almanach display

What is Driver Signing?
Driver Signing uses the existing Digital Signature cryptographic technology to store identifying information in a "catalog file" (*.cat, or CAT file). CAT files are stored in <Windir>\Catroot. This information identifies the driver as having passed testing by WHQL (Windows Hardware Quality Labs). No change is made to the driver binary itself. Instead, a CAT file is created for each driver package and the CAT file is signed with a Microsoft digital signature. The relationship between the driver package and its CAT file is referenced in the driverís INF file and is maintained by the system after the driver is installed.

INF File Changes
The digital signature is stored in a CAT file. The following modifications to INF files are required for hardware / software vendors who want to obtain digital signature for their drivers:
- In the [Version] section of the INF, the entry CatalogFile = <> is added.
- An entry for the CAT file in the [SourceDisksFiles] section is added

A vendor submits a driver package to WHQL that includes files named Sample.inf, Sample.drv, and Sample.txt. If the package passes WHQL testing, WHQL will return the original Sample.inf, Sample.drv and Sample.txt with the addition of

Signature Verification Tool [SIGVERIF.EXE]
The utility searches either for non-signed files or signed files depending on the selection of this list box. A signed file is a file that has been granted a Microsoft digital signature. The signature states that the file is an unaltered copy of the original file. The intent is an easy to use tool that can quickly display any non-Microsoft certified files.

Tip: Launch the Signature Verification Tool from MSInfo.

Using the Signature Verification Tool
Launch the tool from MSInfo or Start, Run and type Sigverif. The default search is for non-signed files. The tool's functionality is similar to the Find utility. In addition, the result view includes two new columns OS Platform and Signed By.

Signatures and System Policies
Windows 98 and Windows NT 5.0 provide users with the opportunity to set a three-level system policy for driver installation:
Level 1
Allows the user to disable digital signature checking. If signature checking is disabled, a dialog box identifying whether the driver was digitally signed will not appear at the time of driver installation, and all drivers will be allowed to be installed on the system whether signed or not.
Level 2
Allows the user to detect whether the driver being installed has passed WHQL testing. In this case, a message appears whenever a user tries to install a driver that fails the signature check.
Level 3
Allows the user to block installation of a driver that fails the signature check. A dialog box will inform the user that the driver cannot be installed because it is not digitally signed.

Certificate Property Sheet
To view the signature, right click a .CAT file for properties and click the Digital Signatures button. The Signature list with a Details button appears. Choosing Details reveals a new Window showing a General and an Advanced option:

If you choose View Certificate all details for this certificate will be displayed:

Digital signing creates substantial benefits for the industry, including improved system stability and reduced TCO. It is also beneficial for system administrators who are given a mechanism to set policies for driver installation.