question

ChrisLange-9620 asked ChrisLange-9620 edited

Are kernel mode signing capabilities required to sign a cat file when the inf file references a Windows *.sys file?

As I understand, as of 2021, drivers that run in kernel mode will need to be signed by Microsoft by submitting test results to the hardware program. What if I just want to sign a "driver package", i.e. an inf/cat file that references an already signed kernel mode Windows driver such as usbser.sys? Microsoft documentation doesn't seem to cover this case.

I am hoping to sign a cat file with a standard code signing certificate purchased from a CA after the Microsoft Root Trust Program no longer supports signing certificates with kernel mode signing capabilities.

Thank you

windows-hardware-certification windows-hardware-wdk windows-hardware-code-general

DoronHolan answered ChrisLange-9620 commented

The signing policy is the same for all driver packages, regardless of what they install (a third party km or um driver or an in box driver).


Thank you for your response! I am still a little unclear. What is the driver policy for "Driver packages"? The underlying driver, usbser.sys, is already signed by Windows. Can I sign a "Driver package" using a CA standard code signing certificate? Or is a "Driver package" considered to be a "driver" with respect to the Windows Driver signing policy?

Thanks again,

-Chris

DoronHolan answered ChrisLange-9620 commented

A driver package is an INF and all the other files referenced by it. The signing policy applies to the import and apply of a driver package (as dictated by the INF), regardless of what the INF does. An INF that installs an inbox driver on a device is a driver package.


Thank you. I am still unclear, can I sign a driver package with a standard code signing certificate for use in Windows 10?

DoronHolan answered ChrisLange-9620 edited

AFAIK you need a kernel mode signing cert, but the proof is in testing on the OS in question.


I believe 'kernel mode signing certificates' have expired, and there is a warning in the docs (140927-image.png) saying my certificate could be revoked if I try.

I am leaving this open in case anyone else can answer whether a standard code signing certificate can be used to sign a driver package (cat file).
