Tags: windows, driver, device-driver, code-signing-certificate, driver-signing

How to Sign My Driver? And is it necessary?


I'm a little bit confused about Windows certification and want to ask some questions. The first one is: is it necessary for a driver to be signed by a trusted third-party company so that Windows doesn't show a security dialog box during installation? I'm asking this in relation to this paper on MSDN: http://msdn.microsoft.com/en-us/library/windows/hardware/ff544703(v=vs.85).aspx

Actually, my goal is that Windows doesn't prompt this dialog box during the installation of my product. For that, is it necessary to pass the HCK tests?

Another question is: what is the Windows Logo?

My last question is: can I make a third-party trusted certificate with makecert.exe?

Thanks a lot and best regards.

Tunahan


Solution

  • Having a signed application/driver will remove the warning that you are referring to. In Windows 8 you MUST sign your code or it will be blocked from installing (unless you disable driver signature check).

    You need to buy a code signing certificate from a third party vendor like Digicert or Thawte. Since you're making drivers, you need to determine what type of certificate is required. If this is a kernel mode driver then you need a special kind of certificate. It is usually different than a certificate used to sign a user space application. On a side note, if you sign a user space application the user will still be prompted to allow but just won't have the scary red warning image.

    So, to answer your questions:

    1. Is it necessary driver sign by a trusted third party company for windows doesn't show a dialog box about security during installation?

       Yes.

    2. does it necessary pass HCK tests?

       Yes, unless you fall under the unclassified category. See here: http://msdn.microsoft.com/en-us/library/windows/hardware/gg463036.aspx

    3. What is the Windows Logo?

       Just a logo. Shows that your hardware is Windows certified. It's like getting USB certified so that you can put a USB compliant sticker on your hardware.

    4. can I make a third party trusted certificate with a makecert.exe?

       No. Go buy one from a vendor. We use Digicert because they have fair prices and I like the security of the hard token.

    Update for Windows 10: Kernel mode drivers now have more stringent signing requirements. The above information is specific to user-mode applications and drivers. For a great Q/A session see this blog link from OSR: https://www.osr.com/blog/2015/07/24/questions-answers-windows-10-driver-signing/
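
To see on a test machine why a makecert.exe certificate does not count as trusted while a vendor-issued one does, the following PowerShell function reports a file's Authenticode status and whether its signer certificate chains to a root that Windows trusts. It is an added example, not part of the original answer; the function name `Test-DriverSignature` and the file path are hypothetical placeholders.

```powershell
# Added example (not from the original answer).
# Reports the Authenticode status of a file and whether the signer
# certificate chains to a root in the machine's trusted root store.
function Test-DriverSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    $result = [ordered]@{
        File          = $Path
        Status        = $sig.Status         # e.g. Valid, NotSigned, NotTrusted, HashMismatch
        StatusMessage = $sig.StatusMessage
        Subject       = $null
        Issuer        = $null
        SelfSigned    = $null
        ChainTrusted  = $null
        ChainErrors   = @()
        Timestamped   = [bool]$sig.TimeStamperCertificate
    }

    if ($cert) {
        $result.Subject    = $cert.Subject
        $result.Issuer     = $cert.Issuer
        # A certificate whose subject equals its issuer is self-signed.
        $result.SelfSigned = ($cert.Subject -eq $cert.Issuer)

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Skip revocation lookups so the check also works offline.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        try {
            # Build() returns $false when the chain ends in an untrusted root.
            $result.ChainTrusted = $chain.Build($cert)
            $result.ChainErrors  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        } finally {
            $chain.Reset()
        }
    }

    [pscustomobject]$result
}

# Placeholder path: point this at your own driver binary or catalog file.
# Test-DriverSignature -Path 'C:\path\to\mydriver.sys'
```

A file signed with a self-signed test certificate whose root is not installed on the machine will typically show `SelfSigned = True`, `ChainTrusted = False` and `UntrustedRoot` in `ChainErrors`. This checks general Windows certificate trust only, not the kernel-mode signing policy mentioned in the Windows 10 update above.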