Table of contents
Collapse the table of content
Expand the table of content

Introduction to Release-Signing

Last Updated: 7/30/2016

Driver packages should be release-signed for the following reasons:

  • To ensure the authenticity, integrity, and reliability of driver packages.

    Windows uses digital signatures to verify the identity of the publisher and to verify that the driver has not been altered since it was published.

  • To provide the best user experience by facilitating automatic driver installation.

    If a driver is not signed, the Plug and Play (PnP) driver installation policy requires that a system administrator manually authorize the installation of an unsigned driver, adding an extra step to the installation process. This extra step can be potentially confusing and bothersome to the average user.

  • To run kernel-mode drivers on 64-bit versions of Windows Vista and later versions of Windows.

    The kernel-mode code signing policy for 64-bit versions of Windows Vista and later requires that kernel-mode drivers be signed in order for the operating system to load the driver.

  • To play back certain types of next-generation premium content, all kernel-mode components in Windows Vista and later versions of Windows must be signed. In addition, all the user-mode and kernel-mode components in the Protected Media Path (PMP) must comply with PMP signing policy. For information about PMP signing policy, see the white paper Code-signing for Protected Media Components in Windows Vista.

The Hardware Certification Kit (HCK) has test categories for a variety of device types. If a test category for the device type is included in this list, the driver publisher should obtain a WHQL release signature for the driver package.

Note On Windows Server 2003, Windows XP, and Windows 2000, the INF file from the WHQL-signed driver package must use a device setup class that is defined in %SystemRoot%/inf/Certclas.inf. Otherwise, Windows treats the driver package as unsigned.

If a driver package is digitally-signed by WHQL, it can be distributed through the Windows Update program or other Microsoft-supported distribution mechanisms. WHQL signs the driver package catalog file, but does not embed signatures in driver files. If a driver is a boot-start driver for 64-bit processors, the driver publisher must also embed a signature in the kernel-mode driver files before submitting the driver package to WHQL.

If the Hardware Certification Kit (HCK) does not have a test category for your device type, you must use the following types of digital signatures to release-sign driver packages on Windows Vista and later versions of Windows:

An SPC and a commercial release certificate are collectively referred to as release certificates and a signature generated with a release certificate is referred to as a release signature.

For more information about the release-signing requirements and procedures, see Release-Signing Driver Packages.

Note To understand the steps that are involved in release-signing driver packages, see How to Release-Sign a Driver Package. This topic provides a summary of the release-signing process, and steps through many examples of release-signing by using the ToastPkg sample driver package within the Windows Driver Kit (WDK).

© 2016 Microsoft