Microsoft Learn

Documentation for Developers

Driver Signing Options

Windows requires that drivers be digitally signed to ensure their authenticity and integrity. This process helps protect your system from malicious or corrupted software. This document outlines the various options available for signing your drivers, from development to production.

Why Sign Drivers?

  • Security: Prevents the installation of malware disguised as drivers.
  • Trust: Assures users that the driver comes from a legitimate source.
  • System Stability: Reduces the risk of system crashes due to faulty or incompatible drivers.
  • Feature Access: Certain Windows features, like Secure Boot, require signed drivers.

Driver Signing Levels

There are different levels of driver signing, each with its own implications:

1. Test Signing

Test signing is ideal for development and testing purposes. It allows you to sign drivers with a certificate that is not globally trusted. This is useful when you don't have a retail certificate but need to test driver functionality on a test system.

Note: Test-signed drivers will not install on production systems unless test signing is explicitly enabled on that system. This is not recommended for distribution.

To enable test signing, you can use the bcdedit command:

bcdedit /set testsigning on

To disable test signing:

bcdedit /set testsigning off
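
To confirm that a machine has not been left in test-signing mode, the following added example (not part of the original page and not Microsoft's own script) reports the testsigning state of the current boot entry and lists driver binaries whose signature does not validate. It assumes English-language bcdedit output and the default System32\drivers directory; the function names Get-TestSigningState and Get-DriverSignatureReport are hypothetical.

```powershell
# Added example (not from the original page). Run from an elevated PowerShell
# prompt: bcdedit needs administrator rights to read the boot configuration.

function Get-TestSigningState {
    # Read the current boot entry. The "testsigning" element is listed only
    # when it has been set explicitly, so its absence is reported as NotSet.
    # Assumption: English-language output, where the value reads Yes or No.
    $bcd = & bcdedit.exe /enum '{current}' 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed: $($bcd -join ' ')" }
    foreach ($line in $bcd) {
        if ("$line" -match '^\s*testsigning\s+(\S+)') { return $Matches[1] }
    }
    return 'NotSet'
}

function Get-DriverSignatureReport {
    param(
        # Assumption: the default driver directory is the one to audit.
        [string]$Path = (Join-Path $env:SystemRoot 'System32\drivers')
    )
    Get-ChildItem -Path $Path -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File   = $_.Name
                Status = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
                Signer = $sig.SignerCertificate.Subject   # empty when unsigned
                Issuer = $sig.SignerCertificate.Issuer
            }
        }
}

$state = Get-TestSigningState
Write-Output "testsigning: $state"
if ($state -eq 'Yes') {
    Write-Warning 'Test signing is enabled; this machine accepts test-signed drivers.'
}

# List every driver binary whose signature did not validate.
$bad = @(Get-DriverSignatureReport | Where-Object { $_.Status -ne 'Valid' })
if ($bad.Count -eq 0) {
    Write-Output 'All driver binaries have a valid signature.'
} else {
    $bad | Format-Table -AutoSize
}
```

On a production system the expected result is a testsigning state of NotSet or No and no rows in the table.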

2. WHQL (Windows Hardware Quality Labs) Signing

WHQL signing is the recommended approach for distributing drivers to end-users. Drivers submitted to WHQL undergo rigorous testing to ensure they meet Microsoft's compatibility and quality standards. Upon passing, Microsoft issues a signed catalog file (.cat) and a certificate that is trusted by all Windows versions.

  • Obtain a hardware developer program membership.
  • Submit your driver package to the Windows Hardware Dev Center dashboard.
  • Run the Windows Hardware Compatibility (WHC) tests.
  • Sign your driver package using the provided WHQL-signed certificate.

3. Cross-Certification

Cross-certification involves using a trusted root certificate to sign your driver. This is often used by hardware manufacturers who have their own PKI (Public Key Infrastructure) but need their drivers to be trusted on Windows systems. You can obtain a cross-certificate from Microsoft or a trusted third-party Certificate Authority (CA).

Driver Signing Tools

Microsoft provides several tools to assist with the driver signing process:

  • SignTool.exe: A command-line utility for signing drivers and other files.
  • Certmgr.msc: Windows Certificate Manager for managing certificates.
  • DevCenter Dashboard: The web portal for submitting drivers to WHQL.

Best Practices

  • Always use WHQL signing for production drivers.
  • Keep your signing certificates secure.
  • Understand the differences between test signing and release signing.
  • Regularly review your driver signing policies and procedures.

Warning: Installing drivers from untrusted sources can compromise your system's security and stability. Always ensure drivers are properly signed.

For more detailed information on specific signing scenarios and tools, please refer to the official Microsoft documentation.