How to Test-Sign a Driver Package

This section provides information about the basic steps that you have to follow when you test-sign a driver package.

Test-signing refers to using a test certificate to sign a prerelease version of a driver package for use on test computers. In particular, this allows developers to sign kernel-mode binaries by using self-signed certificates, such as those the MakeCert tool generates. This capability allows developers to test kernel-mode binaries on Windows with driver signature verification enabled.

Windows supports test-signed drivers only for development and testing purposes. Test-signed drivers must not be used for production purposes or released to customers.

This section includes topics that describe these steps and provide examples, such as the following:

  • Creating a test certificate that is used to sign a driver package. In this section, steps are described to create and use a self-signed test certificate named This certificate is used in many examples that are discussed in this section.

  • Preparing a driver package for test-signing. This includes creating a catalog file that contains the digital signature.

  • Test-signing the driver package's catalog file by using the certificate.

  • Test-signing a driver through an embedded signature by using the certificate.

    Note  You have to embed a digital signature within the driver if the driver is a boot-start driver.

Each topic in this section describes a separate procedure in the test-signing process, and provides the general information that you need to understand the procedure. In addition, each topic points you to other topics that provide detailed information about the procedure.

Throughout this section, separate computers are used for the various processes involved in test-signing a driver. These computers are referred to as follows:

Signing computer
This is the computer that is used to test-sign a driver package for Windows Vista and later versions of Windows. This computer must be running Windows XP SP2 or later versions of Windows. In order to use the driver signing tools, this computer must have the Windows Vista and later versions of the Windows Driver Kit (WDK) installed.

Test computer
This is the computer that is used to install and test the test-signed driver package. This computer must be running Windows Vista or later versions of Windows.

The topics of this section use the ToastPkg sample driver package to introduce the test-signing process. Within the WDK installation directory, the ToastPkg driver package is located in the src\general\toaster\toastpkg directory.

Note  The WDK contains a sample command script that shows the step-by-step procedure to correctly test-sign the ToastPkg sample driver package. You can modify this script to test-sign your own driver package. Within the WDK installation directory, the example is located at src\general\build\driversigning\selfsign_example.cmd. Additional instructions for test-signing are described in src\general\build\driversigning\selfsign_readme.htm.

This section includes the following topics:

Creating Test Certificates

Viewing Test Certificates

Creating a Catalog File for Test-Signing a Driver Package

Test-Signing a Driver Package's Catalog File

Test-Signing a Driver through an Embedded Signature

Configuring the Test Computer to Support Test-Signing

Installing Test Certificates

Verifying the Test Signature

Installing a Test-Signed Driver Package on the Test Computer