Vendor-Supplied Authenticode Signatures

If WHQL has a test program for the driver's device setup class, you should obtain a WHQL digital signature for your driver package. However, if WHQL does not have a test program for your device setup class, you can sign your driver package using Microsoft® Authenticode technology. For more information, see the Signing Code with Microsoft Authenticode Technology Web site. Authenticode signatures are supported by Microsoft Windows® Server 2003 and later versions.

An Authenticode signature ensures that a driver package came from its publisher, and it protects the package from alteration after publication. It consists of a catalog file that a vendor signs using Authenticode.

To sign a driver package with an Authenticode signature

  1. Obtain a digital certificate from a Certificate Authority.
  2. Obtain the Microsoft code signing tools that are available at the Authenticode For Internet Explorer Web site. These tools include MakeCat, SignCode, and ChkTrust, and they are documented in the Platform SDK.
  3. Include the signed catalog file with the driver package and specify the signed catalog file using an appropriate CatalogFile.xxx entry in the Version Section of the INF file for the driver package.
  4. Copy the driver package files to a single directory.
  5. Create a catalog definition file (.cdf) using a text editor. A .cdf file contains a list of the files to be cataloged and their attributes. For more information about the contents of a catalog definition file, see the Platform SDK documentation on the MakeCat tool.
  6. Create an unsigned catalog file (.cat) for the driver package by using the MakeCat tool. The MakeCat tool creates the .cat file based on the information in a .cdf file. The catalog file contains hashes and attributes of the driver package files. Using a catalog file allows the user to sign only one file (the catalog file) instead of signing numerous individual files. For example, the following command creates a catalog file based on the information in filename.cdf. (The filename.cdf file must be in the same directory as the files to be signed.)
    MakeCat -v -r <path to files to be signed>\<filename.cdf>
    
  7. Sign the catalog file by using the SignCode tool. A typical example of the command used to sign a catalog file is as follows:
    SignCode -n "Friendly name for driver package" -v <path to your private key> -spc <path to the digital certificate obtained from a Certificate Authority> <catalog file name>
    
  8. Verify the catalog by using the ChkTrust tool. A typical example of the command used to verify a signed catalog file is as follows:
    ChkTrust -q <path to the signed catalog file>
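The procedure above carried through end to end, as an added PowerShell example that is not from the original page: it writes the catalog definition file for steps 5 and 6 and then runs MakeCat, SignCode and ChkTrust from steps 6 through 8, stopping on the first non-zero exit code. The package directory, catalog name, .pvk/.spc paths and friendly name are assumptions; the .cdf field layout follows the MakeCat documentation the page points to.

```powershell
# Added example (not from the original page): build a .cdf for a constructed driver
# package, then run MakeCat, SignCode and ChkTrust as described in steps 5-8.
$PackageDir  = 'C:\drivers\sampledrv'   # step 4: all package files in one directory (assumed)
$CatalogName = 'sampledrv.cat'          # must match the CatalogFile= entry in the INF [Version] section
$Spc = 'C:\certs\vendor.spc'            # certificate obtained from the CA (assumed path)
$Pvk = 'C:\certs\vendor.pvk'            # matching private key (assumed path)

# .cdf layout per the MakeCat docs: [CatalogHeader] names the output catalog and its
# attributes; [CatalogFiles] lists every file to hash as <hash>tag=relative path.
# OSAttr 2:5.2 marks the catalog for Windows Server 2003, the earliest OS the page names.
$files   = Get-ChildItem -Path $PackageDir -File |
           Where-Object { $_.Extension -notin '.cdf', '.cat' }
$entries = $files | ForEach-Object { "<hash>$($_.Name)=$($_.Name)" }

$cdf = @"
[CatalogHeader]
Name=$CatalogName
PublicVersion=0x0000001
EncodingType=0x00010001
CATATTR1=0x10010001:OSAttr:2:5.2

[CatalogFiles]
$($entries -join "`r`n")
"@
$cdfPath = Join-Path $PackageDir 'sampledrv.cdf'
Set-Content -Path $cdfPath -Value $cdf -Encoding Ascii

Push-Location $PackageDir   # MakeCat resolves [CatalogFiles] entries relative to the .cdf
try {
    # Step 6: unsigned catalog holding the hash of every listed package file
    & MakeCat -v -r $cdfPath
    if ($LASTEXITCODE -ne 0) { throw "MakeCat failed ($LASTEXITCODE)" }

    # Step 7: Authenticode-sign the catalog only; the package files themselves are untouched
    & SignCode -n 'Sample Driver Package' -v $Pvk -spc $Spc $CatalogName
    if ($LASTEXITCODE -ne 0) { throw "SignCode failed ($LASTEXITCODE)" }

    # Step 8: confirm the signature verifies before the package is shipped
    & ChkTrust -q $CatalogName
    if ($LASTEXITCODE -ne 0) { throw "ChkTrust rejected $CatalogName ($LASTEXITCODE)" }
    Write-Host "Signed and verified $CatalogName"
}
finally { Pop-Location }
```

Run it from a shell where the Platform SDK tools are on the PATH; any file added to or changed in the package directory after signing will no longer match the hashes recorded in the catalog.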

For more information about using Authenticode signatures, see the following topics:

Using Vendor-Supplied Authenticode Signatures To Authenticate Drivers

Using SetupAPI To Verify Driver Authenticode Signatures