What is the right Driver signing procedure? HCK/HLK Test must be done?

  • Question

  • Hi all,

    I want to sign an inf file for Windows 7, 8 and 10. What is the right high level procedure?

    My understanding is :

    1. Sign inf file using an EV code signing certificate.
    2. Run HCK/HLK Tests
    3. Submit test results to the new Dev center dashboard.

    I have following questions:

    1. Is the above procedure correct? Please correct me if I am wrong.
    2. Must HCK and HLK tests be done?
    3. Does attestation signing work for me in this case? Does attestation signing work on Win7/8?

    Thank you very much, I really appreciate it.

    -------------------------------------

    UPDATE:

    I finally know what's going on here:

    When we talk about driver signing, there are only two types of drivers:

    1. Kernel Mode Driver
    2. Non-kernel mode Driver (including inf-file-only driver, user mode driver, etc.)

    For all Kernel mode Drivers - you MUST have/buy an EV Certificate. You MUST run HCK/HLK Tests and you must submit the test results package to the Microsoft development dashboard.

    For all other drivers - You MUST have/buy a Microsoft Authenticode Certificate. You must download the WDK or SDK package (tools) to sign the inf file using this certificate. After signing and verifying, it is done! No EV Cert, No HCK/HLK Tests, No Submission.

    I am willing to help anyone on this problem, because I don't want anyone else to get confused like I have been :) Please let me know if you have more questions.

    Jennifer.

    Friday, June 30, 2017 9:07 PM

Answers

  • I have a driver package that includes a .sys file, and I have a driver package that is "INF-only". I have successfully got both packages WHQL-certified for basically the list of Windows that you ask about (we target 7/8/8.1 and 10) by doing the following.

    [0. If you have a .SYS Sign the .SYS w/ a SHA2 digital signature using a non-EV SHA2 Certificate and a SHA2 time-stamp]

    1. INF2Cat

    2. Sign the .CAT w/ a SHA2 digital signature using a non-EV SHA2 Certificate and a SHA2 time-stamp. (all EV Certificates are SHA2, not all SHA2 Certificates are EV)

    3. Run HCK tests against your driver on Windows 7/8/8.1 clients, create an unsigned .hckx submission package

    4. Run HLK tests against your driver on Windows 10 clients, create an unsigned .hlkx submission package.

    5. open the HLK Studio (Note: Open HLK Studio, don't double-click on the/an .hlkx file to open HLK Studio), navigate to the Package tab, open the .hlkx package

    6. select "merge in package", open the .hckx package

    7. select "Create Package", signed, sign with EV Certificate

    8. submit to developer dashboard

    • Marked as answer by JenniferZou Wednesday, July 12, 2017 8:11 PM
    Tuesday, July 11, 2017 4:54 PM
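The build-machine part of the accepted answer (steps 0 to 2: sign the .sys, run Inf2Cat, sign the .cat, all SHA-256 and time-stamped) as an added PowerShell example; it is not Mark's script or anything from the thread, and the package path, certificate thumbprint and timestamp URL are placeholders you replace with your own.

```powershell
# Added example (not from the thread): automates steps 0-2 of the accepted answer
# with the non-EV SHA-256 certificate installed in the build machine's cert store.
# $PackageDir, $Thumbprint and $TimestampUrl are placeholders.
$ErrorActionPreference = 'Stop'
$PackageDir   = 'C:\build\MyDriver'                   # folder holding the .inf (+ .sys)
$Thumbprint   = '<NON-EV-SHA256-CERT-THUMBPRINT>'     # SHA-1 thumbprint of the signing cert
$TimestampUrl = 'http://<your-ca-rfc3161-timestamp-url>'
$CatName      = 'mydriver.cat'                        # must match CatalogFile= in the .inf

function Invoke-Checked([string]$Exe, [string[]]$Arguments) {
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

function Add-Sha256Signature([string]$File) {
    # /fd sha256 = SHA-256 file digest; /tr + /td sha256 = RFC 3161 SHA-256 timestamp,
    # which keeps the signature valid after the certificate itself expires.
    Invoke-Checked 'signtool.exe' @('sign', '/fd', 'sha256', '/sha1', $Thumbprint,
                                    '/tr', $TimestampUrl, '/td', 'sha256', $File)
}

# Step 0: sign the .sys before building the catalog, because the catalog hashes the
# file as shipped. An INF-only package simply has no .sys here.
Get-ChildItem -Path $PackageDir -Filter '*.sys' |
    ForEach-Object { Add-Sha256Signature $_.FullName }

# Step 1: Inf2Cat builds the catalog over every file the .inf references.
# The /os list covers the thread's targets (7, 8, 8.1, 10, x64); adjust to what you ship.
Invoke-Checked 'Inf2Cat.exe' @("/driver:$PackageDir", '/os:7_X64,8_X64,6_3_X64,10_X64', '/verbose')

# Step 2: sign the catalog the same way.
Add-Sha256Signature (Join-Path $PackageDir $CatName)

# Check before handing the package to the HCK/HLK clients: /kp applies the
# kernel-mode signing policy and /v prints signer and timestamp details.
Invoke-Checked 'signtool.exe' @('verify', '/kp', '/v', (Join-Path $PackageDir $CatName))
```

Steps 3 to 8 (HCK/HLK runs, merging the .hckx into the .hlkx, signing the submission with the EV certificate) stay manual on the machine with the EV dongle, as the thread's follow-up explains.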

All replies

  • Hi,

      1. You do not need an EV code sign, just a regular code sign from (e.g. VeriSign / DigiCert etc).

    EV code sign is for Win10 only.

    2. Yes, HCK for Win7/8.1 and HLK for Win10.

    3. Attestation sign is for Win10 only and you'll need to sign it with an EV cert before submitting to MS for attestation sign.

    /m

    Monday, July 3, 2017 2:55 AM
  • Hello Ming2,

    But I need to support Win7,8 and 10. So I do need an EV code signing Cert, right?

    And should I sign the inf file before the HCK/HLK tests or during the HCK/HLK tests?

    Thanks,

    Jennifer.

    Monday, July 10, 2017 5:32 PM
  • Hi Mark,

    Thank you very much for your reply, very helpful!!

    I am wondering, in step 2, is the "non-EV SHA2 Certificate" a free certificate or should I buy it from somewhere? I would really appreciate it if you can tell me a little bit more about the "non-EV SHA2 Certificate".

    And why do you sign the cat file in step 2 using a non-EV cert, but sign the package in step 7 with the EV certificate?

    Thanks,

    Jennifer.

    Wednesday, July 12, 2017 8:10 PM
  • I used the phrase "non-EV SHA2 Certificate" simply to mean a SHA2 (actually SHA256) Certificate that is not also an EV Certificate.  No, it's not free, you buy it from the same place you bought your EV Certificate.

    If you already have your EV Certificate, then you do not *need* another non-EV SHA2 Certificate.  However, we found that in practice we strongly-want, borderline-need a non-EV SHA2 Certificate for practical considerations:

    I believe one needs to use the EV Certificate on the computer where you purchased the EV Certificate (I may be wrong about that), but you certainly need to use it on the same computer where the associated dongle is installed.  Hence, in steps 0. and 2. we use non-EV SHA2 Certificates to sign on our automated build computers which may be VMs which get built up and torn down and certainly don't all have the EV dongle plugged into them (the build machines are a pool of Jenkins clients, more than one of them, and I only have one EV dongle and don't wish to tie the build job to one computer).  This is all an automated build setup.  We run it each day, or on check-ins, that type of frequency.

    We do not automate the step 7.  So we can choose where that is done.  And that is done on the computer where the EV dongle is installed.

    Wednesday, July 12, 2017 10:42 PM
  • Hello,

    We are trying to find out if we need to renew our DigiCert Code Signing certificate that we used to successfully get WHQL certification.  We've been told by Digicert that we do not need to renew if we "time-stamped" our driver.

    How do I determine if our drivers were time-stamped? I can't find any confirmation of that associated with our driver submissions/validations.

    And, is this true? Do we need to keep the certificate current (we only have these two drivers and don't think we'll be updating them anytime soon.)

    Thank you in advance for any insight.

    Thursday, February 15, 2018 10:39 PM
    In Windows Explorer, browse to your driver package signed files (i.e. the .SYS, the .CAT), right-click the file, select Properties, select the "Digital Signatures" tab.  See the "Timestamp" column in the Signature list?  If you time stamped it, the Timestamp would be displayed there.  If you didn't Timestamp it, either the column won't be there, or there would be no entry in the column (I can't remember which).

    Yes, you need to timestamp your Signatures.  Otherwise, the Signature expires when the Certificate used to Sign expires.

    Friday, February 16, 2018 3:19 PM
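The same check Mark describes for the Explorer "Digital Signatures" tab, done from PowerShell for every signed file in a package folder; this is an added example, not code from the thread, and the folder path is a placeholder.

```powershell
# Added example (not from the thread): report signer, expiry and timestamp status
# for a driver package's signed files. $PackageDir is a placeholder.
$PackageDir = 'C:\build\MyDriver'

function Get-DriverSignatureReport([string]$Dir) {
    Get-ChildItem -Path $Dir -Include '*.sys', '*.cat', '*.dll' -Recurse |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File        = $_.Name
                Status      = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
                Signer      = $sig.SignerCertificate.Subject
                CertExpires = $sig.SignerCertificate.NotAfter
                # A missing timestamp counter-signature is exactly what the Explorer
                # tab shows as an empty Timestamp column.
                TimeStamped = ($null -ne $sig.TimeStamperCertificate)
                TimeStamper = $sig.TimeStamperCertificate.Subject
            }
        }
}

$report = Get-DriverSignatureReport $PackageDir
$report | Format-Table -AutoSize

# The files the advice above applies to: signed, but the signature dies with the cert.
$report | Where-Object { $_.Status -eq 'Valid' -and -not $_.TimeStamped } |
    ForEach-Object { Write-Warning "$($_.File): no timestamp, signature lapses on $($_.CertExpires)" }
```

Get-AuthenticodeSignature reports only the primary signature, so for a dual-signed file (SHA-1 plus SHA-256) the Explorer tab, which lists each signature separately, is still the place to confirm that both carry a timestamp.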
    I am going round in circles and finally found this link. Although this thread is very old, it is very informative for my situation.

    I am using a USB driver which runs in USER mode, so I assume I don't need to go through the HCK/HLK tests etc.

    So far I have been using DigiCert for signing these drivers successfully. Recently I ran into the driver failure, i.e.

    "Windows cannot verify the digital signature for the drivers required for this device...." (code 52).

    I am trying to find a solution to the issue.

    Looks like I need a "Microsoft Authenticode certificate".

    Can anybody provide steps or links to buy a Microsoft Authenticode Certificate? Or any latest updates please.

    Friday, July 10, 2020 2:03 PM