Why does a hardware driver need a WHQL digital signature


A hardware driver needs a WHQL digital signature so that it installs, starts and runs normally on Windows, and so that it can be installed silently.

Among desktop operating systems, Windows holds the dominant market share, and the various versions of Windows together account for most of the market. Many industrial hardware devices therefore have to be made compatible with Windows. That inevitably involves a device driver (the driver is the bridge through which the hardware device and Windows exchange data; without it the device cannot work). Windows, however, imposes an important requirement on the installation, startup and operation of a driver: the driver files must be digitally signed.

If the driver file has been WHQL-signed through Watcom CA, right-clicking the file and opening Properties shows a “Digital Signatures” tab. Clicking Details there shows the specifics of the signing certificate.

What happens if the driver is installed without a digital signature? Let’s look at the following screenshot:

When a driver without a WHQL signature is installed, Windows prompts with warnings such as “Windows cannot verify the publisher of this driver software” or reports that the driver does not have a valid digital signature:

Moreover, once a driver without a digital signature is installed, the device shows an exclamation mark in Device Manager and cannot start, as shown in the following figure:

So if a hardware driver lacks a digital signature issued by Microsoft, Windows intercepts it during installation and warns that there is no digital signature or that the driver has no publisher; more likely still, the device driver will not start and the device will not work. All of this comes from Microsoft's protection of the Windows system against damage by drivers that have not been authenticated through a digital signature: a driver executes important instructions in the system kernel, and a small mistake there can crash Windows with a blue screen.
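The two symptoms described above (the missing or invalid signature on the file, and the device left in an error state in Device Manager) can both be checked from PowerShell instead of by clicking through Properties and Device Manager. The script below is an added example, not code from the original article: it lists the Authenticode or catalog signature status of every driver under the system drivers directory, flags signers other than Microsoft's hardware compatibility publisher, and then lists present devices that are in the error state. It assumes an elevated PowerShell session on Windows; the directory path and the signer-name pattern are assumptions for the example.

```powershell
# Added example (not from the original article). Assumes elevated PowerShell on Windows.
# Inspect the signature of each kernel driver file and flag anything that would
# trigger the "cannot verify the publisher" warning or block the driver from starting.

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'   # assumed sample input directory

$results = Get-ChildItem -Path $driverDir -Filter '*.sys' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Get-AuthenticodeSignature also resolves catalog signatures on Windows 8 and later,
        # so inbox drivers that carry no embedded signature are still reported as Valid.
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

        [pscustomobject]@{
            File          = $_.Name
            Status        = $sig.Status           # Valid, NotSigned, HashMismatch, UnknownError, ...
            SignatureType = $sig.SignatureType    # Authenticode (embedded) or Catalog
            Signer        = $subject
            NotAfter      = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
            # WHQL-signed third-party drivers are signed by Microsoft's hardware publisher
            # certificate; this pattern is an assumption used to separate them from other signers.
            MicrosoftHardwareSigner = $subject -like '*Microsoft Windows Hardware Compatibility Publisher*'
        }
    }

Write-Host "Drivers whose signature is missing or does not verify:"
$results | Where-Object { $_.Status -ne 'Valid' } | Format-Table File, Status, Signer -AutoSize

Write-Host "Validly signed drivers not signed by Microsoft's hardware publisher:"
$results | Where-Object { $_.Status -eq 'Valid' -and -not $_.MicrosoftHardwareSigner } |
    Format-Table File, SignatureType, Signer, NotAfter -AutoSize

# The exclamation-mark state in Device Manager corresponds to Status = ERROR in Get-PnpDevice.
Write-Host "Present devices currently in the error state:"
Get-PnpDevice -PresentOnly -Status ERROR |
    Select-Object Status, Class, FriendlyName, InstanceId | Format-Table -AutoSize
```

For a single driver file, the Windows SDK's `signtool verify /v /kp <file>.sys` performs the same check against the kernel-mode code-signing policy and prints the full certificate chain, which is the quickest way to confirm whether a package will install without the warnings shown above.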

A driver developer may ask: I can sign the driver with a code signing certificate, so why is a WHQL signature needed?

Because, under Microsoft's new policy, the third-party kernel-mode code signing cross-certificates trusted by Microsoft expire in April 2021, after which Microsoft becomes the provider of Windows kernel-mode code (driver) signatures. In other words, a code signing certificate issued by a third-party CA could previously be used to sign drivers because Microsoft supplied a cross-certificate that was applied at signing time. Now that Microsoft's cross-certificates have expired, the driver signing rules have effectively changed. Since a driver runs in kernel mode, most drivers must pass WHQL testing and certification to obtain a digital signature officially issued by Microsoft before they will work normally.

The following is the expiry date of the trusted cross-certificates that Microsoft issued to third-party CAs:

At the same time, a driver that has passed WHQL testing, certification and signing installs silently without any warning, which gives users a good experience and gives the driver good stability. It does not produce the trusted-publisher warning shown below, which appears when installing a driver signed only with a code signing certificate:

WHQL signature certification has its own complexity and a certain technical threshold. For many individual driver developers, and for developers at companies that build drivers, it is hard to master in detail: setting up the certification environment, understanding Microsoft's signing policy, making the driver signature work across the various versions of Windows, and even making the driver changes that certification requires.