Drivers should be digitally signed. This is especially true of kernel-mode drivers, which are trusted components of the operating system and have essentially unrestricted access to system resources. A digital signature provides users with two important pieces of information:
Verification of the origin of the driver package.
Assurance that the package has not been tampered with.
Drivers should be signed for several practical reasons:
Windows Vista and later versions will not load unsigned kernel-mode drivers on 64-bit computer systems.
Signed drivers provide a better user experience.
On recent versions of Windows, unsigned kernel-mode drivers can be installed only by an administrator, and even administrators receive a dialog box that requires them to explicitly approve the installation.
Signed kernel-mode drivers are required for Windows Vista to play certain types of premium content.
This section provides a brief summary of driver signing.
Drivers are usually not signed directly. Instead, the driver package includes a signed catalog file that acts as the digital signature for the entire driver package. The signing process ties the catalog file to a specific driver package. If anyone subsequently modifies any component of the package by even a single byte, the signature is invalidated. If you modify a driver package, it must have a new signed catalog file.
Info: See "Driver Signing Requirements for Windows" on the WHDC Web site for up-to-date information about driver signing requirements and techniques, online at http://go.microsoft.com/fwlink/?LinkId=79358.
You can obtain a signed catalog file for a driver package in two ways:
By obtaining a Windows logo: Drivers that pass Windows Logo Program testing and receive a Windows logo also receive a catalog file for the driver package, signed by Microsoft.
Info: See the Windows Logo Web site for information about the testing process for the logo program, online at http://go.microsoft.com/fwlink/?LinkId=79359.
By creating your own signed catalog file: You can obtain a digital certificate from a trusted certification authority (CA). The WDK provides tools to create a catalog file and sign it with the certificate.
Tip: See "Creating a Catalog File for a PnP Driver Package" in the WDK, online at http://go.microsoft.com/fwlink/?LinkId=79360.
Test packages intended for 32-bit versions of Windows can omit the signed catalog file. However, test packages are often signed to simplify the installation process or to test the installation procedures for signed drivers. Test packages can be signed by using a test certificate created with tools provided in the WDK.
Info: See "Code-Signing Best Practices" on the WHDC Web site for more information about creating and installing test certificates, online at http://go.microsoft.com/fwlink/?LinkId=79361.
You specify your package's signed catalog file by including a CatalogFile entry in the INF's [Version] section. Because neither of the USB samples uses a catalog file, the example in Listing 20-6 is from the Featured Toaster sample's INF. It specifies KmdfSamples.cat as the package's catalog file.
Listing 20-6: Featured Toaster INF CatalogFile entry
[Version]
Signature="$WINDOWS NT$"
Class=TOASTER
ClassGuid={}
Provider=%MSFT%
DriverVer=02/22/2006,1.0.0.0
CatalogFile=KmdfSamples.cat
Boot-start drivers are installed during the boot process. For 64-bit versions of Windows Vista, boot-start drivers must have embedded-signed binaries in addition to a signed catalog file.
With embedded signing, a signature is embedded in the driver's binary file. Embedded signing is required for boot-start drivers because locating the catalog file to verify the driver's signature is relatively time consuming, and embedding the signature in the binary lets the loader verify it without that lookup, which improves boot performance. Boot-start drivers must also have a signed catalog file, which is used for other purposes.
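The following batch script is an added example and is not code from the book, the WDK, or the Featured Toaster sample. It walks through the test-signing procedure described above (creating a test certificate, generating a catalog for the package, signing the catalog, embedded-signing the boot-start binary, and verifying the result) using the WDK tools the text refers to, run from a WDK build environment prompt. Assumptions not taken from the page: the driver package is in .\toasterpkg, its kernel-mode binary is named toaster.sys, the INF names KmdfSamples.cat as in Listing 20-6, and "Contoso.com(Test)" is a constructed test-certificate subject name.

```batch
@echo off
rem Added example: test-signing a KMDF driver package end to end with the
rem WDK tools (MakeCert, Inf2Cat, SignTool, CertMgr). Not from the book or
rem the WDK samples. Package path, binary name and certificate subject are
rem assumptions; only KmdfSamples.cat comes from Listing 20-6.

set PKG=.\toasterpkg
set CERTNAME=Contoso.com(Test)

rem 1. Create a self-signed test certificate in a private certificate store.
rem    -r: self-signed, -pe: private key exportable, -ss: store name.
makecert -r -pe -ss PrivateCertStore -n "CN=%CERTNAME%" ContosoTest.cer || exit /b 1

rem 2. Generate the catalog from the INF. Inf2Cat hashes every file the INF
rem    copies for the listed OS targets; the output file name is taken from
rem    the CatalogFile= entry in the INF's [Version] section.
inf2cat /driver:%PKG% /os:Vista_X86,Vista_X64 /verbose || exit /b 1

rem 3. Sign the catalog. This is the signature for the whole package: if any
rem    listed file changes by a single byte, its hash no longer matches the
rem    catalog and the package fails verification.
rem    (Release signing additionally needs /ac <cross-certificate> and a
rem    timestamp via /t <URL>; omitted here for the test certificate.)
signtool sign /v /s PrivateCertStore /n "%CERTNAME%" %PKG%\KmdfSamples.cat || exit /b 1

rem 4. Boot-start drivers on x64 Windows Vista also need the signature
rem    embedded in the binary itself, so sign the .sys file as well.
signtool sign /v /s PrivateCertStore /n "%CERTNAME%" %PKG%\toaster.sys || exit /b 1

rem 5. On the test machine only: trust the test certificate as a root and as
rem    a publisher, and allow the kernel to load test-signed code.
certmgr.exe -add ContosoTest.cer -s -r localMachine root
certmgr.exe -add ContosoTest.cer -s -r localMachine trustedpublisher
bcdedit /set testsigning on

rem 6. Verify the way the kernel-mode loader does: /kp applies the kernel-mode
rem    code-signing policy, /c checks the binary's hash against the named
rem    catalog. The second call checks the embedded signature on its own.
signtool verify /v /kp /c %PKG%\KmdfSamples.cat %PKG%\toaster.sys || exit /b 1
signtool verify /v /kp %PKG%\toaster.sys || exit /b 1
echo Package and embedded signatures verified.
```

After step 3, any edit to a file covered by the catalog (a rebuilt .sys, an edited INF) makes the `signtool verify /c` call in step 6 fail until Inf2Cat and the catalog signing are rerun, which is the behaviour the text describes. The bcdedit change in step 5 takes effect after a reboot; for a production package the test certificate is replaced by a CA-issued certificate and the cross-certificate and timestamp options noted in step 3.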