What do I have to do and how much does it cost to get a device driver for Windows Vista / 7 (32 and 64 bit) signed?

Question

I've got some drivers which are basically LibUSB-Win32 with a new .inf file to describe product/vendor IDs and strings which describe my hardware. This works fine for 32 bit windows, but 64 bit versions have problems; namely that Microsoft in their wisdom require all drivers to be digitally signed.

So my questions are thus:

1. Is there a version of the LibUSB-Win32 drivers which are already signed I could use?
2. If there aren't already some signed ones I can canibalise, what exactly do I have to do to get my drivers signed.
3. Do I need to get 64 and 32 bit versions signed separately and will this cost more?
4. Is this a free alternative to getting them signed?
5. Are there any other options I should consider besides requiring that my customers boot into test mode each time they start their machines (not an option I'd consider).
6. Are there any other options for code signing apart from Verisign? Obviously a free/open source initiative like OpenID would be awesome ;-)

Answer 1

There are two separate issues at hand:

1. Signing the image file (i.e. the driver.sys file) to satisfy Kernel Mode Code Signing (KMCS)
2. Signing the driver package to satisfy driver installation (i.e. the driver.cat file).

If you take an existing driver signed by another entity (be it Microsoft's WinUSB or libusb-win32), that'll satisfy KMCS.

As to driver installation, you'd need your own Code Signing Certificate to sign a .cat file, which verifies that your .inf and the files it refers to (e.g. your .sys files) were not modified and truly come from you. It's somewhat less of a problem, since unlike KMCS (which stops your driver from loading), it won't prevent your driver from being installed but just present a warning to the user.

A Code Signing Certificate (make sure it supports KMCS!) will cost you hundreds of USD, depends on the CA you choose. Some might have plans which allow you to pay per signing event rather then globally per year. If you don't need to release many versions, this might be cheaper for you.

Answer 2

You might be able to get away with trying the libusb-winusb version of libusb which tries to implement most of the existing functionality around the winusb driver (which is a signed MS binary so you don't need to do it yourself). However YMMV as winusb doesn't 100% map to all the functionality required in libusb.