Jennifer Stepler spent some time whiteboarding at the MVP summit about signing. She was explaining that there are two different kinds of signing in the Windows world: Device Installer signing and Code Security Signing. Here are her notes:
In search-engine-findable text:
- Device Installer signing: DMI [device management & installation] -> .cat file
  - Install time
  - 32 & 64-bit
  - Unsigned driver pop-up
    - Unsigned
    - Signed by untrusted cert
  - Signed-by pop-up: signed by trusted cert
  - Just [silently] install
    - Built in Windows build lab
    - WHQL logo signature
    - Trusted cert from trusted publisher
      - Example of trusted cert path: MS root -> Verisign -> ATI
- Code Security Signing (kernel-mode code signing)
  - 64-bit
  - Untrusted binary will not load
  - Signed with cert that roots to MS root authority
  - MS signs:
    - Windows build lab
    - WHQL
    - MS products
  - Cross-sign with trusted cert & MS cross-cert
  - CAT file (signed & loaded in CatDB) or the binaries
These notes resulted from about an hour of discussion, so they’re missing a lot of detail.
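To make the two checks in the notes concrete, here is an added PowerShell example (mine, not part of Jennifer's notes or any Microsoft tool) that inspects a driver package the way the two paths do: the install-time check looks at the signature on the .cat file and who it chains to, while the 64-bit load-time check asks whether the binary's signature chains, through a cross-certificate, to a Microsoft root. The package directory `C:\drivers\example` is a hypothetical path, `signtool.exe` is assumed to be on the PATH from a Windows SDK/WDK install, and the `-like '*Microsoft*'` test on the root subject is a rough heuristic; `signtool verify /kp` is the authoritative kernel-mode policy check.

```powershell
# Added example, not from the original notes.
# Assumes a driver package directory holding a .cat file and one or more .sys files,
# and signtool.exe (Windows SDK/WDK) on the PATH. The path below is hypothetical.
param(
    [string]$PackageDir = 'C:\drivers\example'
)

function Get-SignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    # Get-AuthenticodeSignature reports the embedded signature; a catalog-signed
    # file only shows as Valid once its .cat has been loaded into the CatDB.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $report = [ordered]@{
        File      = Split-Path $Path -Leaf
        Status    = $sig.Status          # Valid, NotSigned, UnknownError (untrusted chain), ...
        Signer    = $null
        Root      = $null
        RootsToMS = $false
    }

    if ($sig.SignerCertificate) {
        # Walk the chain ourselves so we can see where it terminates.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keeps this runnable offline; enable for real use
        [void]$chain.Build($sig.SignerCertificate)
        $last = $chain.ChainElements.Count - 1
        $root = $chain.ChainElements[$last].Certificate

        $report.Signer    = $sig.SignerCertificate.Subject
        $report.Root      = $root.Subject
        # Heuristic only: kernel-mode policy requires the chain to end at a Microsoft root
        # (reached via the MS cross-cert when the publisher cert roots elsewhere, e.g. Verisign).
        $report.RootsToMS = ($root.Subject -like '*Microsoft*')
    }
    [pscustomobject]$report
}

# Install-time view: the .cat file is what the device installer checks (32- and 64-bit).
$catalogs = Get-ChildItem -Path $PackageDir -Filter *.cat
$catalogs | ForEach-Object { Get-SignatureReport -Path $_.FullName } | Format-Table -AutoSize

# Binaries: meaningful on their own only when they are embedded-signed rather than
# covered by the catalog.
$binaries = Get-ChildItem -Path $PackageDir -Filter *.sys
$binaries | ForEach-Object { Get-SignatureReport -Path $_.FullName } | Format-Table -AutoSize

# Load-time view: signtool's kernel-mode policy (/kp) asks the 64-bit question directly,
# i.e. does the signature chain to a Microsoft root through a cross-certificate?
# When the driver is catalog-signed, pass the catalog with /c so signtool can find the hash.
foreach ($bin in $binaries) {
    if ($catalogs) {
        & signtool.exe verify /kp /v /c $catalogs[0].FullName $bin.FullName
    } else {
        & signtool.exe verify /kp /v $bin.FullName
    }
}
```

Run it against a package that is only signed with a publisher certificate (no cross-cert) and the first report will show a Valid signature rooted at the publisher's CA, which is enough for the install-time path, while `signtool verify /kp` fails, which is the 64-bit "untrusted binary will not load" case from the notes.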

