Sign hardware drivers to the HLK and HCK standard using KSP library
The Windows Hardware Lab Kit (Windows HLK) is a test framework used to test hardware devices and drivers for Windows 10, Windows 11, and all versions of Windows Server starting with Windows Server 2016. To qualify for the Windows Hardware Compatibility Program, your product must pass certain tests using the Windows HLK.
When testing older versions of Windows mentioned to be used for HLK above, use the older framework, the Windows Hardware Certificate Kit (Windows HCK).
Considerations
To load or run any of Windows’s devices, Microsoft requires digital signatures on all device driver packages. DigiCert supports signing with both new (HLK packages) and old (HCK packages) via the DigiCert® Software Trust Manager KSP library.
Dica
Alternatively, HLK studio can be used for HLK signing, however it has limitations.
HLK studio only supports the unsafe and vulnerable SHA1 digest algorithm.
DigiCert® Software Trust Manager KSP library supports the SHA-256 digest algorithm, which is significantly more secure.
Prerequisites
Windows operating system
Download and configure Software Trust Manager clients
Certificate fingerprint
Sign
To sign the HLK packages, use the command:
C:\> hlk.exe sign --cert-sha1-fp <sha1 fingerprint> --digest-alg "http://www.w3.org/2001/04/xmlenc#sha256" --file x5-2-qa-2-uefi30110000-32G.hlkx
To sign the HLK packages, use the command:
Nota
The
<sha1 fingerprint>
parameter is the SHA1 fingerprint of the certificate synced to the local Windows certificate store using the smctl or smksp_cert_sync.exe command.Nota
“http://www.w3.org/2001/04/xmlenc#sha256” is the constant used to signify the SHA-256 digest algorithm to use. The –digest-alg “http://www.w3.org/2001/04/xmlenc#sha256” parameter is optional.
Troubleshooting
No verb selected
Description
This occurs when your command does not specify a verb after hlk.exe.
Solution
Specify one of the following verbs:
Verbs | Description |
---|---|
sign | Sign HLK file. |
verify | Verify signed HLK file. |
help | Display more information on a specific command. |
version | Display version information. |
Required option 'file' is missing
Description
This error occurs when your command does not specify a required parameter.
Solution
Specify one of the following parameters:
Parameter | Description |
---|---|
–cert-sha1-fp | Certificate SHA1 fingerprint |
–cert-file | Certificate file. |
–digest-alg | Digest algorithm. |
–file | HLK file (required). |
–help | Display the help screen. |
–version | Display version information. |