How to get KMDF driver digital signature for release package (without test mode)

Hi,

I have developed a KMDF driver for an ISA card in Windows 10 IoT. The driver is working fine; I have tested the driver with ‘test mode’ (enable kernel test mode - bcdedit /set testsigning on). Now I have to release the driver package to the client, so it should work in normal mode (without test mode). If I disable test mode and install the driver, it shows "Windows cannot verify the digital signature for the drivers required for this device." in Device Manager and the driver is not working properly.

I have read a lot about getting a digital signature, but it is still confusing. My driver is not universal, and I will not release it to the public; it belongs to specific embedded HW.

  1. Is it necessary to get a driver signature from Microsoft?
  2. Shall we skip this by any legal ways?
  3. If not, please guide me to get a release signature.

Thanks in advance
Mohan.

If you can figure out a way to do the signing yourself, now that Microsoft has torn down the cross certificates, and if your clients are willing to run with “Secure Boot” turned off in the BIOS, then you shouldn’t need the signature. At least, I THINK this was true. It certainly was in the early years of Windows 10.

However, it’s not all that painful to get a Hardware Dashboard account and submit your driver for attestation signing.

  1. Is it necessary to get a driver signature from Microsoft?

Yes.

  2. Shall we skip this by any legal ways?

No.

  3. If not, please guide me to get a release signature.

You want to use “Attestation Signing”… see https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/code-signing-attestation.

Thanks for the reply!!

My client is willing to work in ‘test mode’, but they want to know whether it will create any potential issues when running the system for a long time in test mode.

If it will create any issues, we need to go for a driver signature. I can’t find information anywhere on how much time & cost is needed for that.
Please help me with these time & cost details.

Thanks,
Mohan.

Your client does not want to run their system(s) in test mode. This is a security vulnerability.

Read what I already wrote: You want to use attestation signing. The time and cost depend on you.