How to Test-Sign a Driver Package
This section provides information about the basic steps that you have to follow when you test-sign a driver package.
Test-signing refers to using a test certificate to sign a prerelease version of a driver package for use on test computers. In particular, this allows developers to sign kernel-mode binaries by using self-signed certificates, such as those the MakeCert tool generates. This capability allows developers to test kernel-mode binaries on Windows with driver signature verification enabled.
Windows supports test-signed drivers only for development and testing purposes. Test-signed drivers must not be used for production purposes or released to customers.
This section includes topics that describe these steps and provide examples, such as the following:
Creating a test certificate that is used to sign a driver package. In this section, steps are described to create and use a self-signed test certificate named Contoso.com(Test). This certificate is used in many examples that are discussed in this section.
Test-signing the driver package's catalog file by using the Contoso.com(Test) certificate.
Test-signing a driver through an embedded signature by using the Contoso.com(Test) certificate.
Note You have to embed a digital signature within the driver if the driver is a boot-start driver.
Each topic in this section describes a separate procedure in the test-signing process, and provides the general information that you need to understand the procedure. In addition, each topic points you to other topics that provide detailed information about the procedure.
Throughout this section, separate computers are used for the various processes involved in test-signing a driver. These computers are referred to as follows:
This is the computer that is used to test-sign a driver package for Windows Vista and later versions of Windows. This computer must be running Windows XP SP2 or later versions of Windows. In order to use the driver signing tools, this computer must have the Windows Vista and later versions of the Windows Driver Kit (WDK) installed.
The topics of this section use the ToastPkg sample driver package to introduce the test-signing process. Within the WDK installation directory, the ToastPkg driver package is located in the src\general\toaster\toastpkg directory.
Note The WDK contains a sample command script that shows the step-by-step procedure to correctly test-sign the ToastPkg sample driver package. You can modify this script to test-sign your own driver package. Within the WDK installation directory, the example is located at src\general\build\driversigning\selfsign_example.cmd. Additional instructions for test-signing are described in src\general\build\driversigning\selfsign_readme.htm.
This section includes the following topics: