almanach display
Tip: Launch the Signature Verification Tool from MSInfo.
Digital signing creates substantial benefits for the industry, including improved
system stability and reduced TCO. It is also beneficial for system administrators
who are given a mechanism to set policies for driver installation.
What is Driver Signing?
Driver Signing uses the existing Digital Signature cryptographic technology to
store identifying information in a "catalog file" (*.cat, or CAT file). CAT files
are stored in <Windir>\Catroot. This information identifies the driver as
having passed testing by WHQL (Windows Hardware Quality Labs). No change is made
to the driver binary itself. Instead, a CAT file is created for each driver package
and the CAT file is signed with a Microsoft digital signature. The relationship
between the driver package and its CAT file is referenced in the driver’s INF
file and is maintained by the system after the driver is installed.
INF File Changes
The digital signature is stored in a CAT file. The following modifications to
INF files are required for hardware / software vendors who want to obtain digital
signature for their drivers:
- In the [Version] section of the INF, the entry CatalogFile = <filename.cat>
is added.
- An entry for the CAT file in the [SourceDisksFiles] section is added
Procedure
A vendor submits a driver package to WHQL that includes files named Sample.inf,
Sample.drv, and Sample.txt. If the package passes WHQL testing, WHQL will return
the original Sample.inf, Sample.drv and Sample.txt with the addition of Sample.cat
Signature Verification Tool [SIGVERIF.EXE]
The utility searches either for non-signed files or signed files depending on
the selection of this list box. A signed file is a file that has been granted
a Microsoft digital signature. The signature states that the file is an unaltered
copy of the original file. The intent is an easy to use tool that can quickly
display any non-Microsoft certified files.
Using the Signature Verification Tool
Launch the tool from MSInfo or Start, Run and type Sigverif. The default search
is for non-signed files. The tool's functionality is similar to the Find utility.
In addition, the result view includes two new columns OS Platform and Signed
By.
Signatures and System Policies
Windows 98 and Windows NT 5.0 provide users with the opportunity to set a three-level
system policy for driver installation:
Level 1
Allows the user to disable digital signature checking. If signature checking
is disabled, a dialog box identifying whether the driver was digitally signed
will not appear at the time of driver installation, and all drivers will be
allowed to be installed on the system whether signed or not.
Level 2
Allows the user to detect whether the driver being installed has passed WHQL
testing. In this case, a message appears whenever a user tries to install a
driver that fails the signature check.
Level 3
Allows the user to block installation of a driver that fails the signature check.
A dialog box will inform the user that the driver cannot be installed because
it is not digitally signed.
Certificate Property Sheet
To view the signature, right click a .CAT file for properties and click the
Digital Signatures button. The Signature list with a Details button appears.
Choosing Details reveals a new Window showing a General and an Advanced option:
If you choose View Certificate all details for this certificate will be displayed: