This section provides information about USB driver signatures, the types of signatures needed for the different versions of the Windows operating system, and how to get a signed driver package.
| Name | Description |
|---|---|
| What are “Signed” Drivers? | Most USB drivers operate in what is known as “kernel mode” on Windows-based PCs. Kernel mode drivers have low-level access to the PC and its resources. This low-level access to the PC is normally necessary to implement the kind of functionality that the driver is intended to provide to top-level applications. However, low-level access to a PC has potential security implications. Kernel mode is typically the “ideal” place where malicious software developers would want their software to operate, since it provides the greatest control and access to the PC. Therefore, in... |
| Minimum Driver Signature Requirements | Full driver package WHQL signatures are the best and most trusted by all versions of Windows. Windows allows the installation of properly WHQL-signed drivers without prompting the user with a warning about the driver’s trustworthiness. However, current Windows versions do not require WHQL signatures to allow installation. Lesser signatures (or no signatures in some cases) are allowed, but will generate user dialogs/warnings during the installation process. |
| Using Older Drivers with Windows 8 | In general, USB driver packages that are designed for Windows 7 and prior OS versions will also work in Windows 8, but there is one important exception to this. Starting with Windows 8 64-bit, all drivers must contain a proper “full driver package” digital signature (prior OSes only required an embedded signature in the .sys file, rather than the entire driver package including the .inf file). The driver package signature exists as a .cat file that comes with the driver package, and needs to be correctly referenced from within the .inf file. If either... |
| Driver Signatures in the Microchip Libraries for Applications (MLA) Projects | Projects based on WinUSB: WinUSB is a Microsoft created/supplied driver. All Microsoft-supplied drivers contain an embedded signature from Microsoft. Additionally, WinUSB driver packages supplied in the February 2013 MLA release (or later) also contain a full driver package Microsoft WHQL signature. In operating systems prior to Windows 8, WinUSB-based devices require the user to install a driver package for the hardware. However, starting with Windows 8, it is possible to make WinUSB-based devices that are fully plug and play, and do not require any user supplied driver... |
| Obtaining a Microsoft Authenticode Code Signing Certificate | There are several Certificate Authority (CA) companies that can sell your organization a signing certificate that will allow you to sign your own driver packages. However, when submitting a driver package to Microsoft for WHQL certification, either as a new device/driver, or by reusing a previous submission through the “Driver Update Acceptable” (DUA) process, Microsoft currently requires that the submitted files be signed with an Authenticode signing certificate issued by VeriSign. Therefore, it is generally preferred to obtain the Microsoft Authenticode code signing certificate from VeriSign (now a part of Symantec Corporation). Before... |
| Code Signing Certificates – Other Uses | In addition to signing driver packages, a Microsoft Authenticode signing certificate can be used to sign certain other types of files, such as executable (.exe) programs. Windows, especially Windows 8, does not trust unsigned executables as much as signed executables. In Windows 8, an unsigned executable that has “no history” and has no reputation established with Microsoft will be treated as relatively untrustworthy, and is blocked from execution unless the user manually overrides the OS behavior through an advanced options dialog that is typically hard for new users to find. Additionally, some virus scanning... |
| Using a Code Signing Certificate to Sign Driver Packages | If you make modifications to a driver package and need to re-sign the package, the easiest method is to sign it with a Microsoft Authenticode code signing certificate. This can be done with the following procedure: 1. Start from a known working driver package .inf file from the latest MLA release. 2. Modify the .inf as desired. The .inf file is a plain text (ex: editable with Notepad) installation instruction/information file that tells the OS what driver needs to be used for the hardware, and anything else that may need to... |
MLA - USB Library Help Version : 2.16