How to validate the Microsoft signature
This article shows you how to validate the Microsoft signature for a submission.
There are a couple of cases where you might want to validate the Microsoft signature for a submission:
- You aren't sure if a driver is Microsoft signed or not, and you want to check.
- You have two drivers. You need to determine which one is attestation signed and which one is signed after submission of HLK/HCK results to the dashboard.
Step 1: Download signed driver files
Download the signed files you need to validate the Microsoft signature.
Note
The driver submission folder is located in the package files. These files are signed by Microsoft. The partner doesn't have to sign the returned payload. Microsoft always returns a .cat file with an approved submission. If a partner includes its own .cat file, Microsoft discards it and returns its own signed .cat file.
In the past, Microsoft only signed the .cat file. Starting with Windows 10, Microsoft now signs all of the portable executables in the returned payload. For example, the .dll file is also signed by Microsoft.
To download the driver signed files:
- Find the hardware submission that contains the drivers that you want to download signed files for.
- Select the Private Product ID to open the driver details.
- On the driver details page, under Packages and signing properties, select More.
- Select Download signed files.
Step 2: Check the Enhanced Key Usage (EKU)
Once you download the signed files, validate the Microsoft signature by checking the EKU. The EKU belongs to the certificate that Microsoft uses to sign the submission.
To check the EKU:
- Right-click the .cat file.
- Select Properties, and then select the Digital Signatures tab.
- Select the name of the certificate, and then select Details.
- On the Details tab, select Enhanced Key Usage. There, see the EKUs and corresponding object identifier (OID) values for the certificate. In this case, the Windows Hardware Driver Verification OID ends with a 5, which means that the driver isn't attestation signed.
If the driver is attestation signed, the OID ends with a 1.
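The Step 2 check can also be scripted when you have many returned files to compare. The following PowerShell is an added example, not part of the original article or Microsoft's tooling; the function names are hypothetical, and the two full OID values are an assumption, since the article states only that the OID ends with a 5 or a 1.

```powershell
# Added example. Assumed OID values (the article gives only the final digit).
$OidDriverVerification   = '1.3.6.1.4.1.311.10.3.5'    # Windows Hardware Driver Verification
$OidAttestedVerification = '1.3.6.1.4.1.311.10.3.5.1'  # Windows Hardware Driver Attested Verification

function Resolve-DriverSigningType {
    # Classify a list of EKU OID strings. Hypothetical helper name.
    param([string[]]$EkuOids)
    # Test the longer (attested) OID first so it is never mistaken for the shorter one.
    if ($EkuOids -contains $OidAttestedVerification) { return 'Attestation signed' }
    if ($EkuOids -contains $OidDriverVerification)   { return 'Signed after HLK/HCK submission' }
    return 'No Windows Hardware Driver Verification EKU found'
}

function Get-DriverSigningType {
    # Read the signer certificate of a .cat (or signed PE) file and classify its EKUs.
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        # Do not classify a file whose signature does not verify on this machine.
        return [pscustomobject]@{
            Path = $Path; Status = $sig.Status; SigningType = $null; EkuOids = @()
        }
    }

    # The EKU list lives in an X.509 extension on the signer certificate.
    $ekuExt = $sig.SignerCertificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $oids = @(if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } })

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        SigningType = Resolve-DriverSigningType -EkuOids $oids
        EkuOids     = $oids
    }
}

# Constructed EKU lists (not taken from real certificates) to exercise the classifier offline.
Resolve-DriverSigningType -EkuOids @('1.3.6.1.5.5.7.3.3', '1.3.6.1.4.1.311.10.3.5')
Resolve-DriverSigningType -EkuOids @('1.3.6.1.5.5.7.3.3', '1.3.6.1.4.1.311.10.3.5.1')

# Against the files downloaded in Step 1 (folder name is a placeholder):
# Get-ChildItem .\SignedFiles -Recurse -Include *.cat, *.dll, *.sys |
#     ForEach-Object { Get-DriverSigningType -Path $_.FullName }
```

A status other than Valid means the signature or its chain did not verify on the machine running the check, so the EKU is deliberately not reported for that file.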