Overview
Windows requires all drivers to be digitally signed before installation. This page covers signing requirements for development, testing, and production distribution.
Signing Methods
There are two main approaches to driver signing:

| Method | Use Case | Certificate Required | Cost |
|---|---|---|---|
| Test Signing | Development and testing | Self-signed certificate | Free |
| Production Signing | Public distribution | EV Code Signing Certificate | $$$ |
Test Signing for Development
When to Use Test Signing
Test signing is appropriate for:
- Local development and debugging
- Internal testing
- Non-production environments
- Learning driver development
Creating a Test Certificate
Use the Windows SDK tool MakeCert to create a test certificate:
- -r - Create self-signed certificate
- -pe - Mark private key as exportable
- -ss PrivateCertStore - Certificate store name
- -n "CN=..." - Certificate subject name
Installing the Test Certificate
Install the certificate to the Trusted Root Certification Authorities store:
- Run certmgr.msc as Administrator
- Right-click Trusted Root Certification Authorities → Certificates
- Select All Tasks → Import
- Browse to your .cer file and import
- Repeat for Trusted Publishers
Enabling Test Signing Mode
Enable test signing on Windows:
Signing the Driver Package
Sign your compiled driver:
- /v - Verbose output
- /s PrivateCertStore - Certificate store name
- /n "..." - Certificate subject name
- /t http://... - Timestamp server URL
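The test-signing steps in this section (create the certificate, trust it, enable test mode, sign, then verify as described next), run end to end as an added example; it is not the project's own script. The certificate name, .cer file name and driver path are placeholders, Import-Certificate stands in for the certmgr.msc import steps, and /fd SHA256 and the /pa verify policy are additions to the flags listed on this page.

```powershell
#Requires -RunAsAdministrator
# Added example for an isolated development machine; not the project's own script.
# Assumptions: makecert and signtool (Windows SDK) are on PATH; the certificate
# name, .cer file name and driver path below are placeholders.
$Name      = 'Example Driver Test Cert'          # placeholder subject (CN)
$Store     = 'PrivateCertStore'                  # store name used on this page
$CerFile   = Join-Path $PWD 'ExampleDriverTest.cer'
$Driver    = Join-Path $PWD 'MttVDD.dll'         # binary named on this page
$Timestamp = 'http://timestamp.digicert.com'     # from the Timestamp Servers list

function Invoke-Tool {
    # Run a native tool and stop the script on a non-zero exit code.
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with code $LASTEXITCODE" }
}

# 1. Create a self-signed certificate with an exportable key in PrivateCertStore.
Invoke-Tool makecert @('-r', '-pe', '-ss', $Store, '-n', "CN=$Name", $CerFile)

# 2. Trust the certificate machine-wide (replaces the certmgr.msc import steps).
foreach ($location in 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\TrustedPublisher') {
    Import-Certificate -FilePath $CerFile -CertStoreLocation $location | Out-Null
}

# 3. Enable test-signing mode; it takes effect after the next reboot.
Invoke-Tool bcdedit @('/set', 'testsigning', 'on')

# 4. Sign and timestamp the driver. /n matches on the subject name without "CN=".
#    /fd is added here because current SignTool builds require a digest algorithm.
Invoke-Tool signtool @('sign', '/v', '/fd', 'SHA256', '/s', $Store,
                       '/n', $Name, '/t', $Timestamp, $Driver)

# 5. Verify the signature against the default Authenticode policy (/pa).
Invoke-Tool signtool @('verify', '/v', '/pa', $Driver)
```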
Verifying Signature
Check if signing was successful:
Production Signing
Requirements for Public Distribution
For publicly distributed drivers, you need:
- Extended Validation (EV) Code Signing Certificate
  - Must be from a Microsoft-trusted Certificate Authority
  - Hardware token (USB) required for EV certificates
  - Costs typically 400/year
- Windows Hardware Compatibility Program
  - Submit driver to Microsoft Hardware Dev Center
  - Driver tested and signed by Microsoft (attestation signing)
  - Free but requires approval
Getting an EV Code Signing Certificate
Trusted certificate authorities include:
- DigiCert
- Sectigo (formerly Comodo)
- GlobalSign
- Entrust

- Purchase EV Code Signing Certificate from CA
- Complete identity verification (requires legal business documents)
- Receive hardware token with certificate
- Install certificate on development machine
SignPath.io for Open Source Projects
The Virtual Display Driver project uses SignPath.io:
Free code signing on Windows is provided by SignPath.io, certificate by SignPath Foundation.
- Free code signing service
- Integrates with GitHub Actions
- Provides trusted certificates
- See SignPath documentation for setup
Microsoft Hardware Dev Center Signing
Attestation Signing Process:
- Register:
  - Create account at Microsoft Hardware Dev Center
  - Requires EV Code Signing Certificate
- Prepare Driver Package:
- Submit for Attestation:
  - Upload .cab file to Dev Center
  - Microsoft validates and signs the driver
  - Download signed package
- Distribution:
  - Microsoft-signed drivers install without test mode
  - Compatible with all Windows versions
Attestation-signed drivers work on Windows 10 version 1607 and later. For earlier versions, WHQL signing is required.
Signing in Visual Studio Build Process
Automatic Signing Configuration
Configure Visual Studio to automatically sign during build:
- Right-click project → Properties
- Navigate to Driver Signing → General
- Set Sign Mode to “Test Sign”
- Set Test Certificate to your certificate
- Apply and rebuild
Project File Configuration
The MttVDD project includes signing configuration:
- Debug builds: SHA1 (faster, test signing)
- Release builds: SHA256 (production standard)
ARM64 Signing Considerations
For ARM64 Windows devices:
- Enable test signing mode (as described above)
- Sign driver with test certificate
- Alternatively, obtain Microsoft attestation signature
Signature Verification
Manual Verification
Check driver signature before installation:
Windows UI Verification
- Right-click MttVDD.dll → Properties
- Navigate to Digital Signatures tab
- Select signature and click Details
- Verify certificate chain and validity
Driver Installation Verification
After installation:
Security Best Practices
Certificate Protection
Best practices:
- Store EV certificates on hardware tokens only
- Never share certificate private keys
- Use certificate password protection
- Limit certificate access to trusted build systems
- Revoke compromised certificates immediately
Test Signing Security
- Only enable test signing on isolated development machines
- Disable test signing when not actively developing
- Never distribute drivers signed with test certificates
- Remove test certificates when development is complete
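A read-only check for the points in this section and under Signature Verification, as an added example rather than the project's own tooling: it reports each package file's signature status, flags self-signed or untimestamped signatures, and warns when test-signing mode or a test certificate is still present. The package folder and certificate name are placeholders.

```powershell
# Added example: read-only audit, not part of the project.
# Assumptions: $DriverDir and $TestSubject are placeholders; bcdedit needs an
# elevated prompt, and English-language bcdedit output is assumed when parsing.
$DriverDir   = '.\DriverPackage'              # placeholder package folder
$TestSubject = 'Example Driver Test Cert'     # placeholder test certificate name

function Get-DriverSignatureReport {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include *.dll, *.sys, *.cat | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate        # $null when the file is unsigned
        [pscustomobject]@{
            File        = $_.Name
            Status      = $sig.Status         # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer      = $cert.Subject
            SelfSigned  = [bool]($cert -and ($cert.Subject -eq $cert.Issuer))
            Timestamped = [bool]$sig.TimeStamperCertificate
            CertExpires = $cert.NotAfter
        }
    }
}

function Test-TestSigningEnabled {
    # The current boot entry lists "testsigning  Yes" when test mode is on.
    $lines = & bcdedit /enum '{current}'
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; run from an elevated prompt.' }
    [bool]($lines -match '^testsigning\s+Yes')
}

function Get-TrustedTestCertificate {
    param([string]$Subject)
    foreach ($store in 'Root', 'TrustedPublisher') {
        Get-ChildItem "Cert:\LocalMachine\$store" |
            Where-Object { $_.Subject -like "*$Subject*" } |
            Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
    }
}

$report = Get-DriverSignatureReport -Path $DriverDir
$report | Format-Table -AutoSize
$report | Where-Object { $_.Status -ne 'Valid' -or $_.SelfSigned -or -not $_.Timestamped } |
    ForEach-Object { Write-Warning "$($_.File): status=$($_.Status) selfSigned=$($_.SelfSigned) timestamped=$($_.Timestamped)" }
if (Test-TestSigningEnabled) { Write-Warning 'Test-signing mode is still enabled on this machine.' }
Get-TrustedTestCertificate -Subject $TestSubject |
    ForEach-Object { Write-Warning "Test certificate still trusted in $($_.Store): $($_.Thumbprint)" }
```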
Timestamp Servers
Always use timestamp servers when signing:
Recommended timestamp servers:
- DigiCert: http://timestamp.digicert.com
- Sectigo: http://timestamp.sectigo.com
- GlobalSign: http://timestamp.globalsign.com

- Signature remains valid after certificate expires
- Proves signing time
- Required for long-term validity
Troubleshooting
Error: “The signature is invalid”
Cause: Corrupted signature or certificate issue
Solution:
- Re-sign with correct certificate
- Verify certificate is in Trusted Root
- Check timestamp server connectivity
Error: “Windows cannot verify the digital signature”
Cause: Test signing mode not enabled or untrusted certificate
Solution:
- Enable test signing: bcdedit /set testsigning on
- Install certificate to Trusted Root and Trusted Publishers
- Reboot
Error: “The specified store to be opened cannot be found”
Cause: Certificate store name incorrect
Solution: Verify certificate store name matches MakeCert command
Driver Installation Fails with Code 52
Cause: Signature verification failure
Solution:
- Check Device Manager → Driver Properties → Events
- Verify signature with signtool verify
- Ensure all required certificates are installed
- Enable test signing if using test certificate