I am developing a product which utilizes an MSP430 microcontroller with a built-in USB module. I obtained a PID from Texas Instruments and used their tools to generate the descriptors, as well as a .inf file to install the driver software. The obvious issue is that due to the custom nature of these files, a popup is presented (on Windows 7) upon plugging in the USB cable that warns the user that the driver is not signed. I believe on Windows 8 and Windows 10 it simply blocks it and does not indicate this to the user at all.
As this is a full-featured product which my company is planning to release, we need to obtain a driver certificate (I believe in the form of a .cat file?) that we can provide to the customer so that they can install the device driver software without issue.
I have been through quite a bit of the Microsoft documentation (most notably this document) trying to get a grasp of what is required in order to get a driver signed, but unfortunately this is over my head at the moment.
This is what I think I understand so far:
- I need to submit my driver (.inf file?) to a Microsoft-authorized certificate authority (CA). There are a number of these out there, so I would need to find one that signs drivers.
- After selecting a CA, generally I will need to pay an annual fee (most commonly for 1, 2, or 3 years) for their service. Any drivers I generate during this time will be permanently signed, even after the service expires. If I want to change the driver or create a new one after the service has expired, I will need to buy service for another 1, 2, or 3 years.
- After paying the fee, the CA will generate a .cat file, which is a certificate assuring that the driver I gave them will not be changed. If it does, it will no longer match the .cat file and an error will appear during installation.
Is this correct? At the risk of sounding like I'm seeking recommendations for specific CAs (I'm not, mind you), where can I find a list of CAs that are able to do this certification for me? Even better would be their websites and/or prices for different service durations. Has anyone here had direct experience getting a driver for a USB microcontroller-based product signed by a CA, who would be able to help me understand and get through the process? I have already posted to the MSDN forums but it seems pretty dead there – It's been two days and my thread only has a handful of views.
Best Answer
It's not so bad, actually. I've done this a few times at work, writing and signing an .INF/.CAT for a Microchip PIC24FJ64GB002-based USB CDC-ACM-to-I2C interface.
1. Establish a relationship with a certificate authority. You will need to provide them some basic information which they will validate. If you go for Extended Validation (EV) they will ask for a lot more, but you shouldn't need to go that far. Thawte, DigiCert and Comodo are some examples of CAs.
2. Purchase an Authenticode code-signing certificate from the CA. This is what you need to sign the .CAT file associated with your .INF file. You don't need a kernel-mode certificate for this level of signing.
3. Install the certificate (goes without saying).
4. Download the Windows SDK framework and Windows Driver Kit to get the Microsoft tools needed (catalog generation and signing).
5. Package and sign the drivers:
From this point you could make some sort of driver installer, or use dpinst from the SDK to do basic installation automation.
EDIT: Notes from various comments below:
Further expansion on your questions:
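The catalog generation and signing step from the answer above, as an added example that is not part of the original answer: it builds the .CAT with Inf2Cat, signs it with SignTool using the certificate installed in the user's store, then checks that the .INF still matches the signed catalog. The driver folder, file names, certificate subject, OS list and timestamp URL are placeholders chosen for illustration; Inf2Cat.exe and signtool.exe are assumed to be on the PATH.

```powershell
# Added example: package and sign a driver folder (.inf + .cat) with the WDK/SDK tools.
# Every path, name and URL below is a placeholder (assumption), not a value from the page.
$ErrorActionPreference = 'Stop'

$DriverDir    = 'C:\work\mydevice-driver'            # folder holding the .inf
$CatFile      = Join-Path $DriverDir 'mydevice.cat'  # must match CatalogFile= in the .inf
$CertSubject  = 'Example Company, Inc.'              # subject of the installed code-signing cert
$TimestampUrl = 'http://timestamp.example.com'       # placeholder: your CA's RFC 3161 server
$OsList       = '7_X86,7_X64,8_X86,8_X64,10_X86,10_X64'

function Invoke-Tool {
    # Run a native tool and stop the script on a non-zero exit code.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# Pre-check: Inf2Cat only produces a catalog the .inf actually names.
$inf = Get-ChildItem -Path $DriverDir -Filter *.inf | Select-Object -First 1
if (-not $inf) { throw "No .inf file found in $DriverDir" }
if (-not (Select-String -Path $inf.FullName -Pattern '^\s*CatalogFile(\.\w+)?\s*=' -Quiet)) {
    throw "$($inf.Name) has no CatalogFile= entry in its [Version] section"
}

# 1. Generate the catalog: hashes of every file in the driver package.
Invoke-Tool 'Inf2Cat.exe' @("/driver:$DriverDir", "/os:$OsList", '/verbose')

# 2. Sign the catalog and timestamp it, so the signature remains valid
#    after the code-signing certificate itself expires.
Invoke-Tool 'signtool.exe' @('sign', '/n', $CertSubject, '/fd', 'sha256',
                             '/tr', $TimestampUrl, '/td', 'sha256', '/v', $CatFile)

# 3. Verify the catalog signature, then verify the .inf against the catalog.
#    Editing the .inf after this point makes the second check fail.
Invoke-Tool 'signtool.exe' @('verify', '/pa', '/v', $CatFile)
Invoke-Tool 'signtool.exe' @('verify', '/pa', '/v', '/c', $CatFile, $inf.FullName)
```

Run the script again after any change to the .INF, since the catalog stores a hash of each packaged file and has to be regenerated and re-signed.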