Note: If you decide to use a different certificate at a later time, be sure that your new certificate gets imported into the certificate store. If you choose Select From File and browse to your new certificate, the new certificate is imported into the certificate store automatically. However, if you manually enter the path to your new certificate, it is not imported automatically. In that case, you must right-click your new certificate file and choose Install PFX.
- On the Driver Signing > General property page, for TimeStampServer, select one of the time stamp servers in the drop-down list.
  Note: Using one of the time stamp servers in the drop-down list requires that you be connected to the Internet when you build your driver package. If you need to be disconnected from the Internet when you build your driver package, clear the TimeStampServer field.
- In the property pages for the package, navigate to Configuration Properties > Inf2Cat > General. In the Run Inf2Cat drop-down list, select Yes.
- Close the property pages for the package.
- Right-click the driver project, MyDriver, and choose Properties.
- In the property pages for the driver, navigate to Configuration Properties > Driver Signing > General. Set TimeStampServer to the same value that you used in the driver package properties. Set Sign Mode to Production Sign, and set Production Certificate to the same value that you used in the driver package properties.
- When you are ready to build your driver package, press F5. Visual Studio will automatically sign your package and your driver file. If you have configured deployment, Visual Studio will also deploy your signed driver package to a test computer. For more information, see Provision a computer for driver deployment and testing (WDK 8.1).
- After you build your solution, navigate in File Explorer to the folder that contains your driver package. One of the files in the package is a catalog file. The catalog file contains the digital signature for the package. For an example of viewing the files in a signed package, see Writing a KMDF driver based on a template.
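The same production-signing flow can be run from the command line instead of the Visual Studio property pages. The following PowerShell script is an added example, not code from this page or from the WDK; it assumes that pvk2pfx, inf2cat and signtool are on PATH (they ship in the Windows Kits bin directory), and the package folder, certificate file names, cross-certificate file name and timestamp URL are placeholders you replace with your own values. It also covers the boot-start case described later on this page, where a signature is embedded in the driver file in addition to signing the catalog.

```powershell
# Added example (not from the page): production-sign a driver package from the command line.
# All paths, file names and the timestamp URL below are placeholders/assumptions.
$ErrorActionPreference = 'Stop'

$BaseDir         = 'C:\Program Files (x86)\Windows Kits\8.0'              # $(BASEDIR) from the page
$PackageDir      = 'C:\Build\MyDriver Package\x64\Win8Release'            # folder holding MyDriver.inf and MyDriver.sys (assumption)
$CrossCert       = Join-Path $BaseDir 'CrossCertificates\<CrossCertForYourCA>.cer'  # placeholder; see Cross-Certificates for Kernel Mode Code Signing
$TimeStampServer = 'http://<timestamp-server>'                            # placeholder; use one of the servers the drop-down list offers
$Pfx             = 'C:\Certs\MyCert.pfx'
$IsBootStart     = $false                                                  # boot-start drivers also need an embedded signature

# Run an external tool and stop on a non-zero exit code (signtool/inf2cat report failure that way).
function Invoke-Tool {
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# Step 1: the required cross certificate must be present before signing.
if (-not (Test-Path $CrossCert)) {
    throw "Cross certificate not found: $CrossCert. Download it from Microsoft and copy it to $BaseDir\CrossCertificates."
}

# Step 2: Pvk2Pfx combines the private key (PVK) and the software publishing certificate (SPC)
# into one PFX. Done once; the PFX can be reused for other projects and computers.
if (-not (Test-Path $Pfx)) {
    $pvkPassword = Read-Host 'Password for MyKey.pvk'
    $pfxPassword = Read-Host 'Password to set on MyCert.pfx'
    Invoke-Tool 'pvk2pfx' @('-pvk', 'C:\Certs\MyKey.pvk', '-pi', $pvkPassword,
                            '-spc', 'C:\Certs\MyCert.spc', '-pfx', $Pfx, '-po', $pfxPassword)
} else {
    $pfxPassword = Read-Host 'Password for MyCert.pfx'
}

# Step 3: Inf2Cat writes the catalog named by the CatalogFile directive in the INF
# (this is what "Run Inf2Cat = Yes" does in Visual Studio). /os lists the target Windows versions.
Invoke-Tool 'inf2cat' @("/driver:$PackageDir", '/os:8_X64', '/verbose')
$catalog = Join-Path $PackageDir 'MyDriver.cat'    # name set by CatalogFile= in MyDriver.inf (assumption)

# Step 4: production-sign the catalog, which signs the whole package.
# /ac adds the Microsoft cross certificate to the chain; /tr and /td timestamp the signature
# so it stays valid after the signing certificate expires.
Invoke-Tool 'signtool' @('sign', '/v', '/ac', $CrossCert, '/f', $Pfx, '/p', $pfxPassword,
                         '/fd', 'sha256', '/tr', $TimeStampServer, '/td', 'sha256', $catalog)

# Step 5 (boot-start drivers only): embed a signature in the driver file itself, using the
# same certificate that signed the package.
if ($IsBootStart) {
    Invoke-Tool 'signtool' @('sign', '/v', '/ac', $CrossCert, '/f', $Pfx, '/p', $pfxPassword,
                             '/fd', 'sha256', '/tr', $TimeStampServer, '/td', 'sha256',
                             (Join-Path $PackageDir 'MyDriver.sys'))
}
```

The PFX password is passed to signtool with /p and therefore appears in the process command line; on a shared build server, prefer importing the PFX into the store once (Install PFX) and selecting the certificate with /sha1 or /n instead of /f and /p. The /tr timestamp is what keeps the package installable after the certificate's validity period ends, which is why the page tells you to set TimeStampServer before building.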
When your driver package passes the certification tests, it can be signed by Windows Hardware Quality Labs (WHQL). If your driver package is signed by WHQL, it can be distributed through the Windows Update program or other Microsoft-supported distribution mechanisms.
A driver package contains several files. Typically a driver package has one or more driver files, an information file (INF file), and a catalog file. The catalog file contains information about the other files in the package. When you sign the catalog file, the signature in the catalog file serves as the signature for the entire driver package. In other words, signing the catalog file is the same as signing the driver package.
In most cases, it is sufficient to sign the driver package, and it is not necessary to sign individual driver files. Sometimes, however, you need to sign both the package and the individual driver files. For example, boot-start driver files must be individually signed. Signing an individual driver file is referred to as embedding a signature in the driver file.
Suppose you have a Visual Studio solution that contains a driver project named MyDriver and a driver package project named MyDriver Package. Visual Studio provides two sets of property pages: one for MyDriver and one for MyDriver Package. To sign the driver package, set the Driver Signing properties of MyDriver Package. To embed a signature in the individual driver file, set the Driver Signing properties of MyDriver.
When you set the driver package properties for production signing, remember to adjust the signing properties of the individual driver files accordingly. Either turn off signing for the individual driver files, or set the individual driver files to use the same certificate that you specified for the package.
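A quick way to check which of the two signatures a built package actually carries is to verify each driver file once on its own (embedded signature) and once against the catalog (package signature). The function below is an added example, not code from this page or the WDK; it assumes signtool is on PATH and that the package folder and catalog name are the ones from the walkthrough above.

```powershell
# Added example (not from the page): report, for each driver file in a package, whether its
# signature is embedded in the file, comes from the catalog, or both. signtool is assumed to be
# on PATH; the default catalog name and the usage path are assumptions.
function Get-DriverSignatureReport {
    param(
        [Parameter(Mandatory)][string]$PackageDir,
        [string]$CatalogName = 'MyDriver.cat'
    )
    $catalog = Join-Path $PackageDir $CatalogName

    # The catalog's own signature is the package signature: it covers the hashes of the other files.
    $catSig = Get-AuthenticodeSignature -FilePath $catalog
    [pscustomobject]@{
        File              = $CatalogName
        CatalogSignature  = ($catSig.Status -eq 'Valid')
        EmbeddedSignature = $null     # not applicable to the catalog itself
        Signer            = $catSig.SignerCertificate.Subject
    }

    foreach ($sys in Get-ChildItem -Path $PackageDir -Filter '*.sys') {
        # Embedded signature: the .sys verifies on its own under the kernel-mode policy (/kp).
        & signtool verify /q /kp $sys.FullName *> $null
        $embedded = ($LASTEXITCODE -eq 0)

        # Catalog signature: the .sys hash is listed in the signed catalog named with /c.
        & signtool verify /q /kp /c $catalog $sys.FullName *> $null
        $viaCatalog = ($LASTEXITCODE -eq 0)

        # Report the signer of the embedded signature when there is one, else the catalog signer.
        if ($embedded) {
            $signer = (Get-AuthenticodeSignature -FilePath $sys.FullName).SignerCertificate.Subject
        } else {
            $signer = $catSig.SignerCertificate.Subject
        }

        [pscustomobject]@{
            File              = $sys.Name
            CatalogSignature  = $viaCatalog
            EmbeddedSignature = $embedded
            Signer            = $signer
        }
    }
}

# Usage (path is an assumption): a boot-start driver should show EmbeddedSignature = True;
# any other driver needs only CatalogSignature = True. A file that verifies embedded with one
# signer and via catalog with another points at the mismatch the paragraph above warns about.
Get-DriverSignatureReport -PackageDir 'C:\Build\MyDriver Package\x64\Win8Release' | Format-Table -AutoSize
```

Get-AuthenticodeSignature reports only the primary signature of a file, so for packages that carry a second appended signature use signtool verify with /all, as shown further down.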
In some cases, you might want to sign a driver package with two different signatures. For example, suppose you want your driver to run on Windows 7 and Windows 8. Windows 8 supports signatures created with the SHA256 hashing algorithm, but Windows 7 does not. For Windows 7, you need a signature created with the SHA1 hashing algorithm.
Suppose you want to build and sign a driver package that will run on Windows 7 and Windows 8 on x64 hardware platforms. You can sign your driver package with a primary signature that uses SHA1. Then you can append a secondary signature that uses SHA256. You can use the same certificate for both signatures, or you can use separate certificates. Here are the steps to create the two signatures using Visual Studio.
- In the Solution Explorer window, right-click Solution SolutionName, and choose Configuration Manager. For the driver project and the package project, set Configuration to Win7 Release, and set Platform to x64.
- Open the property pages for the driver package. Navigate to Configuration Properties > Driver Signing > General. In the Sign Mode drop-down list, select Production Sign. For Production Certificate, enter the path to your signing certificate.
- In the property pages for the driver package, navigate to Configuration Properties > Custom Build Step > General. For Description, select Performing Custom Build Step. For Execute After, select DriverProductionSign. For Command Line, enter this command.
  Signtool sign /fd sha256 /ph /as /sha1 XX...XX $(TargetPath)
  where XX...XX is the hash of the certificate you are using for the secondary signature.
  Note: To see the hash (also called the thumbprint) of a certificate, open a Command Prompt window and navigate to the directory that contains your certificate. Enter the command certutil -dump CertName.pfx, where CertName.pfx is the name of your certificate.
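The two-signature scheme can also be produced outside Visual Studio. The script below is an added example, not code from this page or the WDK: it applies the SHA1 primary signature from the PFX file, appends the SHA256 secondary signature with the same /fd sha256 /ph /as /sha1 command the custom build step uses, and then lists both signatures. It assumes signtool is on PATH, that the secondary certificate has already been imported into the certificate store (Install PFX), since /sha1 selects a certificate from the store by thumbprint, and that the catalog path, certificate paths and timestamp URL are placeholders you replace.

```powershell
# Added example (not from the page): SHA1 primary signature for Windows 7 plus an appended
# SHA256 secondary signature for Windows 8, applied to the package catalog.
# Paths, certificate files and the timestamp URL are placeholders/assumptions.
$ErrorActionPreference = 'Stop'

$Catalog         = 'C:\Build\MyDriver Package\x64\Win7Release\MyDriver.cat'   # the package project's $(TargetPath) (assumption)
$CrossCert       = 'C:\Program Files (x86)\Windows Kits\8.0\CrossCertificates\<CrossCertForYourCA>.cer'  # placeholder
$PrimaryPfx      = 'C:\Certs\MyCert.pfx'
$SecondaryPfx    = 'C:\Certs\MyCert.pfx'        # same certificate as the primary here; a different one works too
$TimeStampServer = 'http://<timestamp-server>'  # placeholder

# Run an external tool and stop on a non-zero exit code.
function Invoke-Tool {
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# Thumbprint (the XX...XX hash) of the certificate for the secondary signature.
# Get-PfxCertificate prompts for the PFX password; "certutil -dump MyCert.pfx" from the page
# prints the same value as the certificate's SHA1 hash.
$thumbprint = (Get-PfxCertificate -FilePath $SecondaryPfx).Thumbprint

# Primary signature: SHA1 file digest with an Authenticode timestamp (/t), the form Windows 7 accepts.
$pfxPassword = Read-Host 'Password for MyCert.pfx'
Invoke-Tool 'signtool' @('sign', '/v', '/ac', $CrossCert, '/f', $PrimaryPfx, '/p', $pfxPassword,
                         '/fd', 'sha1', '/t', $TimeStampServer, $Catalog)

# Secondary signature: the page's custom build step command (/fd sha256 /ph /as /sha1 <hash>),
# with the cross certificate and an RFC 3161 SHA256 timestamp (/tr, /td) added.
# /as appends instead of replacing the primary signature; /ph generates page hashes.
Invoke-Tool 'signtool' @('sign', '/v', '/ac', $CrossCert, '/fd', 'sha256', '/ph', '/as',
                         '/sha1', $thumbprint, '/tr', $TimeStampServer, '/td', 'sha256', $Catalog)

# Check: /all walks every signature in the file; expect two entries, one SHA1 and one SHA256.
Invoke-Tool 'signtool' @('verify', '/v', '/kp', '/all', $Catalog)
```

Order matters: running the SHA256 sign without /as would overwrite the SHA1 primary signature and leave nothing Windows 7 can validate, which is why the custom build step is set to execute after DriverProductionSign rather than in its place.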
- Signing a Driver
- Windows Hardware Certification
- Hardware Dashboard Services
- Driver Signing Requirements for Windows
- Cross-Certificates for Kernel Mode Code Signing
- Kernel-Mode Code Signing Walkthrough
- Driver Signing
- Installing a Boot-Start Driver
- Tools for Signing Drivers