Are kernal mode signing capabilities required to sign a cat file when the inf file references a windows *.sys file?

Chris Lange 1 Reputation point
2021-10-12T20:23:21.087+00:00

As I understand, as of 2021, drivers that run in kernal mode will need to be signed by microsoft by submitting test results to the hardware program. What if I just want to sign a "driver package" ie. inf/cat file that references an already signed kernal mode windows driver such as usbser.sys? Microsoft documentation doesnt seem to cover this case.

I am hoping to sign cat file with a standard code signing certificate purchased from a CA after the Microsoft Root Trust Program no longer supports signing certificates with kernal mode signing capabilities.

Thank you

Windows Hardware Performance
Windows Hardware Performance
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.Hardware Performance: Delivering / providing hardware or hardware systems or adjusting / adapting hardware or hardware systems.
1,524 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Doron Holan 1,801 Reputation points
    2021-10-14T17:45:09.027+00:00

    The signing policy is the same for all driver packages, regardless of what they install (a third party km or um driver or an in box driver).

    1 person found this answer helpful.

  2. Doron Holan 1,801 Reputation points
    2021-10-15T00:07:03.497+00:00

    A driver package is an INF and all the other files referenced by it. The signing policy applies to the import and apply of a driver package (as dictated by the INF), regardless of what the INF does. An INF that installs an inbox driver on a device is a driver package.


  3. Doron Holan 1,801 Reputation points
    2021-10-15T18:55:40.087+00:00

    AFAIK you need a kernel mode signing cert, but the proof is in testing on the OS in question