Creating a Digital Signature for Windows Drivers
Digitally signing your kernel-mode drivers proves who published them and that they have not been modified since, and it is mandatory: 64-bit Windows refuses to load unsigned kernel-mode code. This guide walks you through the process.
Understanding Digital Signatures
A digital signature is a cryptographic mechanism that binds a file's hash to the publisher's certificate, so a verifier can check both who signed the code and that it has not been tampered with since it was signed. For Windows drivers, this involves a certificate issued by a Certificate Authority (CA) in Microsoft's Trusted Root Program.
Types of Signatures
- Kernel-Mode Driver Signing: This is the most stringent type, enforced by Windows Code Integrity for anything loaded into the kernel's address space. It requires an EV code signing certificate and, on current Windows versions, a signature from Microsoft obtained through the Hardware Dev Center (attestation signing or WHQL).
- User-Mode Driver Signing: User-mode drivers are not subject to kernel code-integrity enforcement, but their driver package still needs a signed catalog to install without trust warnings, and the signature lets users and security tools tell your files from tampered or malicious copies.
Steps to Create a Digital Signature
1. Obtain a Code Signing Certificate
You will need a code signing certificate. For kernel-mode drivers, this must be an Extended Validation (EV) code signing certificate from a CA in Microsoft's Trusted Root Program: an EV certificate is what the Hardware Dev Center requires to register your company and to sign submissions, and the older "cross-signing" route that let a standard certificate sign kernel drivers directly has been retired. Popular providers include DigiCert and Sectigo (formerly Comodo CA). EV certificates are issued on a hardware token, so the private key never sits in a file on the build machine.
2. Prepare Your Driver Package
Ensure your driver is compiled and ready for signing. This typically includes:
- The driver binary (.sys file).
- An INF file that describes the driver and its installation.
- Any other necessary files like .cat (catalog) files.
3. Create a Catalog File (.cat)
A catalog file lists every file in the driver package together with its hash, and it is the object that carries the package's signature; Windows checks the hash of each installed file against it. For an INF-based package, generate it with Inf2Cat (part of the WDK), pointing it at the package directory and naming the target Windows versions:
inf2cat /driver:C:\MyDriver /os:10_X64 /verbose
MakeCat.exe (part of the SDK) does the same job from a catalog definition (.cdf) file rather than an INF:
makecat -v MyDriver.cdf
Either way the catalog is unsigned when created; signing it is the next step.
4. Use the SignTool.exe Utility
Microsoft provides a command-line utility called SignTool.exe, which is part of the Windows SDK. This tool is used to digitally sign files. Use a SHA-256 file digest (/fd SHA256) and an RFC 3161 timestamp (/tr together with /td SHA256) rather than the older SHA-1 based /t timestamp; the timestamp is what keeps the signature valid after the certificate expires.
Signing the Catalog File:
signtool sign /v /s My /n "Your Company Name" /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 MyDriver.cat
- /v: Enables verbose output.
- /s My: Selects the certificate store ("My" is the current user's Personal store).
- /n "Your Company Name": Selects the certificate by subject name.
- /fd SHA256: Uses SHA-256 for the file digest.
- /tr http://timestamp.digicert.com: The URL of an RFC 3161 timestamping server.
- /td SHA256: The digest algorithm for the timestamp.
- MyDriver.cat: The file to sign.
The same command signs a .sys binary directly, producing an embedded signature. Boot-start kernel drivers need this in addition to the signed catalog, because the catalog store is not available that early in boot; for other drivers the catalog alone covers the package.
Signing a Kernel-Mode Driver for Release:
There is no special SignTool switch for kernel mode. On Windows 10 version 1607 and later with Secure Boot enabled, the loader accepts only kernel-mode drivers that Microsoft has signed. Sign the catalog and binaries with your EV certificate as above, put the package in a .cab, sign the .cab with the same certificate, and submit it to the Hardware Dev Center for attestation signing (or for WHQL testing). Install and ship the Microsoft-signed package that comes back, not your own EV-signed copy; the EV signature on the submission proves to Microsoft who sent it.
5. Test Your Signed Driver
After signing, test on a clean target system rather than only on the build machine, which may already trust your development certificates. Confirm that the package installs without a trust warning and that the driver loads and works. Check the signature with signtool verify /v /pa MyDriver.cat for the EV-signed package, or with /kp in place of /pa for the Microsoft-signed package (the kernel-mode policy), and in the file's Properties dialog in File Explorer. On a Secure Boot system a kernel driver that Microsoft has not signed will not load at all unless test signing is enabled with bcdedit /set testsigning on, which is only appropriate on development machines.
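Steps 2 through 5 as one PowerShell script: build the catalog, sign catalog and binaries, verify the result independently of SignTool's own output, and pack the package into a signed .cab for submission. This is an added example, not code from the original page or from Microsoft. It assumes things the page does not state: the package lives in C:\MyDriver, inf2cat.exe, signtool.exe and makecab.exe are on PATH (Windows SDK/WDK), the EV certificate is in the current user's Personal store with subject "Your Company Name", and the target is 64-bit Windows 10.

```powershell
# Added example (not from the original page). Assumed paths and names, see lead-in.
$ErrorActionPreference = 'Stop'
$PackageDir = 'C:\MyDriver'               # assumed: INF, .sys and any support files
$OutDir     = 'C:\MyDriver-submission'    # assumed: where the .cab is written
$Subject    = 'Your Company Name'         # assumed: subject of the EV certificate
$TsaUrl     = 'http://timestamp.digicert.com'   # RFC 3161 timestamp endpoint

function Invoke-Signing {
    # Embedded SHA-256 signature plus RFC 3161 timestamp on a single file.
    param([Parameter(Mandatory)][string]$Path)
    & signtool.exe sign /v /s My /n $Subject /fd SHA256 /tr $TsaUrl /td SHA256 $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool failed on $Path (exit $LASTEXITCODE)" }
}

function Test-DriverSignature {
    # Independent check using the Authenticode verifier built into PowerShell.
    # Only embedded signatures are seen here: a .sys covered solely by a catalog
    # reports NotSigned, which is why the script also signs each .sys directly.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File        = Split-Path -Leaf $Path
        Status      = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
        Signer      = $sig.SignerCertificate.Subject
        CertExpires = $sig.SignerCertificate.NotAfter
        Timestamped = $null -ne $sig.TimeStamperCertificate   # false = dies with the cert
    }
}

# 1. Catalog: hashes of every file the INF references. /os must match the INF's targets.
& inf2cat.exe /driver:$PackageDir /os:10_X64 /verbose
if ($LASTEXITCODE -ne 0) { throw "inf2cat failed (exit $LASTEXITCODE)" }

# 2. Sign the catalog and the .sys binaries (embedded signatures for boot-start loading).
$toSign = Get-ChildItem -Path $PackageDir -Include '*.cat', '*.sys' -Recurse
foreach ($f in $toSign) { Invoke-Signing -Path $f.FullName }

# 3. Verify, and refuse to continue if anything is unsigned or untimestamped.
$report = foreach ($f in $toSign) { Test-DriverSignature -Path $f.FullName }
$report | Format-Table -AutoSize
$bad = $report | Where-Object { $_.Status -ne 'Valid' -or -not $_.Timestamped }
if ($bad) { throw "Signature check failed for: $($bad.File -join ', ')" }

# 4. Pack the package into a .cab and sign the .cab; this is the attestation-signing
#    submission. The Microsoft-signed package that comes back is what gets installed.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$files = Get-ChildItem -Path $PackageDir -File | ForEach-Object { "`"$($_.FullName)`"" }
$ddf = @"
.OPTION EXPLICIT
.Set CabinetFileCountThreshold=0
.Set FolderFileCountThreshold=0
.Set FolderSizeThreshold=0
.Set MaxCabinetSize=0
.Set MaxDiskFileCount=0
.Set MaxDiskSize=0
.Set CompressionType=MSZIP
.Set Cabinet=on
.Set Compress=on
.Set DiskDirectoryTemplate=$OutDir
.Set CabinetNameTemplate=MyDriver.cab
.Set DestinationDir=MyDriver
$($files -join "`n")
"@
Set-Content -Path (Join-Path $OutDir 'MyDriver.ddf') -Value $ddf
& makecab.exe /f (Join-Path $OutDir 'MyDriver.ddf')
if ($LASTEXITCODE -ne 0) { throw "makecab failed (exit $LASTEXITCODE)" }
Invoke-Signing -Path (Join-Path $OutDir 'MyDriver.cab')
```

The script stops on the first failure rather than trusting SignTool's exit message alone: step 3 re-reads each signature and rejects a package whose files are unsigned or carry no timestamp, which is the state that silently breaks when the certificate expires. The .cab it produces is the input to the Hardware Dev Center; the EV signature on it is checked by Microsoft, and the package Microsoft returns (catalog and binaries signed by Microsoft) is the one that passes signtool verify /kp and loads on Secure Boot systems.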
Important Considerations
- Certificate Expiration: Always use a timestamping server. A timestamp proves the signature was made while the certificate was valid, so it keeps verifying after the certificate expires; without one, verification fails as soon as the certificate lapses, and you would have to re-sign and, for kernel drivers, resubmit every release.
- Certificate Revocation: Check your certificate's revocation status (CRL or OCSP) as part of release checks. If the CA revokes it, timestamped signatures made before the revocation date generally stay valid, while anything signed later does not; this is another reason to timestamp.
- Security: Protect the private key associated with the code signing certificate. EV certificates are issued on a hardware token or HSM for this reason; keep the token off shared build machines, restrict who can sign, and sign only release builds that have passed review. If the key is compromised, an attacker can sign kernel-mode code as you, and the certificate has to be revoked.
- Driver Signing Policy: Familiarize yourself with Microsoft's latest driver signing requirements, as policies have evolved: Windows 10 version 1607 introduced the requirement for Microsoft-signed kernel drivers on Secure Boot systems, and the cross-signing certificates that previously let CAs' certificates sign kernel code directly have since expired.
For more detailed information, refer to the official Microsoft documentation on driver signing.