Menu

Code Signing Kernel Mode Driver on Windows

Jan 6, 2026

OVERVIEW: This page walks you through the process of Code Signing Kernel Mode Driver on the Windows platform. At the completion of this procedure, you will be able to sign a Kernel Mode Driver in Windows platform. For more Code Signing guidelines, please refer to this page

 

Prerequisites

ADVISORY: Windows 7 has recently been patched by Microsoft to support SHA256 signatures. Starting January 26, 2021, GlobalSign will no longer offer SHA-1 Authenticode and CodeSign Timestamping services.

Important SignTool Options

  • /ac Specify an Additional Certificate.
  • /f  Specify the signing Certificate in a file.
  • /p  Specify the password for the signing Certificate.
  • /fd Specify the file digest algorithm used in creating file signatures.
    • E.g. /fd sha256 to place a SHA256 signature (SHA1 is default).
  • /n "Certificate Common Name" Specifies the Certificate to sign the file from your Windows Certificate Store using the Certificate common name.
  • /t  Specify a Microsoft Authenticode compatible time stamp server.
  • /tr Specify an RFC 3161 compliant trusted time stamp server.

Guidelines

  1. In order for your driver to install successfully, the following file types in your project must be signed:
     
    • .sys
    • .cat
  2. You can either sign these files out of a working directory, or you can place them in your Windows SDK\bin folder.
  3. Acquire the Microsoft Code Signing Cross Certificate for GlobalSign and place it into your working directory.
  4. Use the following signtool command to sign the code:

    signtool sign /ac MSCrossCert.crt /f CodeSign.pfx /p password1234 /tr http://timestamp.globalsign.com/tsa/r45standard filter.sys

    This code will place a signature including the Cross Certificate, that is timestamped in compliance with RFC 3161.
  5. Next verify your signature using the following signtool command.

    signtool verify /v /kp

    -v is for a verbose output and -kp validates it according to kernel mode driver signing criteria.

    The output should look like this:
    Step 5.png
  6. Repeat the same process with the .cat file.
  7. Once the driver has been signed, you can install the properly signed driver.
    If the driver is signed properly the install screen will look like this (Windows 7):

    Step 7.png

Additional Resources

Full list of SignTool commands:
http://msdn.microsoft.com/en-us/library/8s9b9yaz%28v=vs.110%29.aspx

Kernel-Mode Code Signing Walkthrough:
http://msdn.microsoft.com/en-us/windows/hardware/gg487328.aspx

Digital Signatures for Kernel Modules on Windows:
http://msdn.microsoft.com/en-us/library/windows/hardware/gg487332.aspx

Related Articles

Code Signing Best Practices

Mar 2, 2020, 6:33 AM

GlobalSign recommends that developers follow best practices for the Code Signing process and for securely generating and storing private keys.

Read More

Order EV Code Signing Certificate (HSM-Based)

Mar 2, 2020, 6:51 AM

Read More

Download and Install Code Signing Certificate (HSM-Based)

Mar 2, 2020, 7:10 AM

This page walks you through the process of downloading and installing you GlobalSign Code Signing Certificate using HSM. At the completion of this procedure, your Certificate will be ready to place signatures on drivers, executables, and other files.

Read More

GlobalSign System Alerts

View recent system alerts.

View Alerts

Atlas Discovery

Scan your endpoints to locate all of your Certificates.

Sign Up

SSL Configuration Test

Check your certificate installation for SSL issues and vulnerabilities.

Contact Support