Authenticode is a Microsoft code-signing technology that identifies the publisher of Authenticode-signed software. Authenticode also verifies that the software hasn't been changed since it was signed and published.
Authenticode uses cryptographic techniques to verify publisher identity and code integrity. It combines digital signatures with an infrastructure of trusted entities, including certificate authorities (CAs), to assure users that a driver originates from the stated publisher. Authenticode allows users to verify the identity of the software publisher by chaining the certificate in the digital signature up to a trusted root certificate.
The software publisher uses Authenticode to sign the driver or driver package by tagging it with a digital certificate. The certificate verifies the identity of the publisher and enables recipients of the code to verify the integrity of the code. A certificate is a set of data that identifies the software publisher. A CA issues the certificate only after that authority verifies the software publisher's identity. The certificate data includes the publisher's public cryptographic key. The certificate is typically part of a chain of such certificates, ultimately referenced to a well-known CA such as VeriSign.
Authenticode code signing doesn't alter the executable portions of a driver. Instead, it completes the following actions:
Embedded signatures: The signing process embeds a digital signature within a non-executable portion of the driver file. For more information, see Embedded signatures in a driver file.
Digitally signed catalog files: The signing process requires generating a file hash value from the contents of each catalog file (.cat) within a driver package. This hash value is included in a catalog file. The catalog file is then signed with an embedded signature. In this way, catalog files are a type of detached signature.
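The embedded-signature case can be seen in the file layout: in a PE image such as a .sys driver, the signature is stored in the certificate table (data directory entry 4), outside every section's raw data. The following Python example is added here and is not part of the original page; it parses the PE headers to locate that blob and checks that it overlaps no section. The names `locate_signature` and `build_sample` are chosen for this example, and the sample is a constructed minimal PE32+ image with a placeholder instead of a real PKCS #7 blob.

```python
import struct

SECURITY_DIR = 4             # IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)
PKCS_SIGNED_DATA = 0x0002    # WIN_CERT_TYPE_PKCS_SIGNED_DATA (Authenticode)

def locate_signature(pe: bytes):
    """Return (offset, size, cert_type, overlaps_section), or None if unsigned."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    n_sections, opt_size = struct.unpack_from("<H12xH", pe, coff + 2)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):                  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)     # start of data directories
    (n_dirs,) = struct.unpack_from("<I", pe, dirs - 4)
    if n_dirs <= SECURITY_DIR:
        return None
    # Unlike the other data directories, this entry is a file offset, not an RVA.
    off, size = struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR)
    if off == 0 or size == 0:
        return None
    if off + size > len(pe):
        raise ValueError("certificate table points outside the file")
    _length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)
    overlaps = False
    for i in range(n_sections):                      # 40-byte section headers
        raw_size, raw_ptr = struct.unpack_from("<II", pe, opt + opt_size + 40 * i + 16)
        overlaps |= raw_ptr < off + size and off < raw_ptr + raw_size
    return off, size, cert_type, overlaps

def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ image with one .text section (not a real driver)."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    text = struct.pack("<8sIIII12xI", b".text", 0x200, 0x1000, 0x200, 0x200, 0x60000020)
    cert = b""
    if signed:
        blob = b"PLACEHOLDER-PKCS7"                  # stands in for the SignedData blob
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, PKCS_SIGNED_DATA) + blob
        cert = cert.ljust(-(-len(cert) // 8) * 8, b"\0")   # pad entry to 8 bytes
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, 0x400, len(cert))
    head = (dos + b"PE\0\0" + coff + bytes(opt) + text).ljust(0x200, b"\0")
    return head + b"\xCC" * 0x200 + cert
```

On the constructed sample, the signed and unsigned images have byte-identical `.text` data; only the directory entry in the header and the appended certificate table differ.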
Note
The Hardware Certification Kit (HCK) includes test categories for various device types. You can review the list of test categories for Windows Hardware Lab Kit (HLK) in the HLK API reference. If a test category for the device type is included in this list, the software publisher should obtain a Windows Hardware Quality Labs (WHQL) release signature for the driver package. However, if the HCK doesn't have a test program for the device type, the software publisher can sign the driver package by using the Microsoft Authenticode technology. For more information, see Signing drivers for public release.