Skip to main content

Sign hardware drivers to the HLK and HCK standard using KSP library

The Windows Hardware Lab Kit (Windows HLK) is a test framework used to test hardware devices and drivers for Windows 10, Windows 11, and all versions of Windows Server starting with Windows Server 2016. To qualify for the Windows Hardware Compatibility Program, your product must pass certain tests using the Windows HLK.

When testing older versions of Windows mentioned to be used for HLK above, use the older framework, the Windows Hardware Certificate Kit (Windows HCK).

Considerations

To load or run any of Windows’s devices, Microsoft requires digital signatures on all device driver packages. DigiCert supports signing with both new (HLK packages) and old (HCK packages) via the DigiCert​​®​​ Software Trust Manager KSP library.

Dica

Alternatively, HLK studio can be used for HLK signing, however it has limitations.

  • HLK studio only supports the unsafe and vulnerable SHA1 digest algorithm.

  • DigiCert​​®​​ Software Trust Manager KSP library supports the SHA-256 digest algorithm, which is significantly more secure.

Prerequisites

Sign

To sign the HLK packages, use the command:

C:\> hlk.exe sign --cert-sha1-fp <sha1 fingerprint> --digest-alg "http://www.w3.org/2001/04/xmlenc#sha256" --file x5-2-qa-2-uefi30110000-32G.hlkx
  • To sign the HLK packages, use the command:

    Nota

    The <sha1 fingerprint> parameter is the SHA1 fingerprint of the certificate synced to the local Windows certificate store using the smctl or smksp_cert_sync.exe command.

    Nota

    “http://www.w3.org/2001/04/xmlenc#sha256” is the constant used to signify the SHA-256 digest algorithm to use. The –digest-alg “http://www.w3.org/2001/04/xmlenc#sha256” parameter is optional.

Troubleshooting

No verb selected

Description

This occurs when your command does not specify a verb after hlk.exe.

Solution

Specify one of the following verbs:

Verbs

Description

sign

Sign HLK file.

verify

Verify signed HLK file.

help

Display more information on a specific command.

version

Display version information.

Required option 'file' is missing

Description

This error occurs when your command does not specify a required parameter.

Solution

Specify one of the following parameters:

Parameter

Description

–cert-sha1-fp

Certificate SHA1 fingerprint

–cert-file

Certificate file.

–digest-alg

Digest algorithm.

–file

HLK file (required).

–help

Display the help screen.

–version

Display version information.