What do I have to do and how much does it cost to get a device driver for Windows Vista / 7 (32 and 64 bit) signed?

5

6

I've got some drivers which are basically LibUSB-Win32 with a new .inf file to describe product/vendor IDs and strings which describe my hardware. This works fine for 32-bit Windows, but 64-bit versions have problems; namely that Microsoft in their wisdom require all drivers to be digitally signed.

So my questions are thus:

  1. Is there a version of the LibUSB-Win32 drivers which are already signed I could use?
  2. If there aren't already some signed ones I can cannibalise, what exactly do I have to do to get my drivers signed?
  3. Do I need to get 64 and 32 bit versions signed separately and will this cost more?
  4. Is this a free alternative to getting them signed?
  5. Are there any other options I should consider besides requiring that my customers boot into test mode each time they start their machines (not an option I'd consider).
  6. Are there any other options for code signing apart from Verisign? Obviously a free/open source initiative like OpenID would be awesome ;-)
Linkman answered 29/4, 2010 at 18:42 Comment(0)
4

There are two separate issues at hand:

  1. Signing the image file (i.e. the driver.sys file) to satisfy Kernel Mode Code Signing (KMCS)
  2. Signing the driver package to satisfy driver installation (i.e. the driver.cat file).

If you take an existing driver signed by another entity (be it Microsoft's WinUSB or libusb-win32), that'll satisfy KMCS.

As to driver installation, you'd need your own Code Signing Certificate to sign a .cat file, which verifies that your .inf and the files it refers to (e.g. your .sys files) were not modified and truly come from you. It's somewhat less of a problem, since unlike KMCS (which stops your driver from loading), it won't prevent your driver from being installed but just present a warning to the user.

A Code Signing Certificate (make sure it supports KMCS!) will cost you hundreds of USD, depending on the CA you choose. Some might have plans which allow you to pay per signing event rather than globally per year. If you don't need to release many versions, this might be cheaper for you.

Forethoughtful answered 12/2, 2012 at 12:29 Comment(5)
Starting in Windows 8, I think the INF files are required to be signed as well. Prior to Windows 8, you were correct; it was possible to release unsigned drivers that use WinUSB or usbser.sys with just a warning that the publisher could not be verified. - Bullock
@DavidGrayson, the INF file has to be signed on Windows 7 too, just not necessarily with an Authenticode certificate from a well-known CA. Did this policy change? Can you point me at any MSDN document or blog? - Forethoughtful
Sorry, I don't have an MSDN document to point you to, but I have the experience of successfully delivering totally-unsigned drivers to thousands of customers who were using XP/Vista/7. The existence of this dialog in Windows Vista/7 should also be pretty convincing to you: a.pololu-files.com/picture/… - Bullock
Right, right. What kind of signature does Windows 8 expect on the catalog file then? - Forethoughtful
See kmsigning.doc. It has to be chained to a cert in the Trusted Root Certification Authorities. - Bullock
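
The two signatures described in the answer above, as a command sequence. This is an added example, not part of the original answer or comments; the package folder, file names, certificate subject, cross-certificate file and timestamp URL are placeholders, and it assumes `signtool` and `inf2cat` from the Windows SDK/WDK are on the PATH.

```batch
@echo off
setlocal
rem Added example. Every value below is a placeholder (assumption), not taken from the page.
set "PKG=C:\drivers\mydevice"
set "SUBJECT=Example Hardware Ltd"
set "CROSSCERT=C:\certs\ca-cross-cert.cer"
set "TS_URL=http://timestamp.example.invalid"

rem 1. KMCS: embed a signature in the kernel image itself.
rem    Skip this step when the .sys is an unmodified binary that its vendor
rem    has already signed; re-signing is only needed for images you build.
rem    /ac adds the CA's cross-certificate so the chain reaches a root the
rem    kernel trusts; /fd selects the file digest algorithm (pick one that
rem    your target Windows versions accept).
signtool sign /v /fd sha256 /ac "%CROSSCERT%" /s My /n "%SUBJECT%" /t "%TS_URL%" "%PKG%\mydevice.sys" || goto :fail

rem 2. Driver package: generate the catalog named by CatalogFile= in the INF.
rem    The catalog records hashes of the INF and every file it references,
rem    so any later change to those files invalidates it.
inf2cat /driver:"%PKG%" /os:Vista_X86,Vista_X64,7_X86,7_X64 || goto :fail

rem 3. Sign the catalog with the same certificate.
signtool sign /v /fd sha256 /ac "%CROSSCERT%" /s My /n "%SUBJECT%" /t "%TS_URL%" "%PKG%\mydevice.cat" || goto :fail

rem 4. Verify both signatures against the kernel-mode policy before shipping.
rem    First the embedded signature on the image, then the INF through the catalog.
signtool verify /kp /v "%PKG%\mydevice.sys" || goto :fail
signtool verify /kp /v /c "%PKG%\mydevice.cat" "%PKG%\mydevice.inf" || goto :fail

echo Package signed and verified.
exit /b 0

:fail
echo A signing or verification step failed.
exit /b 1
```

Run the verification step on a clean machine as well, since a chain that only validates on the build machine usually means a certificate is present in its local store but not embedded in the signature.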
2

You might be able to get away with trying the libusb-winusb version of libusb which tries to implement most of the existing functionality around the winusb driver (which is a signed MS binary so you don't need to do it yourself). However YMMV as winusb doesn't 100% map to all the functionality required in libusb.

Bantu answered 29/4, 2010 at 20:38 Comment(0)
1

You can use this tutorial that ignores unsigned drivers. I don't think that you want to pay because it costs something like $400 USD!

Here is another tutorial

You can also run CMD as administrator and run the following:

    bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS
    bcdedit.exe -set TESTSIGNING ON

Longhorn answered 29/4, 2010 at 18:46 Comment(3)
I'd definitely shy away from requiring customers to boot into test mode or disable signing. First, it'll put the "Test Mode" tag on their desktop which could be confusing. Second, you're putting them in a position where unsigned and potentially untrusted kernel code could be loaded on their system. - Fougere
Worth pointing out the bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS doesn't work post Vista RTM. - Bantu
It seems that bcdedit.exe -set TESTSIGNING ON doesn't work on win7 x64 also. - Sarcastic
1

According to my research, it could cost as little as US$266 to have a device driver signed. My understanding is that only a company can get a driver signed. They won't do it for individuals.

Ref.: CERTUM Code Signing Certificates

Distrait answered 15/5, 2012 at 16:5 Comment(0)
0

I found a few ways to load a driver for free:

  1. manual map the driver https://github.com/TheCruZ/kdmapper
  2. disable driver signature enforcement- info

I personally use KD mapper

Reproof answered 29/8, 2023 at 21:40 Comment(0)
