Signing WBDI Drivers

The code-signing requirements for WBDI drivers are the same as for other drivers. The specific requirements depend on whether the WBDI driver is implemented by using the user-mode driver framework (UMDF), the kernel-mode driver framework (KMDF), or the Windows Driver Model (WDM).

If a fingerprint device supports Plug and Play, the WBDI driver package must be signed to ensure that it has not been tampered with. Such a signature is required whether the driver runs in kernel mode or in user mode. You are not required to sign every individual file in the package. Instead, you create a catalog file that contains a hash value for every file in the package, and you sign the catalog file. The CatalogFile directive in the INF indicates the name of this file. For most WBDI drivers, the catalog file signature is the only type of signature that you need.

For some WBDI drivers, multiple signatures are needed. A kernel-mode boot-start driver, which is a driver that is loaded by the Windows loader during the boot process, requires an additional embedded signature on both x86 and x64 platforms. Therefore, a boot-start driver must usually be signed in two ways:

  • A boot-start driver package that is installed by using an INF must have a signed catalog file, just like other types of drivers. The catalog file is used for signature verification during installation.
  • A boot-start driver's binary file must be embedded-signed by using an SPC with a corresponding cross-certificate. A cross-certificate is issued by a CA (called a trusted root) that signs the public key for the root certificate of another CA, which creates a chain of trust from a single, trusted root CA to multiple other CAs.

You typically embedded-sign a driver binary after you create and sign the package's catalog file.
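The sequence above (catalog creation, catalog signature, then embedded signature on the boot-start binary, followed by a verification pass) as a PowerShell script. This is an added example, not part of the original topic, and it assumes the Windows Driver Kit tools Inf2Cat.exe and SignTool.exe are installed; every path, certificate subject, catalog name and timestamp URL below is a placeholder that must be replaced with your own values.

```powershell
# Added example (not from the original topic). All values here are placeholders.
$PackageDir   = 'C:\drv\wbdi'                 # folder holding wbdi.inf, wbdi.sys, ...
$CatalogName  = 'wbdi.cat'                    # must match the CatalogFile directive in the INF
$Binary       = Join-Path $PackageDir 'wbdi.sys'
$CatalogPath  = Join-Path $PackageDir $CatalogName
$CrossCert    = 'C:\certs\cross-cert.cer'     # cross-certificate issued for your CA
$CertSubject  = 'Contoso Driver Signing'      # subject name of the SPC in the "My" store
$TimestampUrl = 'http://<timestamp-server>'   # your CA's Authenticode timestamp service
$Inf2Cat      = 'C:\Program Files (x86)\Windows Kits\10\bin\x86\Inf2Cat.exe'
$SignTool     = 'C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe'

function Invoke-Checked {
    # Run an external tool and stop the script if it reports failure.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# Step 1: build the catalog. Inf2Cat reads the INF, hashes every file that the
# package references, and writes the catalog named by the CatalogFile directive.
Invoke-Checked $Inf2Cat @("/driver:$PackageDir", '/os:10_X64', '/verbose')

# Step 2: sign the catalog. Installation-time signature verification uses this file.
Invoke-Checked $SignTool @('sign', '/v', '/fd', 'sha256',
                           '/ac', $CrossCert, '/s', 'My', '/n', $CertSubject,
                           '/t', $TimestampUrl, $CatalogPath)

# Step 3: embedded-sign the boot-start binary. This is done after the catalog is
# signed; the Windows loader checks this signature before the catalog is available.
Invoke-Checked $SignTool @('sign', '/v', '/fd', 'sha256',
                           '/ac', $CrossCert, '/s', 'My', '/n', $CertSubject,
                           '/t', $TimestampUrl, $Binary)

# Step 4: verify both signatures under the kernel-mode driver signing policy (/kp),
# once through the embedded signature and once through the catalog (/c).
Invoke-Checked $SignTool @('verify', '/kp', '/v', $Binary)
Invoke-Checked $SignTool @('verify', '/kp', '/v', '/c', $CatalogPath, $Binary)

# Step 5: an independent look at the embedded signature from PowerShell itself.
$sig = Get-AuthenticodeSignature -FilePath $Binary
if ($sig.Status -ne 'Valid') {
    throw "Embedded signature on $Binary is $($sig.Status): $($sig.StatusMessage)"
}
"Embedded signer: $($sig.SignerCertificate.Subject)"
```

Run the script from an elevated developer prompt on the build machine. The two `signtool verify /kp` calls are the check worth keeping in a build pipeline: the first fails if the embedded signature or its chain to a trusted root is missing, the second fails if the catalog does not cover the binary's current hash, which is what happens when the binary is rebuilt after the catalog was signed.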

Boot-start drivers have the following characteristics:

  • The driver's INF specifies the start type as "Start=0".
  • A kernel service is configured with a ServiceType of kernel driver or file system driver and has StartMode set to "boot".

If the driver is packaged in a self-extracting executable file, the self-extracting executable file should also be signed.

This topic does not cover the details of driver-signing requirements or procedures. For general information about signature requirements for drivers, see Driver Signing.
