How to validate the Microsoft signature

This article shows you how to validate the Microsoft signature for a submission.

There are a couple cases where you might want to validate the Microsoft signature for a submission:

• You aren't sure if a driver is Microsoft signed or not, and you want to check.
• You have two drivers. You need to determine which one is attestation signed and which one is signed after submission of HLK/HCK results to the dashboard.

Step 1: Download signed driver files

Download the signed files you need to validate the Microsoft signature.

To download the driver signed files:

1. Find the hardware submission that contains the drivers that you want to download signed files for.
2. Select the Private Product ID to open the driver details.
3. On the driver details page, under Packages and signing properties, select More.
4. Select Download signed files.

Step 2: Check the Enhanced Key Usage (EKU)

Once you download the signed files, validate the Microsoft signature by checking the EKU. The EKU belongs to the certificate that Microsoft uses to sign the submission.

To check the EKU:

1. Right-click the .cat file.

2. Select Properties, and then select the Digital Signatures tab.

3. Select the name of the certificate, and then select Details.

4. On the Details tab, select Enhanced Key Usage. There, see the EKUs and corresponding object identifier (OID) values for the certificate. In this case, the Windows Hardware Driver Verification OID ends with a 5, which means that driver isn't attestation signed:

   

5. If the driver is attestation signed, the OID ends with a 1: