Alternative driver signing method for Windows 10 using libwdi without EV certificate

You may have an existing driver which was already signed, but if you then need to add some variants (e.g. adding a VID/PID combination to an existing driver package), it will break the existing signature of the driver package.

There is a way to install this new driver package without getting a new EV signing certificate.

Ref: libwdi wiki:
https://github.com/pbatard/libwdi/wiki/FAQ#What_are_these_USBVID_PID_MI__Autogenerated_certificates_that_libwdi_installs_in_the_Trusted_certificate_stores

The method is actually generic and not limited to USB drivers. You should be able to sign the driver package by using the same method and then create an installer.

You can use dpscat (which uses libwdi) from the libusbK project to make things a bit easier. You can use it to sign the driver package and then use dpinst/dpinst64 to install the driver package; you can also create a driver installer.

dpscat:
https://github.com/mcuee/libusbk/tree/master/libusbK/src/dpscat

Past discussions:
https://community.osr.com/discussion/271918/libwdi-and-windows-10

I believe there is a limitation that the kernel driver (.sys file) itself has to be signed and timestamped.

This method may be useful for those niche driver packages and niche use cases.

This method, of course, requires that the end user trust you enough to add a certificate to their “trusted store”. In addition, this will only work pre-Windows 10. If you have “secure boot” set with Windows 10, your driver binary must be signed by Microsoft.

Yes, of course the end user needs to trust the driver package provider.

The precondition is that the driver binary (.sys) file was signed prior to Windows 10 (for a non-Microsoft driver) with a valid time stamp; it does not need to be signed by Microsoft, but it must be signed with a code signing certificate that was valid at the time of the timestamp. For example, libusb0.sys version 1.2.6.0 was signed in Jan 2012 with a GlobalSign code signing certificate (SHA1). libusbk.sys version 3.0.7.0 was signed in April 2014 with a DigiCert EV code signing certificate (SHA1). WinUSB.sys itself is signed by Microsoft. You can use any other driver which meets this requirement.

With this precondition, the driver package (sys, inf, cat, etc) does work under Windows 10, with secure boot on.

I have tested this method along the way since 2015 to now across different versions of Windows 10, with secure boot on.
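As an added example (not code from this thread, libwdi or libusbK), the following PowerShell script checks the precondition described above before relying on the method: that each .sys in the package carries an Authenticode signature with a timestamp, and shows which certificate signed it. It then reports the state of the .cat signature after dpscat has signed the package, and lists certificates in the machine Root and TrustedPublisher stores that look like libwdi autogenerated ones. The driver directory path and the `CN=USB\VID_*` subject pattern are assumptions; adjust them for your own package and certificate.

```powershell
# Added example, not code from the thread, libwdi or libusbK.
# Assumed input: $DriverDir holds the package (.inf, .cat, .sys) that dpscat signed.
# The 'CN=USB\VID_*' subject pattern for libwdi autogenerated certificates is an
# assumption based on the wiki page linked in the thread; adjust it as needed.
param(
    [string]$DriverDir = 'C:\drivers\my_usb_driver'
)

# Precondition from the thread: the kernel binary must carry a signature AND a
# timestamp, from a code signing certificate that was valid at signing time.
function Get-KernelBinarySignatureReport {
    param([string]$SysPath)
    $sig = Get-AuthenticodeSignature -FilePath $SysPath
    [pscustomobject]@{
        File         = Split-Path -Path $SysPath -Leaf
        Status       = $sig.Status                      # Valid, NotSigned, NotTrusted, HashMismatch, ...
        Signer       = $sig.SignerCertificate.Subject
        CertValidity = $(if ($sig.SignerCertificate) {
                           "$($sig.SignerCertificate.NotBefore) - $($sig.SignerCertificate.NotAfter)"
                        })
        CertSigAlg   = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName  # e.g. sha1RSA / sha256RSA
        Timestamper  = $sig.TimeStamperCertificate.Subject  # $null means the signature is not timestamped
        IsOSBinary   = $sig.IsOSBinary                  # $true for Microsoft-signed binaries such as WinUSB.sys
    }
}

# After dpscat has signed the package, the .cat validates only once the generated
# certificate is in the Root store; before that it reports NotTrusted/UnknownError.
function Get-CatalogSignatureReport {
    param([string]$DriverDir)
    Get-ChildItem -Path $DriverDir -Filter *.cat | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File       = $_.Name
            Status     = $sig.Status
            Signer     = $sig.SignerCertificate.Subject
            Thumbprint = $sig.SignerCertificate.Thumbprint
        }
    }
}

# Review step for the machine owner: which per-device certificates have been added
# to the trusted stores by this method (subject pattern is an assumption).
function Get-AutogeneratedDriverCerts {
    param([string]$SubjectPattern = 'CN=USB\VID_*')
    foreach ($store in 'Root', 'TrustedPublisher') {
        Get-ChildItem -Path "Cert:\LocalMachine\$store" |
            Where-Object { $_.Subject -like $SubjectPattern } |
            Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
    }
}

Get-ChildItem -Path $DriverDir -Filter *.sys | ForEach-Object {
    Get-KernelBinarySignatureReport -SysPath $_.FullName
} | Format-Table -AutoSize

Get-CatalogSignatureReport -DriverDir $DriverDir | Format-Table -AutoSize
Get-AutogeneratedDriverCerts | Format-Table -AutoSize
```

A .sys row with an empty Timestamper column or a Status other than Valid does not meet the precondition, and the package should not be expected to load with secure boot on. The last table is the part an administrator will care about when reviewing a machine, since each libwdi run adds another per-device certificate to the trusted stores.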

https://community.osr.com/discussion/271918/libwdi-and-windows-10

From Tim in Nov 2015:
libwdi is an open source installer for USB drivers, designed
specifically as a companion for the libusb generic USB library, which
requires a kernel driver (either WinUSB or one of the alternatives that
were created before WinUSB existed). They generate a new certificate
for each run, then install that certificate in the “Trusted Certificate
Store”. By generating a new certificate each time, rather than using
some common certificate, they are trying to maintain a semblance of
security and accountability.

The scheme satisfies KMCS prior to Windows 8, and for the time being
even works on Windows 10. This is yet another data point that
contradicts the “attestation required” assertion, because these test
certificates are, of course, being generated after the magic August 1
date. The evidence strongly suggests that the attestation requirement
has not yet been enabled, and is waiting for some magic date to crush us
all.