How do I use a Kernel Mode Driver Signing Certificate to sign driver files?

The kernel-mode code signing policy requires that a kernel-mode driver be signed as follows:

  • A kernel-mode boot-start driver must have an embedded Software Publisher Certificate (SPC) signature. This applies to any type of PnP or non-PnP kernel-mode boot-start driver.
  • A non-PnP kernel-mode driver that is not a boot-start driver must have either a catalog file with an SPC signature, or the driver file itself must carry an embedded SPC signature.
  • A PnP kernel-mode driver that is not a boot-start driver must have either an embedded SPC signature, a catalog file with a WHQL release signature, or a catalog file with an SPC signature. Although the kernel-mode code signing policy does not require that the catalog file of a PnP driver be signed, PnP device installation treats a driver as signed only if the catalog file of the driver is also signed.

Like applications, software, code, and scripts, kernel-mode drivers can also be signed with an EV Code Signing Certificate. The benefit of signing a kernel-mode driver is that it lets users verify that the digitally signed driver package comes from a trusted organization or company.

If the driver package has been tampered with after signing, the user is shown a warning at installation time.

Windows 10 now requires an EV code signing certificate for kernel-mode driver signing.

The Process of Signing with EV Code Signing Certificate

Before you sign a kernel-mode driver with an EV Code Signing Certificate, the steps below need to be followed in order:

  1. Prepare EV Code Signing Certificate
  2. Download EV Code Signing Certificate
  3. Signing Kernel-Mode Drivers Using EV Code Signing Certificate

For Signing your Kernel-Mode Driver

  • Open a Command Prompt in admin mode:
      • Go to Windows Start and type cmd.
      • Right-click on Command Prompt and click Run as administrator.
  • Run the command below in the Command Prompt:

signtool sign /v /ac "C:\path\CA-Name High Assurance EV Root CA.crt" /tr http://timestamp.<CA-Name>.com /td sha256 /fd sha256 /s my /n "Subject Name" "c:\path\to\ExampleFileSigned.cat"

  • If the process was successful, you will see the response below, informing you that the file is signed and timestamped:

c:\Code>signtool sign /v /ac "C:\path\CA-Name High Assurance EV Root CA.crt" /tr http://timestamp.<CA-Name>.com /td sha256 /fd sha256 /s my /n "Subject Name" "c:\path\to\ExampleFileSigned.cat"
Done Adding Additional Store.
Successfully signed and timestamped: ExampleFileSigned.cat
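As an added example (not from the original page), the PowerShell script below wraps the signtool command above and then checks the result under the kernel-mode driver policy and inspects the signature's signer, EKU and timestamp. It assumes signtool.exe from the Windows SDK is on PATH; the cross-certificate path, timestamp URL and subject name are the page's placeholders and must be replaced with your CA's values.

```powershell
# Added example: sign a driver file (.sys or .cat) with the same switches as the page's
# command, then verify it the way the kernel-mode policy will. Placeholder values below
# (cross-certificate path, timestamp URL, subject name) must be replaced with your own.
param(
    [Parameter(Mandatory)] [string] $File,
    [string] $CrossCert    = 'C:\path\CA-Name High Assurance EV Root CA.crt',
    [string] $TimestampUrl = 'http://timestamp.<CA-Name>.com',
    [string] $SubjectName  = 'Subject Name'
)

function Invoke-DriverSign {
    param([string] $Path, [string] $CrossCert, [string] $TimestampUrl, [string] $SubjectName)
    # /ac adds the CA cross-certificate to the chain, /tr + /td request an RFC 3161 SHA-256
    # timestamp, /fd hashes the file with SHA-256, /s my /n picks the signing certificate
    # from the current user's Personal store by subject name.
    & signtool sign /v /ac $CrossCert /tr $TimestampUrl /td sha256 /fd sha256 /s my /n $SubjectName $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }
}

function Test-DriverSignature {
    param([string] $Path)
    # /kp verifies against the kernel-mode driver signing policy rather than the
    # default Authenticode policy, which is the check that matters for a driver.
    & signtool verify /v /kp $Path
    $policyOk = ($LASTEXITCODE -eq 0)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    # A timestamp keeps the signature valid after the signing certificate expires.
    $hasTimestamp = $null -ne $sig.TimeStamperCertificate
    # id-kp-codeSigning (1.3.6.1.5.5.7.3.3) must be among the signer's EKUs.
    $codeSigningEku = $sig.SignerCertificate.EnhancedKeyUsageList |
        Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.3' }

    [pscustomobject]@{
        File           = $Path
        KernelPolicyOk = $policyOk
        Status         = $sig.Status          # expect 'Valid'
        Signer         = $sig.SignerCertificate.Subject
        Timestamped    = $hasTimestamp
        CodeSigningEku = [bool] $codeSigningEku
    }
}

Invoke-DriverSign -Path $File -CrossCert $CrossCert -TimestampUrl $TimestampUrl -SubjectName $SubjectName
$result = Test-DriverSignature -Path $File
$result | Format-List
if (-not ($result.KernelPolicyOk -and $result.Status -eq 'Valid' -and $result.Timestamped)) { exit 1 }
```

Run it from the elevated Command Prompt described above, e.g. `powershell -File Sign-Driver.ps1 -File "c:\path\to\ExampleFileSigned.cat"`; a non-zero exit code means the signature would not pass the kernel-mode policy or lacks a timestamp.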