Sign hardware drivers to the HLK and HCK standard

The Windows Hardware Lab Kit (Windows HLK) is a test framework used to test hardware devices and drivers for Windows 10, Windows 11, and all versions of Windows Server starting with Windows Server 2016. To qualify for the Windows Hardware Compatibility Program, your product must pass certain tests using the Windows HLK.

When testing older versions of Windows mentioned to be used for HLK above, use the older framework, the Windows Hardware Certificate Kit (Windows HCK).

Considerations

To load or run any of Windows’s devices, Microsoft requires digital signatures on all device driver packages. DigiCert supports signing with both new (HLK packages) and old (HCK packages) via the DigiCert® Software Trust Manager KSP library.

Sugerencia

Alternatively, HLK studio can be used for HLK signing, however it has limitations.

HLK studio only supports the unsafe and vulnerable SHA1 digest algorithm.
DigiCert® Software Trust Manager KSP library supports the SHA-256 digest algorithm, which is significantly more secure.

Prerequisites

Windows operating system
Download and configure Software Trust Manager clients
Configure KSP library
Configure your credentials
Certificate fingerprint

Sign

To sign the HLK packages, use the command:

C:\> hlk.exe sign --cert-sha1-fp <sha1 fingerprint> --digest-alg "http://www.w3.org/2001/04/xmlenc#sha256" --file x5-2-qa-2-uefi30110000-32G.hlkx

To sign the HLK packages, use the command:
Nota
The <sha1 fingerprint> parameter is the SHA1 fingerprint of the certificate synced to the local Windows certificate store using the smctl or smksp_cert_sync.exe command.
Nota
“http://www.w3.org/2001/04/xmlenc#sha256” is the constant used to signify the SHA-256 digest algorithm to use. The –digest-alg “http://www.w3.org/2001/04/xmlenc#sha256” parameter is optional.

Troubleshooting

No verb selected

Description

This occurs when your command does not specify a verb after hlk.exe.

Solution

Specify one of the following verbs:

Verbs	Description
sign	Sign HLK file.
verify	Verify signed HLK file.
help	Display more information on a specific command.
version	Display version information.

Required option 'file' is missing

Description

This error occurs when your command does not specify a required parameter.

Solution

Specify one of the following parameters:

Parameter	Description
–cert-sha1-fp	Certificate SHA1 fingerprint
–cert-file	Certificate file.
–digest-alg	Digest algorithm.
–file	HLK file (required).
–help	Display the help screen.
–version	Display version information.

En esta sección: