Get drivers signed by Microsoft for multiple Windows versions

How to submit to the dashboard

This topic explains how to make a submission to the dashboard, such as a driver, and have it apply to multiple versions of Windows. This topic also covers how to retrieve the submission after Microsoft signs it, and how to validate the Microsoft signature.

There are two ways to make a dashboard submission apply to Windows 10 and earlier versions of Windows:

  1. Use the Hardware Lab Kit (HLK) to test your submission against Windows 10 and use the Hardware Certification Kit (HCK) to test against earlier versions of Windows. Then create a dashboard submission that includes all the merged HLK/HCK test results. During the submission process, you can opt in to get a free signature for Windows Vista and Windows XP, as shown later in this topic. To opt in for Windows Server 2008, provide a submission ID from a Windows Logo Kit (WLK) submission. This is the only way to make a submission apply to all Windows versions.
  2. As an alternative to HLK and HCK testing, you can cross-sign your driver yourself and submit it to the dashboard for attestation signing so that it also works on Windows 10. This is more complicated, but still a valid option. However, a submission signed this way will not work on Windows Server 2016. For more information about how to attestation sign a driver, see Attestation signing a kernel driver for public release. Important: You must still use Hardware Dev Center (Sysdev) to attestation sign a driver until driver signing is available through the new Windows Hardware Dev Center dashboard.

This topic provides some background information about the dashboard for context, then walks through the process for using the HLK/HCK.

In the dashboard, there are two options related to signing submissions – either way, you can get a Microsoft-signed driver. The Hardware compatibility option means you’ve gone the extra distance and met Windows Hardware Compatibility Program requirements. This gives you reputation with Microsoft SmartScreen, visibility on the Certified Products List, and other business benefits.

For background, there are two code signing operations to consider:

  • One is a code signing operation that identifies an organization to the dashboard. This is a signature on the package you plan to submit, and it’s a requirement that the dashboard imposes on partners so that the dashboard can prevent malicious people outside your organization from making submissions using your credentials – which could harm your reputation!
  • The other is where Microsoft actually signs the individual files within your submission, such as your driver.

You must have an EV certificate bound to your company to access submission features in the dashboard.

To confirm the certificate that is used to identify your organization within Hardware Dev Center (Sysdev), you need to be logged in as an Administrator for your organization’s account. Then select Administration > Upload a new digital certificate.

To confirm the certificate that is used to identify your organization within the new Windows Hardware Dev Center dashboard, see Update a code signing certificate.

After you sign in to the dashboard and you are ready to sign your submission, you can use either a standard code signing cert or an EV code signing cert. This is true for all operating system versions, not just Windows 10.

This is a recent change in policy. If you have an EV cert bound to the account for your organization, you’re good to go – that is, you can continue to use a standard SHA-2 certificate when you submit your package.

How to submit HLK test results

Here's how to submit HLK test results to the dashboard. There are separate tabs where you can see what tests were run and the test results. For dashboard purposes, the most interesting part of an HLK project is the Package tab:

(Image: HLK package)

Click the file path for the project to open it. In this case, the submission is one driver.

(Image: driver)

Let’s say you want to create a submission package from scratch. In the HLK, click Add Driver Folder.

(Image: Add Driver Folder)

Now is your first chance to make declarations about the OS versions that are supported for your submission. In this case, the submission has been tested for Windows 10 x64 and earlier versions of Windows.

(Image: OS qualifications)

You also need to make declarations for locales. For example, depending on the design and architecture of your driver, you may choose to display different strings in different locales. In that case, you might actually have different compiled binaries for different locales. So for one device, you might have a hundred different drivers, one for each locale.

(Image: locales)

To add symbols, right-click the driver folder.

(Image: add symbols)

Click Add Supplemental Folder to submit other files that are important to the submission but are not actually part of the submission itself. You can add any content you want to the package. This is a way for you to get other items to the dashboard that are important for the submission, such as a readme file for a driver submission.

(Image: Add Supplemental Folder)

When you are ready, click Create Package.

(Image: Create Package)

The next step is to specify a certificate that you will use to sign the package – this is the first of the two code signing operations that were covered at the start of this topic. You can click Use a certificate file to specify a certificate that is stored on something like a USB drive, or click Use the certificate store to specify a certificate that has been imported into the certificate store of the local computer.

(Image: Use the certificate store)

After you click OK, you name the package and it gets created and signed (assuming you have a certificate installed on the computer you are using for the submission), and you’ll get back a friendly success message.

And the package has a green check under Signability:

(Image: Signability)

The next steps occur in the Windows Hardware Dev Center dashboard. Sign in and follow the instructions in Create a new hardware submission to upload your HLK package.

How to retrieve a submission after Microsoft signs it

For an HLK or HCK submission that you submitted to the Windows Hardware Dev Center dashboard:

  • Find the hardware submission that contains the drivers that you want to download signed files for. Select the ID to open the driver details. On that page, expand the package tab for the package containing the driver you want to download and click “Download signed files”.

For a WLK submission, system submission, or attestation signed driver that you submitted to Hardware Dev Center (Sysdev):

  • Select Hardware Compatibility > Manage submissions. On the Summary and Tasks tab, if the status is Approved, the submission is ready to be retrieved. Under Download in the lower right corner of the screen, click Signed driver package. Microsoft will stream an in-memory zip file that includes the signed submission.

Inside the submission folder will be the package files. These files are signed by Microsoft. The partner does not have to sign the returned payload. Microsoft always returns a .cat file with an approved submission. If a partner includes its own .cat file, Microsoft discards it and returns its own signed .cat file.

In the past, Microsoft only signed the .cat file. Starting with Windows 10, Microsoft now signs all of the portable executables in the returned payload. For example, the .dll file is also signed by Microsoft:

(Image: files signed by Microsoft)

How to validate the Microsoft signature

There are a couple of cases where you may want to validate the Microsoft signature for a submission.

  1. You aren’t sure if a driver has been signed by Microsoft or not, and you want to check.
  2. You have two drivers, and you need to determine which one was signed by attestation and which one was signed after submission of HLK/HCK results to the dashboard.

You can validate the Microsoft signature by checking the Enhanced Key Usages (EKUs) of the certificate that Microsoft signs the submission with. To check the EKU, right-click the .cat file and click Properties. Click the Digital Signatures tab, click the name of the certificate, and then click Details.

(Image: EKU details)

On the certificate Details tab, click Enhanced Key Usage. There you will see the EKUs and corresponding OID values for the certificate. In this case, the Windows Hardware Driver Verification OID ends with a 5, which means the driver has not been signed by attestation:

(Image: certified)

If the driver had been signed by attestation, then the OID would end with a 1:

(Image: attestation signed)
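
The same EKU check can be scripted instead of clicked through. The following PowerShell is an added example, not part of the original topic: the function name and folder path are hypothetical, and the full OID strings are the well-known Microsoft values for the two EKUs, which the text above identifies only by their last digit.

```powershell
# Added example, not from the original page. Function name and paths are hypothetical.
# Full OID values are the well-known Microsoft EKU OIDs; the page shows only their last digit.
$WhqlOid     = '1.3.6.1.4.1.311.10.3.5'    # Windows Hardware Driver Verification (HLK/HCK)
$AttestedOid = '1.3.6.1.4.1.311.10.3.5.1'  # Windows Hardware Driver Attested Verification

function Get-DriverSigningKind {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        # Unsigned, tampered, or untrusted chain: do not classify by EKU at all.
        return [pscustomobject]@{
            Path = $Path; Kind = "NotValid ($($sig.Status))"; Signer = $null; Ekus = @()
        }
    }

    # Pull the Enhanced Key Usage extension from the signing certificate.
    $ekuExt = $sig.SignerCertificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $oids = @()
    if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Compare whole OIDs, attested first: a prefix match would confuse
    # ...10.3.5 with ...10.3.5.1.
    $kind = if ($oids -contains $AttestedOid) { 'Attestation signed' }
            elseif ($oids -contains $WhqlOid) { 'Signed after HLK/HCK submission' }
            else { 'No Windows hardware driver EKU' }

    [pscustomobject]@{
        Path   = $Path
        Kind   = $kind
        Signer = $sig.SignerCertificate.Subject   # review this to confirm the signer is Microsoft
        Ekus   = $oids
    }
}

# Usage (hypothetical folder holding the downloaded signed package):
# Get-ChildItem 'C:\Temp\SignedPackage' -Recurse -Include *.cat, *.sys, *.dll |
#     ForEach-Object { Get-DriverSigningKind -Path $_.FullName } | Format-Table -AutoSize
```

Because Microsoft signs the portable executables in the returned payload as well as the .cat file, running the check over every file in the package also shows whether any binary was replaced after signing.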
