Introduction to Release-Signing

Driver packages should be release-signed for the following reasons:

  • To ensure the authenticity, integrity, and reliability of driver packages.

    Windows uses digital signatures to verify the identity of the publisher and to verify that the driver package has not been altered since it was published.

  • To provide the best user experience by facilitating automatic driver installation.

    If a driver package is not signed, the Plug and Play (PnP) driver installation policy requires that a system administrator manually authorize its installation, adding an extra step to the installation process. This extra step can be confusing and bothersome to the average user.

  • To run kernel-mode driver binaries on 64-bit versions of Windows Vista and later versions of Windows.

    The kernel-mode code signing policy for 64-bit versions of Windows Vista and later requires that kernel-mode driver binaries be signed in order for the operating system to load the driver.

  • To play back certain types of next-generation premium content, all kernel-mode components in Windows Vista and later versions of Windows must be signed. In addition, all the user-mode and kernel-mode components in the Protected Media Path (PMP) must comply with PMP signing policy. For information about PMP signing policy, see the white paper Code-signing for Protected Media Components in Windows Vista.

The Hardware Certification Kit (HCK) has test categories for a variety of device types. If a test category for the device type is included in this list, the driver package publisher should obtain a WHQL release signature for the driver package.

Note  On Windows Server 2003, Windows XP, and Windows 2000, the INF file from the WHQL-signed driver package must use a device setup class that is defined in %SystemRoot%/inf/Certclas.inf. Otherwise, Windows treats the driver package as unsigned.

If a driver package is digitally signed by WHQL, it can be distributed through the Windows Update program or other Microsoft-supported distribution mechanisms. WHQL signs the driver package catalog file, but does not embed signatures in driver files. If a driver binary is a boot-start driver for 64-bit processors, the driver package publisher must also embed a signature in the kernel-mode driver files before submitting the driver package to WHQL.
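
The following PowerShell function is an added example, not code from the WDK or from this topic. It lists the boot-start driver binaries in a package and reports whether each one carries an embedded signature, as opposed to relying on the catalog alone. It assumes that boot-start services are the INF sections whose StartType is 0 (SERVICE_BOOT_START); the function name and the package path are hypothetical.

```powershell
# Added example, not WDK code. Requires Windows PowerShell 5.1 or later.
function Test-BootStartEmbeddedSignature {
    param([Parameter(Mandatory)][string]$PackagePath)  # folder with the .inf and .sys files

    foreach ($inf in Get-ChildItem -LiteralPath $PackagePath -Filter *.inf -File) {
        # Read the INF into section -> (key -> value); hashtable keys ignore case.
        $sections = @{}; $name = ''
        foreach ($line in Get-Content -LiteralPath $inf.FullName) {
            $text = ($line -split ';')[0].Trim()        # strip INF comments
            if ($text -match '^\[(.+)\]$') {
                $name = $Matches[1].Trim()
                if (-not $sections.ContainsKey($name)) { $sections[$name] = @{} }
            } elseif ($name -and $text -match '^([^=]+?)\s*=\s*(.+)$') {
                $sections[$name][$Matches[1].Trim()] = $Matches[2].Trim().Trim('"')
            }
        }
        $strings = $sections['Strings']
        foreach ($svc in $sections.Values) {
            $start = $svc['StartType']; $binary = $svc['ServiceBinary']
            if ($null -eq $start -or $null -eq $binary) { continue }
            # Resolve a %token% defined in [Strings], e.g. %SERVICE_BOOT_START%.
            if ($strings -and $start -match '^%(.+)%$' -and $strings.ContainsKey($Matches[1])) {
                $start = $strings[$Matches[1]]
            }
            if ($start -notmatch '^(0x)?0+$') { continue }   # 0 = SERVICE_BOOT_START
            $leaf  = ($binary -split '[\\/]')[-1]            # %12%\name.sys -> name.sys
            $files = @(Get-ChildItem -LiteralPath $PackagePath -Recurse -File -Filter $leaf)
            if ($files.Count -eq 0) { Write-Warning "$($inf.Name): $leaf not found in package" }
            foreach ($file in $files) {
                $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
                [pscustomobject]@{
                    Inf               = $inf.Name
                    Binary            = $file.FullName
                    Status            = $sig.Status
                    SignatureType     = $sig.SignatureType
                    # 'Authenticode' means the signature is embedded in the file itself.
                    EmbeddedSignature = ($sig.SignatureType -eq 'Authenticode')
                }
            }
        }
    }
}

# Usage (the path is a placeholder):
# Test-BootStartEmbeddedSignature -PackagePath 'C:\path\to\driver-package' |
#     Where-Object { -not $_.EmbeddedSignature }
```

The Status column reflects certificate trust on the computer where the check runs; the function does not evaluate the kernel-mode code signing policy itself.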

If the Hardware Certification Kit (HCK) does not have a test category for your device type, in order to release-sign your driver packages on Windows Vista and later versions of Windows, you must meet the following requirements:

A Software Publisher Certificate (SPC) and a commercial release certificate are collectively referred to as release certificates, and a signature generated with a release certificate is referred to as a release signature.

For more information about the release-signing requirements and procedures, see Release-Signing Driver Packages.

Note  To understand the steps that are involved in release-signing driver packages, see How to Release-Sign a Driver Package. This topic provides a summary of the release-signing process, and steps through many examples of release-signing by using the ToastPkg sample driver package within the Windows Driver Kit (WDK).