Driver Signing

A signed driver is a device driver that includes a digital signature. A digital signature is an electronic security mark that indicates the publisher of the software, as well as whether someone has changed the original contents of the driver package. If a driver has been signed by a publisher that has verified its identity with a certification authority, you can be confident that the driver actually comes from that publisher and hasn’t been altered.

Because device drivers run with system-level privileges and can access anything on your computer, it is critical that you trust the device drivers that you install. Trust, in this context, includes two main principles:

• Authenticity is an assurance that the driver package came from its claimed source. It cannot be malicious code masquerading as something legitimate.
• Integrity is an assurance that the package is 100 percent intact, and has not been modified by anyone after it was released.

Windows uses digital certificates and digital signatures to provide support for these principles. A digital certificate identifies an organization, and it is trustworthy because it can be checked electronically by a certification authority (CA). A digital signature uses information in the organization’s digital certificate to encrypt specific details about the package.

The encrypted information in a digital signature includes a thumbprint, or hash, for each file included with the package. The thumbprint is generated by a special cryptographic algorithm referred to as a hashing algorithm. The algorithm generates a thumbprint that can only be recreated by using that file’s contents. Changing a single bit in the file changes the thumbprint. After the thumbprints are generated, they are combined together into a catalog, and then encrypted.

Important The 64-bit versions of Windows 7 and Windows Vista require that all kernel mode device drivers be signed with a Software Publishing Certificate issued by an authorized third-party certification authority. If you use a 64-bit version of Windows, then you need a driver package that is signed.

Signing Warnings

Windows will alert you with one of the following messages if a driver is not signed, is signed by a publisher that has not verified its identity with a certification authority, or has been altered since it was released. If you see any of these messages when attempting to install a driver, you should visit your device manufacturer’s support website to obtain a digitally signed driver for your device.

• Windows can’t verify the publisher of this driver

o This driver either doesn’t have a digital signature, or it has been signed with a digital signature that was not verified by a certification authority. You should only install this driver if you obtained it from an original manufacturer’s disc or from your system administrator.

• This driver has been altered

o This driver was altered after it was digitally signed by a verified publisher. The package may have been altered to include malicious software that could harm your computer or steal information. In rare cases, legitimate publishers do alter driver packages after they have been digitally signed. You should only install an altered driver if you obtained it from an original manufacturer’s disc.

• Windows cannot install this driver

o A driver that lacks a valid digital signature, or that was altered after it was signed, can’t be installed on x64-based versions of Windows. As a result, you will only see this message if you are running an x64-based version of Windows.