v 1
July 5, 2020

HID Virtual Driver Kit

The to Emulate

Joystick, Keyboard and Mouse for Windows 7, 8, 8.1, 10 64 bit

Driver Signing

Why do Drivers Need to be Signed?

Microsoft has gradually increased the security around drivers and has for some time now required that drivers need to be signed before they can be installed. There are workarounds for installing unsigned drivers, such as disabling driver integrity checks, booting into test mode, or using the advanced boot menu. However, these workarounds are not practical for most users as they degrade the system security.

HVDK drivers are user-mode, so they require an OV (Organization Verification) code-signing certificate AND a compatible cross-signing certificate.

NOTE: if you plan to sign the drivers, you will need to purchase an OV (Organization Verification) code-signing certificate AND a compatible cross-signing certificate. Not all certificate vendors supply a code-signing certificate, so make sure a cross-signing certificate is available for your code-signing certificate. Using a more expensive EV (Extended Validation) *may* work, but we have not been able to confirm this. EV certificates are require to to sign kernel-mode drivers.

The Signed Drivers

HVDK Standard and Professional comes with drivers that are already signed by Tetherscript. You don’t need to sign these drivers. Right-click on /keyboard/ttcvcontrbk.cat and let’s take a look at a signature:

The Unsigned Drivers

HVDK Professional comes with an additional set of drivers that are identical to the signed drivers, except that we left them unsigned so that you can sign them yourself. This may be a good option for you if you need to ensure that your signature is used, due to end-user installation and security requirements.

Signing the Drivers

Use Microsoft’s SignTool utility which is included in the Windows SDK.

https://docs.microsoft.com/en-us/windows/win32/seccrypto/signtool

You’ll need to specify your timestamp server, certificate password, the cross-signing certificate .cer, certificate .pfx and path to the file to be signed. You’ll need to sign the following three files per driver:

  • ttcvcontrkb.cat
  • ttcvcontrkb.dll
  • ttcvcontrollershim.sys

signtool.exe sign /v /p yourcertpassord /ac "yourcrosssigncert.cer" /f "yourcert.pfx" /tr http://timestamp.comodoca.com/rfc3161 "c:\drivers\kb\ttcvcontrkb.cat"

signtool.exe sign /v /p yourcertpassord /ac "yourcrosssigncert.cer" /f "yourcert.pfx" /tr http://timestamp.comodoca.com/rfc3161 "c:\drivers\kb\ttcvcontrkb.dll"

signtool.exe sign /v /p yourcertpassord /ac "yourcrosssigncert.cer" /f "yourcert.pfx" /tr http://timestamp.comodoca.com/rfc3161 "c:\drivers\kb\ttcvcontrollershim.sys"

Once the drivers are signed, they are ready to install.