How do I use a Kernel Mode Driver Signing Certificate to sign driver files?
The kernel-mode code signing policy requires that a kernel-mode driver be signed as follows:
- A kernel-mode boot-start driver must have an embedded Software Publisher Certificate (SPC) signature. This applies to any type of PnP or non-PnP kernel-mode boot-start driver.
- A non-PnP kernel-mode driver that is not a boot-start driver must have either a catalog file with an SPC signature or the driver file must include an embedded SPC signature.
- A PnP kernel-mode driver that is not a boot-start driver must have either an embedded SPC signature, a catalog file with a WHQL release signature, or a catalog file with an SPC signature. Although the kernel-mode code signing policy does not require that the catalog file of a PnP driver be signed, PnP device installation treats a driver as signed only if the catalog file of the driver is also signed.
Like applications and scripts, kernel-mode drivers can be signed with an EV code signing certificate. The signature lets Windows and the user verify that a driver package comes from the organization named in the certificate and has not been modified since it was signed.
If the driver file or its catalog has been tampered with after signing, the signature no longer validates and Windows warns the user at installation time.
Windows 10 requires an EV code signing certificate for kernel-mode driver signing. Note that since Windows 10 version 1607, a system with Secure Boot enabled only loads new kernel-mode drivers that carry a Microsoft signature obtained through the Windows Hardware Dev Center (attestation or HLK signing); the EV certificate is what you use to register with the Dev Center and to sign the submission. A driver signed directly with the EV certificate and a CA cross-certificate, as shown below, loads only on systems that still accept cross-signed drivers (earlier Windows versions, or Windows 10 with Secure Boot disabled).
The Process of Signing with EV Code Signing Certificate
Signing a kernel-mode driver with an EV code signing certificate involves three stages:
- Obtain the EV code signing certificate from your CA (order it and complete the extended validation)
- Download the EV code signing certificate onto the hardware token supplied by the CA (EV private keys must be kept on a hardware device, so the key is never exported to disk)
- Sign the kernel-mode driver with the EV code signing certificate using SignTool
To sign your kernel-mode driver:
- Open a Command Prompt as administrator:
- Go to Windows Start and type cmd.
- Right-click Command Prompt and click Run as administrator.
- Run the command below (signtool.exe ships with the Windows SDK and WDK and must be on the PATH). Replace the cross-certificate path passed to /ac, the /tr timestamp server URL and the /n subject name with the values for your CA and your certificate; /fd sha256 and /td sha256 select SHA-256 for the file digest and the timestamp digest respectively:
signtool sign /v /ac "C:\path\CA-Name High Assurance EV Root CA.crt" /tr http://timestamp.<CA-Name>.com /td sha256 /fd sha256 /s my /n "Subject Name" "c:\path\to\ExampleFileSigned.cat"
- If the process was successful, you will see output like the following, confirming that the file was signed and timestamped:
c:\Code>signtool sign /v /ac "C:\path\CA-Name High Assurance EV Root CA.crt" /tr http://timestamp.<CA-Name>.com /td sha256 /fd sha256 /s my /n "Subject Name" "c:\path\to\ExampleFileSigned.cat"
Done Adding Additional Store.
Successfully signed and timestamped: ExampleFileSigned.cat
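The following PowerShell script is an added example, not part of the original page, that carries the procedure above through end to end for a complete driver package: it generates the catalog with Inf2Cat (from the WDK), signs both the catalog and the .sys with the EV certificate on the hardware token, timestamps them, and then checks the result against the kernel-mode driver signing policy with signtool verify /kp and against the tamper-detection behaviour described earlier with Get-AuthenticodeSignature. Every path, the package and certificate names, the cross-certificate file and the timestamp URL are placeholders you must replace; the Inf2Cat /os value assumes a 64-bit Windows 10 target.

```powershell
# Added example (not code from the original page): catalog, sign, timestamp and verify a
# kernel-mode driver package with an EV code signing certificate held on a hardware token.
# All names and paths below are assumptions; replace them with your own values.

$PackageDir   = 'C:\drivers\ExampleDriver'                         # assumed: contains ExampleDriver.inf and ExampleDriver.sys
$DriverFile   = Join-Path $PackageDir 'ExampleDriver.sys'
$CatalogFile  = Join-Path $PackageDir 'ExampleDriver.cat'          # must match the CatalogFile= entry in the INF
$CrossCert    = 'C:\certs\CA-Name High Assurance EV Root CA.crt'   # assumed: cross-certificate supplied by your CA
$TimestampUrl = 'http://timestamp.example-ca.com'                  # assumed: your CA's RFC 3161 timestamp server
$SubjectName  = 'Example Corp'                                     # assumed: subject of the EV certificate in the 'my' store

# Run a native tool and fail the script on a non-zero exit code, so a silent signing
# failure cannot produce an unsigned package that is shipped by mistake.
function Invoke-Tool {
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Generate the catalog for the package. The /os list must cover every OS the INF targets;
#    Inf2Cat also validates the INF and refuses to build a catalog for a broken package.
Invoke-Tool 'Inf2Cat.exe' @("/driver:$PackageDir", '/os:10_X64', '/verbose')

# 2. Signing options shared by catalog and driver file:
#    /ac   adds the CA's cross-certificate so the chain reaches a root Windows trusts for kernel code
#    /tr   RFC 3161 timestamp, so the signature stays valid after the certificate expires
#    /fd and /td select SHA-256 for the file digest and the timestamp digest
#    /s my /n selects the EV certificate from the current user's personal store; the private key
#    lives on the token, so the CSP prompts for the token PIN during signing.
$SignArgs = @('sign', '/v', '/ac', $CrossCert, '/tr', $TimestampUrl, '/td', 'sha256',
              '/fd', 'sha256', '/s', 'my', '/n', $SubjectName)

# Sign the catalog (PnP installation needs it) and also embed a signature in the .sys,
# which is mandatory if the driver is boot-start.
Invoke-Tool 'signtool.exe' ($SignArgs + $CatalogFile)
Invoke-Tool 'signtool.exe' ($SignArgs + $DriverFile)

# 3. Verify against the kernel-mode code signing policy (/kp): once through the catalog (/c),
#    once against the embedded signature. Both must pass before the package is released.
Invoke-Tool 'signtool.exe' @('verify', '/v', '/kp', '/c', $CatalogFile, $DriverFile)
Invoke-Tool 'signtool.exe' @('verify', '/v', '/kp', $DriverFile)

# 4. Independent check of the embedded signature. Status is 'Valid' for an intact, trusted file;
#    a file modified after signing reports 'HashMismatch', which is the condition behind the
#    install-time warning mentioned above.
$sig = Get-AuthenticodeSignature -FilePath $DriverFile
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for ${DriverFile}: $($sig.Status) - $($sig.StatusMessage)"
}
'{0}: signed by "{1}", timestamped by "{2}"' -f $DriverFile,
    $sig.SignerCertificate.Subject, $sig.TimeStamperCertificate.Subject
```

Run the script from an elevated PowerShell session with the token inserted; the PIN prompt appears twice, once per signed file. The two verify calls are the useful part for a practitioner: signtool verify without /kp only checks ordinary Authenticode trust and will happily pass a driver that the kernel will still refuse to load.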