11.3. Windows Digital Driver Signing and Certification

11.3.1. Overview

Before distributing your driver, you may digitally sign it using Microsoft's Authenticode mechanism, and/or certify it by submitting it to Microsoft's Windows Certification Program (HLK/HCK/WLP).
Some Windows operating systems, such as Windows 7, do not require installed drivers to be digitally signed or certified; only a warning popup appears. There are, however, advantages to getting your driver digitally signed or fully certified, including the following:

  • Driver installation on systems where installing unsigned drivers has been blocked
  • Avoiding warnings during driver installation
  • Full pre-installation of INF files [11.1] on Windows 7 and higher

64-bit versions of Windows 8 and higher require Kernel-Mode Code Signing (KMCS) of software that loads in kernel mode. This has the following implications for WinDriver-based drivers:

  • Drivers that are installed via an INF file must be distributed together with a signed catalog file (see details in Section 11.3.2).

During driver development, please configure your Windows OS to temporarily allow the installation of unsigned drivers.

For more information about digital driver signing and certification, refer to the following documentation in the Microsoft Development Network (MSDN) library:

Some of the documentation may still use old terminology. For example, references to the Windows Logo Program (WLP), the Windows Hardware Quality Labs (WHQL), the Windows Certification Program, or the Windows Hardware Certification Kit (HCK) should be replaced with the Windows Hardware Lab Kit (HLK), and references to the Windows Quality Online Services (Winqual) should be replaced with the Windows Dev Center Hardware Dashboard Services (the Hardware Dashboard).

Authenticode Driver Signature

The Microsoft Authenticode mechanism verifies the authenticity of a driver's provider. It allows driver developers to include information about themselves and their code with their programs through the use of digital signatures, and informs users of the driver that the driver's publisher is participating in an infrastructure of trusted entities.
The Authenticode signature does not, however, guarantee the code's safety or functionality.

The WinDriver\redist\windrvr1260.sys driver has an Authenticode digital signature.

Windows Certification Program

Microsoft's Windows Certification Program (previously known as the Windows Logo Program (WLP)) lays out procedures for submitting hardware and software modules, including drivers, for Microsoft quality assurance tests. Passing the tests qualifies the hardware/software for Microsoft certification, which verifies both the driver provider's authenticity and the driver's safety and functionality.

To digitally sign and certify a device driver, a Windows Hardware Lab Kit (HLK) package, which includes the driver and the related hardware, should be submitted to the Windows Certification Program for testing, using the Windows Dev Center Hardware Dashboard Services (the Hardware Dashboard).

Jungo's professional services unit provides a complete Windows driver certification service for Jungo-based drivers. Professional engineers efficiently perform all the tests required by the Windows Certification Program, relieving customers of the expense and stress of in-house testing. Jungo prepares an HLK / HCK submission package containing the test results, and delivers the package to the customer, ready for submission to Microsoft.
For more information, refer to http://www.jungo.com/st/services/windows_drivers_certification/.

For detailed information regarding Microsoft's Windows Certification Program and the certification process, refer to the MSDN Windows Hardware Certification page — http://msdn.microsoft.com/library/windows/hardware/gg463010.aspx — and to the documentation referenced from that page, including the MSDN Windows Dev Center — Hardware Dashboard Services page — http://msdn.microsoft.com/library/windows/hardware/gg463091.

11.3.2. Driver Signing and Certification of WinDriver-Based Drivers

As indicated above, the WinDriver\redist\windrvr1260.sys driver has an embedded Authenticode signature. Since WinDriver's kernel module (windrvr1260.sys) is a generic driver, which can be used as a driver for different types of hardware devices, it cannot be submitted to Microsoft's Windows Certification Program as a standalone driver. However, once you have used WinDriver to develop a Windows driver for your selected hardware, you can submit both the hardware and driver for Microsoft certification, as explained below.

The driver certification and signature procedures — either via Authenticode or the Windows Certification Program — require the creation of a catalog file for the driver. This file is a sort of hash, which describes other files. The signed windrvr1260.sys driver is provided with a matching catalog file — WinDriver\redist\windrvr1260.cat. This file is assigned to the CatalogFile entry in the windrvr1260.inf file (provided as well in the redist directory). This entry is used to inform Windows of the driver's signature and the relevant catalog file during the driver's installation.

When the name, contents, or even the date of the files described in a driver's catalog file is modified, the catalog file, and consequently the driver signature associated with it, become invalid. Therefore, if you choose to rename the windrvr1260.sys driver [11.2] and/or the related windrvr1260.inf file, the windrvr1260.cat catalog file and the related driver signature will become invalid.

In addition, when using WinDriver to develop a driver for your Plug-and-Play device, you normally also create a device-specific INF file that registers your device to work with the windrvr1260.sys driver module (or a renamed version of this driver). Since this INF file is created at your site, for your specific hardware, it is not referenced from the windrvr1260.cat catalog file and cannot be signed by Jungo a priori.
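After a rename or the addition of a device-specific INF, every INF in the package has to name a catalog that actually covers the package, and a leftover reference to windrvr1260.cat is the typical mistake. The following pre-signing check is an added example, not part of WinDriver or of Microsoft's tooling; the file names my_driver.* and my_device.inf and the sample INF text are constructed for illustration.

```python
import re

# Catalog shipped by Jungo; it stops matching once files are renamed or added.
VENDOR_CAT = "windrvr1260.cat"

def catalog_entries(inf_text):
    """Return the CatalogFile* values found in the [Version] section of an INF."""
    section, found = None, []
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts an INF comment
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "version" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            # Accept decorated keys such as CatalogFile.NTamd64 as well.
            if key.lower().split(".")[0] == "catalogfile" and value:
                found.append(value.strip('"'))
    return found

def check_package(infs, package_files, new_cat):
    """infs: {INF name: text}; package_files: shipped names; new_cat: your catalog."""
    shipped = {f.lower() for f in package_files}
    problems = []
    if new_cat.lower() not in shipped:
        problems.append(f"{new_cat}: catalog is not in the package")
    for name, text in infs.items():
        cats = catalog_entries(text)
        if not cats:
            problems.append(f"{name}: no CatalogFile entry in [Version]")
        for cat in cats:
            if cat.lower() == VENDOR_CAT and new_cat.lower() != VENDOR_CAT:
                problems.append(f"{name}: still references {VENDOR_CAT}")
            elif cat.lower() != new_cat.lower():
                problems.append(f"{name}: references {cat}, expected {new_cat}")
    return problems

# Constructed sample: renamed driver INF plus a device-specific INF.
SAMPLE_INFS = {
    "my_driver.inf": "[Version]\nSignature=\"$WINDOWS NT$\"\nCatalogFile=windrvr1260.cat\n",
    "my_device.inf": "[Version]\nSignature=\"$WINDOWS NT$\"\n;CatalogFile=my_driver.cat\n",
}
SAMPLE_FILES = ["my_driver.sys", "my_driver.inf", "my_device.inf", "my_driver.cat"]

if __name__ == "__main__":
    for problem in check_package(SAMPLE_INFS, SAMPLE_FILES, "my_driver.cat"):
        print(problem)
```

The check covers INF references only; it does not validate the catalog's hashes or its signature.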

When renaming windrvr1260.sys and/or creating a device-specific INF file for your device, you have two alternative options regarding your driver's digital signing:

  • Do not digitally sign your driver. If you select this option, remove or comment-out the reference to the windrvr1260.cat file from the windrvr1260.inf file (or your renamed version of this file).
  • Submit your driver to the Windows Certification Program, or have it Authenticode signed.
    Note that while renaming WinDriver\redist\windrvr1260.sys nullifies the driver's digital signature, the driver is still compliant with the certification requirements of the Windows Certification Program.

    To digitally sign/certify your driver, follow these steps:

    • Create a new catalog file for your driver, as explained in the Windows Certification Program documentation. The new file should reference both windrvr1260.sys (or your renamed driver) and any INF files used in your driver's installation.
    • Assign the name of your new catalog file to the CatalogFile entry in your driver's INF file(s). (You can either change the CatalogFile entry in the windrvr1260.inf file to refer to your new catalog file, and add a similar entry in your device-specific INF file; or incorporate both windrvr1260.inf and your device INF file into a single INF file that contains such a CatalogFile entry).
    • Submit your driver to Microsoft's Windows Certification Program or for an Authenticode signature. If you wish to submit your driver to the Windows Certification Program, refer to the additional guidelines in Section

      Note that many WinDriver customers have already successfully digitally signed and certified their WinDriver-based drivers.

HCK Test Notes

As indicated in Microsoft's documentation, before submitting the driver for testing and certification you need to download the Windows Hardware Certification Kit (HCK), and run the relevant tests for your hardware/software. After you have verified that you can successfully pass the HCK tests, create the required logs package and proceed according to Microsoft's documentation. For more information, refer to the MSDN Windows Hardware Certification Kit (HCK) page — http://msdn.microsoft.com/library/windows/hardware/hh833788.