Posted on August 29, 2014 · Posted in Windows 7

How to Sign an Unsigned Driver for Windows 7 x64

By default, all 64-bit versions of Windows, starting with Windows 7, refuse to install device drivers that do not have a valid digital signature. The digital signature guarantees (to some extent) that the driver was issued by a particular developer or vendor and that its code hasn't been modified since it was signed.

In Windows 7 x64, there are several ways to disable verification of the digital signature of a driver being installed: with a group policy or with a test boot mode.

Today we’ll show how to sign any unsigned driver for the 64-bit version of Windows 7.

Important. This article applies to Windows 7 only; you won't be able to sign a driver for Windows 8 or Windows 8.1 using this method.

Suppose we have a device driver for Windows 7 x64 that has no digital signature (in our example, it is the driver for a quite old video card). The archive with drivers for our Windows version has been downloaded from the manufacturer's website and its contents have been extracted to c:\tools\drv1\. Let's try to install the driver by adding it to the Windows driver store with the standard tool pnputil:

pnputil -a c:\tools\drv1\xg20gr.inf

Note. This command and all the following ones are run from a command prompt with administrator privileges.

During installation, the system displays a warning that it cannot verify the digital signature for this driver.


Let’s try to sign this driver with a self-signed certificate.

What Tools We Need

For our work, we need to download and install (with default settings) the following Windows app development tools.

Tip. Before installing these tools, make sure that you have the .NET Framework 4 installed.

Create a Self-Signed Certificate and Private Key

Create a C:\DriverCert folder in the root directory.

Open the command line and go to the following directory:

cd C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1\bin

Create a self-signed certificate and private key, issued, say, for the company WinOSHub:

makecert -r -sv C:\DriverCert\Drivers.pvk -n CN="WinOSHub" C:\DriverCert\Drivers.cer

During creation, the tool prompts you to specify a password for the key; let it be P@ss0wrd.


Create a public key for the publisher certificate (PKCS) we created earlier:

cert2spc C:\DriverCert\Drivers.cer C:\DriverCert\Drivers.spc

Combine the public key (.spc) and the private key (.pvk) into a single certificate file in Personal Information Exchange (.pfx) format:

pvk2pfx -pvk C:\DriverCert\Drivers.pvk -pi P@ss0wrd -spc C:\DriverCert\Drivers.spc -pfx C:\DriverCert\Drivers.pfx -po P@ss0wrd

Preparation of the Driver Package

Create the directory C:\DriverCert\xg20 and copy into it all files from the folder where the driver archive was originally extracted (c:\tools\drv1\). Make sure that files with the extensions .sys and .inf are among them (in our case, they are xg20grp.sys and xg20gr.inf).

Go to the directory:

cd C:\WinDDK\7600.16385.1\bin\selfsign

Generate a CAT file (which contains information about all the files in the driver package) based on the INF file:

inf2cat.exe /driver:"C:\DriverCert\xg20" /os:7_X64 /verbose


To make sure that the procedure was correct, check if the log file contains the messages:

Signability test complete.


Catalog generation complete.

After the command is executed, in the driver directory should be updated

Sign the Driver with the Self-Signed Certificate

Go to the directory

cd C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1\Bin

Sign the set of driver files with the certificate we created, using Verisign as the timestamp service:

signtool sign /f C:\DriverCert\Drivers.pfx /p P@ss0wrd /t /v C:\DriverCert\xg20\


Note. The digital signature of the driver is contained in the .cat file referenced in the .inf file.

Installing the Certificate

Since the certificate we created is self-signed, the system doesn't trust it by default. Add the certificate to the local machine certificate stores. You can do it using the following commands:

certmgr.exe -add C:\DriverCert\Drivers.cer -s -r localMachine ROOT
certmgr.exe -add C:\DriverCert\Drivers.cer -s -r localMachine TRUSTEDPUBLISHER

Alternatively, use the graphical certificate import wizard (the certificate should be placed in the Trusted Publishers and Trusted Root Certification Authorities stores).


Note. You can check that the certificate we created is in the list of trusted certificates by opening the certificate management snap-in (certmgr.msc) and making sure that our certificate (issued for our company) is in the corresponding stores.
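
To audit the trust change made above, the following PowerShell function (an added example, not part of the original article; the function name Get-SelfSignedPublisherTrust is hypothetical) lists self-signed certificates that sit in both the Trusted Publishers and Trusted Root Certification Authorities machine stores and reports whether an Enhanced Key Usage (EKU) extension limits what each one can be used for.

```powershell
# Added audit example (not from the original article).
# Lists self-signed certificates trusted on this machine both as a root CA and
# as a publisher, which is the state the two certmgr.exe commands create.
function Get-SelfSignedPublisherTrust {
    # Index the machine root store by thumbprint for quick lookup.
    $rootThumbprints = @{}
    Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object {
        $rootThumbprints[$_.Thumbprint] = $true
    }

    Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object {
        # Name-based self-signed check, plus presence in the root store.
        ($_.Subject -eq $_.Issuer) -and $rootThumbprints.ContainsKey($_.Thumbprint)
    } | ForEach-Object {
        $cert = $_
        # Look for the Enhanced Key Usage extension on the certificate.
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if ($ekuExt) {
            # Report the purposes the certificate is limited to, as OIDs.
            $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
            $eku = $oids -join ', '
        } else {
            # No EKU extension: the certificate is not limited to any purpose.
            $eku = '(none: valid for all purposes)'
        }
        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Eku        = $eku
        }
    } | Select-Object Subject, Thumbprint, NotAfter, Eku
}

# Show the result as a table; an empty result means no such certificate exists.
Get-SelfSignedPublisherTrust | Format-Table -AutoSize
```

A certificate made with makecert without the -eku option, as in this article, has no EKU extension, so as a trusted root it is accepted for every purpose and not only for code signing. Its private key files (Drivers.pvk and Drivers.pfx) need to be protected accordingly.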


Installation of the Driver Validated with the Self-signed Certificate

Try to install the driver we have signed again using the command:

pnputil -i -a C:\DriverCert\xg20\xg20gr.inf

Now you won't see the warning about the missing digital signature of the driver; instead, the system only asks whether you are sure you want to install this driver. By clicking "Install", you install the driver in the system.


