Sign the Catalog File

Applies To: Windows Server 2008

You can use this procedure to sign the catalog file associated with a device driver package. Signing the catalog file involves encrypting the contents using a public/private key pair. The public key is part of the certificate used to create and validate the signature. Only the public key that is part of the certificate can decrypt the signature that was created with the private key. Successfully decrypting the signature by using a trusted certificate that can be traced back to a certification authority ensures that the signature is genuine, and that the package comes from the publisher it claims to come from.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To sign the catalog file

  1. Open a WDK Build Environment command prompt by using the Run as administrator option. Review the details in "Additional considerations" in this topic.

  2. At the command prompt, type the following on one line, and then press ENTER:

    signtool sign /s certificatestore /n certificatename /t

Value Description

/s certificatestore

Specifies the store name on the local computer where a copy of the signing certificate can be found. Review the details in "Additional considerations" in this topic.

/n certificatename

Specifies the subject name of the signing certificate to be used.


Specifies the service used to timestamp your signature. If you purchase an Authenticode certificate from another vendor, then you should use the service that vendor provides. Review the details in "Additional considerations" in this topic.

Specifies the catalog file to be signed.

Formatting legend

Format Meaning


Information that the user must supply


Elements that the user must type exactly as shown

Additional considerations

  • To start a WDK Build Environment command prompt with the Run as administrator option, click Start, All Programs, Windows Driver Kits, WDK <your build number>, Build Environments, and Windows Vista and Windows Server. Right-click Windows Vista and Windows Server Longhorn x86 Free Build Environment, and then click Run as administrator.

  • The SignTool tool must be run at a command line started by using the Run as administrator option. The tool does not generate User Account Control prompts, and will fail if run from a non-elevated command line.

  • SignTool can accept the certificate as a file on disk, as well as in the certificate store on the local computer. For more information about SignTool and the options it supports, see "Using SignTool" at
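
The following PowerShell script is an added example, not part of the original topic or of the WDK. It wraps the signtool sign command from the procedure with the checks a failed signing run usually traces back to: elevation, a usable certificate in the store, and verification of the result. It assumes signtool.exe is on PATH and that the certificate is in the current user's store. The store name, subject name, timestamp URL, and catalog path are placeholders to replace.

```powershell
# Added example. The four values below are placeholders to replace.
$Store        = 'PLACEHOLDER_STORE_NAME'              # value passed to /s
$SubjectName  = 'PLACEHOLDER_SUBJECT_NAME'            # value passed to /n
$TimestampUrl = 'http://timestamp.example.invalid/'   # value passed to /t
$CatalogFile  = 'C:\PLACEHOLDER\package.cat'          # catalog file to sign
$ErrorActionPreference = 'Stop'

# 1. SignTool raises no UAC prompt, so confirm elevation before calling it.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Not elevated: start the prompt with Run as administrator.'
}

# 2. Confirm the catalog exists and signtool.exe is on PATH.
if (-not (Test-Path -LiteralPath $CatalogFile)) {
    throw "Catalog file not found: $CatalogFile"
}
$signtool = (Get-Command signtool.exe).Path

# 3. Require exactly one usable certificate: subject matches, private key
#    present, inside its validity period. /s without /sm opens the current
#    user's store, so that is the store checked here.
$now   = Get-Date
$certs = @(Get-ChildItem "Cert:\CurrentUser\$Store" | Where-Object {
    $_.Subject -like "*$SubjectName*" -and $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now
})
if ($certs.Count -ne 1) {
    throw "Expected 1 usable certificate for '$SubjectName', found $($certs.Count)."
}
"Signing with $($certs[0].Thumbprint), valid until $($certs[0].NotAfter)"

# 4. Sign and timestamp the catalog; a non-zero exit code means failure.
& $signtool sign /v /s $Store /n $SubjectName /t $TimestampUrl $CatalogFile
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed ($LASTEXITCODE)." }

# 5. Verify the result. /pa applies the default Authenticode policy, so a
#    certificate chain that is not trusted on this computer fails here.
& $signtool verify /pa /v $CatalogFile
if ($LASTEXITCODE -ne 0) { throw "Signature did not verify ($LASTEXITCODE)." }
"Catalog signed and verified: $CatalogFile"
```

Recording the thumbprint printed in step 3 alongside the build output gives you a record of which key signed each catalog.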
