Driver Signing Update

Contents
How Driver Signing Works
How to Get Digital Signatures for Windows Drivers
Driver Signing Summary

Microsoft is promoting driver signing for designated device classes as a mechanism to advance the quality of drivers, to provide a better user experience, and to reduce support costs for vendors and total cost of ownership for customers. Microsoft began digitally signing drivers for the Microsoft® Windows® 98 operating system that passed the Windows Hardware Quality Labs (WHQL) tests in 1998, and is signing drivers for Windows 2000 beginning with the RC3 release.

This article provides a general orientation to driver signing on Microsoft Windows operating systems. This article also describes how vendors can get their drivers digitally signed.

HOW DRIVER SIGNING WORKS

Driver signing (sometimes called "code signing") consists of the following components:

CAT Files. A catalog file has the filename extension .cat and a name chosen by the vendor. The vendor establishes the relationship between the driver package and its CAT file by including in the INF’s [Version] section a CatalogFile directive with a reference to the CAT file. The vendor distributes the CAT file along with the other files in the driver package. The operating system maintains this relationship by copying the driver’s INF file to the %System%\Inf directory and the CAT file to the %System%\CatRoot directory.

Digital Signature. When a driver package passes WHQL testing, WHQL generates a separate CAT file containing a hash of the driver binaries and other relevant information. WHQL then digitally signs the CAT file using Digital Signature cryptographic technology and sends it to the vendor. Driver signing does not change the driver binaries or the INF file submitted for testing.

The operating system performs signature detection whenever an INF file is used to install hardware from a device class that is subject to signature detection: that is, during any Plug and Play operation, when the user runs the Add New Hardware wizard in the Control Panel, and so on.

Driver Signing and Driver Installation. The system always installs the driver that is the closest match for the hardware, whether or not that driver is signed; however, given drivers of equal rank, the system installs the signed driver rather than the unsigned driver. Device classes subject to signature detection are:

Display     Media               Net
Keyboard    Modem               Printer
HDC         Monitor             SCSI Adapter
HID         Mouse               Smart Card Reader
Image       Multiport Serial

During driver installation, Windows compares the hashes contained in the driver’s CAT file with the computed hash of the driver binaries to determine whether the binaries have changed since the CAT file was created. If a driver fails the signature check or there is no CAT file, what happens next depends on the driver signing policy in effect on the user’s system:

All drivers that will be distributed to end users should be digitally signed, to preserve the integrity of the released operating system and ensure the best possible user experience.

Driver Signing and File Protection. Driver signing and system-file protection are two different mechanisms that both serve the goal of maintaining a stable and reliable operating system:

For information about Windows File Protection (system-file protection for Windows 2000), see the web site at
http://www.microsoft.com/hwdev/ntdrivers/sfp.htm

HOW TO GET DIGITAL SIGNATURES FOR WINDOWS DRIVERS

Vendors should submit the following kinds of driver packages to WHQL:

Changes to hardware or firmware require a new revision value in the device ID so the operating system can detect the updated device and install the correct driver for it. Such a driver package should be submitted to WHQL for retesting even if the driver binaries do not change, because the driver’s INF must reflect the device’s new device ID, which invalidates the CAT file. For example, if support for a new device is added to an existing driver package, that device’s device ID will need to be added to the INF file, the updated driver package submitted to WHQL, and a new CAT file generated.
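The hash comparison described above, and the reason an INF edit invalidates the CAT file even when the binaries are untouched, shown as an added example that is not Microsoft code. It models a catalog as a plain name-to-hash table: the WHQL signature over the catalog is not modeled, SHA-256 is an assumed hash algorithm (the article names none), and the file names, contents and device IDs are constructed.

```python
import hashlib

def make_catalog(package):
    """Model of a CAT file: member name -> hash of its bytes.
    A real catalog is also signed by WHQL; that signature is not modeled."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in package.items()}

def check_package(package, catalog):
    """Compare each file's computed hash with its catalog entry.
    Returns {name: "ok" | "changed" | "not in catalog" | "missing"}."""
    if catalog is None:  # package shipped without a CAT file
        return {name: "not in catalog" for name in package}
    result = {}
    for name, data in package.items():
        expected = catalog.get(name)
        if expected is None:
            result[name] = "not in catalog"
        elif hashlib.sha256(data).hexdigest() == expected:
            result[name] = "ok"
        else:
            result[name] = "changed"
    for name in catalog.keys() - package.keys():
        result[name] = "missing"  # listed in the catalog but absent on disk
    return result

# Constructed driver package as it was tested (contents are made up).
TESTED = {
    "samplez.sys": b"MZ constructed driver image",
    "samplez.inf": b"[Version]\nCatalogFile = samplez.cat\n"
                   b"[Models]\n%Dev% = Inst, PCI\\VEN_0000&DEV_0001\n",
}
CATALOG = make_catalog(TESTED)

def add_device_id(package):
    """Same binaries, but the INF gains a second (constructed) device ID."""
    updated = dict(package)
    updated["samplez.inf"] += b"%Dev2% = Inst, PCI\\VEN_0000&DEV_0002\n"
    return updated

if __name__ == "__main__":
    print(check_package(TESTED, CATALOG))
    print(check_package(add_device_id(TESTED), CATALOG))
```

The second call reports the INF as changed while the .sys file still matches, which is why the updated package needs a new CAT file.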

A driver submitted to WHQL for testing will be digitally signed if the submission includes an INF that references a CAT file and meets Windows Logo Program requirements. Only signed drivers will be published on the Windows Update web site.

The exception to this is reference design drivers, which serve as a proof of concept to OEMs and IHVs who make products from the silicon and the driver. An OEM or IHV who modifies a reference driver that has passed WHQL testing can submit it with a high degree of confidence that the modified version will also pass. Reference drivers are not meant for sale or use on a released system, so they do not receive digital signatures. A driver-and-chipset combination should not be submitted as a reference design if they will be sold or distributed without modification.

The following sections describe how to get a digital signature for a Windows driver.

Modify the Driver’s INF File

As of September 1, 1999, all driver INF files submitted to WHQL for testing must include a CatalogFile directive in the [Version] section of the INF that refers to the driver’s CAT file. For example:

CatalogFile = samplez.cat

The name of the CAT file is up to the vendor, but it must have the filename extension .cat. For convenience, Microsoft recommends maintaining a unique CAT file name for each driver package.

To test installation of an unsigned driver before submitting it to WHQL, create a dummy text file with the name referenced by the CatalogFile directive in the INF. This prevents the "file missing" errors that would otherwise occur. It is not necessary to include the dummy text file in the WHQL submission.

Each set of driver binaries must have a separate CAT file; two unrelated drivers cannot share the same CAT file. A single driver that serves multiple devices—that is, the INF references multiple Plug and Play device IDs—needs only one CAT file.

In general, there should be one CAT file for each INF in a driver package. Vendors of driver packages that consist of multiple drivers tested and installed as a set—such as a set of class drivers that serve different functions on a multifunction device—might find it convenient to have a single CAT file for the driver package and refer to that file from each class driver’s INF. The operating system will copy the CAT file during installation so that each INF has a corresponding CAT file on the system.

If the driver package installs the same set of binaries on both Windows 2000 and Windows 98, the INF file can contain a single, undecorated CatalogFile directive that refers to a single CAT file. (See the Windows 2000 DDK for a discussion of decorations in INF directives.)

However, if a driver package installs different binaries on Windows 2000 and Windows 98 systems, or if it installs different binaries on different Windows 2000 platforms, the driver’s INF file will contain one or more of the following directives:

For example, to specify a CAT file that is specific to Windows 2000, but is not used for Windows 98:

CatalogFile.NT=ntSampleZ.cat

For example, this might be used for an INF that doesn’t actually copy any files on Windows 2000. However, if an INF copies files on one operating system but not the other, or if it copies different files on Windows 98 and Windows 2000, it would require a different CAT file for each operating system. In this case, the INF file’s [Version] section would contain entries such as the following:

CatalogFile.NTx86=ahntx86.cat
CatalogFile=ahaw98.cat

Order of entries does not matter. For information about creating INF files for Windows 2000, see http://www.microsoft.com/hwdev/ntdrivers/w2inf.htm
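A pre-submission check for the CatalogFile rules above, as an added example that is not part of the original article or the DDK. It assumes the usual decoration lookup order (most specific decorated entry first, undecorated last, with Windows 98 reading only the undecorated form); the platform keys and function names are hypothetical.

```python
# Constructed sample INF; the two CatalogFile entries are the ones shown above.
SAMPLE_INF = """\
; constructed sample, not a real driver package
[Version]
Signature = "$CHICAGO$"
Class = Net
CatalogFile.NTx86=ahntx86.cat
CatalogFile=ahaw98.cat

[Manufacturer]
%Mfg% = Models
"""

# Assumed lookup order: most specific decoration first, undecorated last.
# Platform keys ("win98", "nt-x86") are hypothetical names for this example.
SEARCH_ORDER = {
    "win98": ["catalogfile"],
    "nt-x86": ["catalogfile.ntx86", "catalogfile.nt", "catalogfile"],
}

def version_section(inf_text):
    """Return the [Version] entries as a dict with lower-cased keys."""
    entries, in_version = {}, False
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop INF comments
        if not line:
            continue
        if line.startswith("["):
            in_version = line.strip("[] ").lower() == "version"
        elif in_version and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries

def resolve_catalog(inf_text, platform):
    """Return the CAT file name that applies on `platform`, or None."""
    entries = version_section(inf_text)
    return next((entries[k] for k in SEARCH_ORDER[platform] if k in entries), None)

def lint_catalogs(inf_text):
    """Return problems with the CatalogFile directives (empty list = clean)."""
    cats = {k: v for k, v in version_section(inf_text).items()
            if k == "catalogfile" or k.startswith("catalogfile.")}
    problems = [] if cats else ["no CatalogFile directive in [Version]"]
    for key, name in cats.items():
        if not name.lower().endswith(".cat"):
            problems.append(f"{key}: '{name}' lacks the .cat extension")
    return problems
```

Running resolve_catalog for each target platform before submission shows which CAT file, if any, each operating system will look for.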

See also the following documentation in the Windows 2000 Driver Development Kit (DDK):

Submit the Driver Test Package to WHQL

Vendors should follow the usual procedure for submitting a driver test package to WHQL for testing. A driver test package generally includes driver binaries and INF files, hardware needed for testing, passing test logs, agreements and fees. Currently, WHQL offers two options for testing:

Microsoft has a web-based driver signing program, called Quick-Sign. For information about submitting a driver package to WHQL, see: http://www.microsoft.com/hwtest/

Receive the Catalog File from WHQL

When the package has passed WHQL testing (or validation of passing test logs), WHQL sends the usual test report to the vendor. The catalog file containing the digital signature follows in a separate e-mail from WHQL.

Distribute the Driver

Vendors must include the digitally signed catalog file with other installable files when distributing the driver.

If vendors grant distribution rights to Microsoft when submitting driver test packages to WHQL, the driver packages are automatically placed on the Windows Update web site as soon as they pass WHQL testing and meet additional Windows Update publishing criteria. Otherwise, vendors are responsible for distributing their drivers to users.

For information about Windows Update, see: http://www.microsoft.com/hwdev/ntdrivers/winup.htm

DRIVER SIGNING SUMMARY

DISCLAIMER: The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

MSDN, Microsoft, Win32, Win64, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

© 1999 Microsoft Corporation