Embedded Signatures in a Driver File

In 64-bit versions of Windows Vista and later versions of Windows, the kernel-mode code signing requirements state that a released kernel-mode boot-start driver must have an embedded Software Publisher Certificate (SPC) signature, that is, an Authenticode signature stored in the driver file itself rather than only in a catalog file. An embedded signature is not required for drivers that are not boot-start drivers; those can be verified through the signed catalog file of their driver package.

Note Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) and Windows Server 2016 kernel-mode drivers must be signed through the Windows Hardware Dev Center Dashboard, which requires an Extended Validation (EV) code signing certificate. For more info about these changes, see Driver Signing Changes in Windows 10.

Having an embedded signature saves significant time during system startup because the system loader can verify the signature in the driver file directly and does not need to locate the catalog file for the driver. A typical computer that is running Windows Vista or a later version of Windows might have many different catalog files in the catalog root store (%SystemRoot%\System32\CatRoot). Locating the catalog file that lists the hash of a given driver file, so that the hash can be verified, can require a substantial amount of time.

In addition to the load-time signature requirement that is enforced by the kernel-mode code signing policy, Plug and Play (PnP) device installation also enforces an install-time signing requirement. To comply with the PnP device installation signing requirements of Windows Vista and later versions of Windows, a driver package for a PnP device must have a signed catalog file (.cat) that lists the hashes of the files in the package. An embedded signature in the driver binary does not satisfy this install-time requirement on its own.

Embedded signatures do not interfere with the signature of a catalog file because both the hashes that are listed in a catalog file and the hash that is covered by an embedded signature are computed with the Authenticode PE hashing rules. Those rules skip the CheckSum field of the optional header, the Certificate Table entry in the data directory, and the attribute certificate table that holds the embedded signature itself. The hash of a driver file is therefore the same before and after an embedded signature is added, so a file that is already listed in a signed catalog can be embedded-signed without invalidating the catalog.
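To make the hashing rules above concrete, here is an added example (written for this page; it is not Microsoft's, SignTool's, or the page's own code) that computes an Authenticode-style digest of a PE image while skipping the CheckSum field, the Certificate Table directory entry, and the attribute certificate table. The build_toy_pe() helper and the byte strings it is fed are constructed sample input: it emits a minimal, non-loadable PE32+ layout, and the "signature" it appends is a placeholder blob in WIN_CERTIFICATE shape, not real PKCS#7 SignedData. The example also assumes, as signtool output does, that the certificate table is the last thing in the file.

```python
"""Authenticode-style PE image hash, skipping CheckSum, the Certificate Table
directory entry and the attribute certificate table (the embedded signature).
Added example for illustration; not code from this page or from SignTool."""
import hashlib
import struct
import sys

FILE_ALIGN = 0x200        # FileAlignment used by the toy builder below
CERT_DIR_INDEX = 4        # IMAGE_DIRECTORY_ENTRY_SECURITY


def authenticode_hash(image: bytes, algo: str = "sha256") -> str:
    """Hex digest of a PE32/PE32+ image over the Authenticode-covered ranges.
    Assumes the attribute certificate table, if present, ends the file."""
    h = hashlib.new(algo)
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (size_opt,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:                      # PE32
        data_dir = opt + 96
    elif magic == 0x20B:                    # PE32+
        data_dir = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_off = opt + 64                 # CheckSum sits at +64 in both formats
    cert_entry = data_dir + CERT_DIR_INDEX * 8
    cert_off, cert_size = struct.unpack_from("<II", image, cert_entry)
    (size_of_headers,) = struct.unpack_from("<I", image, opt + 60)

    # Headers, minus the 4-byte CheckSum and the 8-byte Certificate Table entry.
    h.update(image[:checksum_off])
    h.update(image[checksum_off + 4:cert_entry])
    h.update(image[cert_entry + 8:size_of_headers])
    bytes_hashed = size_of_headers

    # Raw section data, in file order (sorted by PointerToRawData).
    sect_tbl = opt + size_opt
    sections = []
    for i in range(num_sections):
        size_raw, ptr_raw = struct.unpack_from("<II", image, sect_tbl + i * 40 + 16)
        if size_raw:
            sections.append((ptr_raw, size_raw))
    for ptr_raw, size_raw in sorted(sections):
        h.update(image[ptr_raw:ptr_raw + size_raw])
        bytes_hashed += size_raw

    # Trailing data after the last section, excluding the certificate table.
    h.update(image[bytes_hashed:cert_off] if cert_size else image[bytes_hashed:])
    return h.hexdigest()


def build_toy_pe(section_payloads, signature=b"", checksum=0):
    """Constructed sample input: minimal PE32+ layout (DOS header, PE signature,
    COFF header, optional header, section table, one FILE_ALIGN block per
    section) plus an optional WIN_CERTIFICATE-shaped blob. Not loadable."""
    n = len(section_payloads)
    e_lfanew, size_opt, size_headers = 0x40, 112 + 16 * 8, FILE_ALIGN
    dos = bytearray(b"MZ".ljust(e_lfanew, b"\0"))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, size_opt, 0x0022)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)    # Section/FileAlignment
    struct.pack_into("<I", opt, 60, size_headers)
    struct.pack_into("<I", opt, 64, checksum)               # CheckSum (not hashed)
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    cert = b""
    if signature:
        # dwLength, wRevision=0x0200, wCertificateType=WIN_CERT_TYPE_PKCS_SIGNED_DATA
        cert = struct.pack("<IHH", 8 + len(signature), 0x0200, 0x0002) + signature
        cert = cert.ljust((len(cert) + 7) // 8 * 8, b"\0")
        cert_off = size_headers + n * FILE_ALIGN            # appended after sections
        struct.pack_into("<II", opt, 112 + CERT_DIR_INDEX * 8, cert_off, len(cert))
    sect_tbl, body = bytearray(), bytearray()
    for i, payload in enumerate(section_payloads):
        if len(payload) > FILE_ALIGN:
            raise ValueError("toy sections hold at most FILE_ALIGN bytes")
        ptr = size_headers + i * FILE_ALIGN
        sect_tbl += struct.pack("<8sIIIIIIHHI", f".s{i}".encode(), len(payload),
                                0x1000 * (i + 1), FILE_ALIGN, ptr, 0, 0, 0, 0, 0x60000020)
        body += payload.ljust(FILE_ALIGN, b"\0")
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sect_tbl)
    if len(headers) > size_headers:
        raise ValueError("too many sections for a single-block header")
    return headers.ljust(size_headers, b"\0") + bytes(body) + cert


def compare_signed_unsigned():
    """Embedding a (placeholder) signature and updating CheckSum leaves the
    Authenticode digest unchanged; editing section data does not."""
    code = [b"\x48\x31\xc0\xc3 toy driver code", b"toy initialized data"]
    fake_sig = b"<constructed placeholder for PKCS#7 SignedData>"
    unsigned = build_toy_pe(code, checksum=0x00001234)
    signed = build_toy_pe(code, signature=fake_sig, checksum=0x0000ABCD)
    patched = build_toy_pe([code[0], b"toy initialized datA"], signature=fake_sig,
                           checksum=0x0000ABCD)
    return {
        "unsigned": authenticode_hash(unsigned),
        "signed": authenticode_hash(signed),
        "patched": authenticode_hash(patched),
        "whole_file_differs": hashlib.sha256(unsigned).digest()
                              != hashlib.sha256(signed).digest(),
    }


if __name__ == "__main__":
    if sys.argv[1:]:                       # hash a real PE file given on the command line
        print(authenticode_hash(open(sys.argv[1], "rb").read()))
    else:
        for key, value in compare_signed_unsigned().items():
            print(f"{key:>18}: {value}")
```

Run without arguments to see the unsigned and signed toy images produce the same digest while a plain SHA-256 of the two files differs; run with a path to hash a real driver, where the value should match the digest carried inside its signature's SpcIndirectDataContent. The placeholder signature is never parsed or verified, so this shows only the hash coverage, not signature validation.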

Driver files are signed by using the SignTool tool (signtool sign). The resulting embedded signature can be checked against the kernel-mode driver signing policy with signtool verify /kp, which is the check to run before relying on the signature for a boot-start driver.