What do I have to do and how much does it cost to get a device driver for Windows Vista / 7 (32 and 64 bit) signed?

windows-7 windows-vista 64-bit driver-signing
Jon Cage picture Jon Cage · Apr 29, 2010 · Viewed 8.2k times · Source

I've got some drivers which are basically LibUSB-Win32 with a new .inf file to describe product/vendor IDs and strings which describe my hardware. This works fine for 32 bit windows, but 64 bit versions have problems; namely that Microsoft in their wisdom require all drivers to be digitally signed.

So my questions are thus:

  1. Is there a version of the LibUSB-Win32 drivers which are already signed I could use?
  2. If there aren't already some signed ones I can canibalise, what exactly do I have to do to get my drivers signed.
  3. Do I need to get 64 and 32 bit versions signed separately and will this cost more?
  4. Is this a free alternative to getting them signed?
  5. Are there any other options I should consider besides requiring that my customers boot into test mode each time they start their machines (not an option I'd consider).
  6. Are there any other options for code signing apart from Verisign? Obviously a free/open source initiative like OpenID would be awesome ;-)

Answer

Ilya picture Ilya · Feb 12, 2012

There are two separate issues at hand:

  1. Signing the image file (i.e. the driver.sys file) to satisfy Kernel Mode Code Signing (KMCS)
  2. Signing the driver package to satisfy driver installation (i.e. the driver.cat file).

If you take an existing driver signed by another entity (be it Microsoft's WinUSB or libusb-win32), that'll satisfy KMCS.

As to driver installation, you'd need your own Code Signing Certificate to sign a .cat file, which verifies that your .inf and the files it refers to (e.g. your .sys files) were not modified and truly come from you. It's somewhat less of a problem, since unlike KMCS (which stops your driver from loading), it won't prevent your driver from being installed but just present a warning to the user.

A Code Signing Certificate (make sure it supports KMCS!) will cost you hundreds of USD, depends on the CA you choose. Some might have plans which allow you to pay per signing event rather then globally per year. If you don't need to release many versions, this might be cheaper for you.

Related questions

How do you run a command as an administrator from the Windows command line?

I have a small script that performs the build and install process on Windows for a Bazaar repository I'm managing. I'm trying to run the script with elevated, administrative privileges from within the Windows shell (cmd.exe)--just as if …

Read More
How to request administrator permissions when the program starts?

I need my software to be able to run as administrator on Windows Vista (if someone runs it without administrative permissions, it will crash). When launching other software, I've seen a prompt by the system like "this software will run …

Read More
How to list all symbolic links on an NTFS filesystem

since Windows Vista there is an new Win32-API call CreateSymbolicLink to create a symbolic link on the NTFS filesystem. Does anyone know if there is an way to list all existing symbolic links on the filesystem?

Read More