司机必须交叉签字。创建自己的CA并将其添加到机器存储将不够，因为新创建的CA将不被Windows信任链信任。

Driver Signing Requirements for Windows

In Windows Vista and Windows Server 2008,new features take advantage of code-signing technologies,and new requirements for security in the operating system enforce the use of digital signatures for some kinds of code.

Components must be signed by a certificate that Windows “trusts” as described in the white papers on this site.

提到的白皮书之一是Digital Signatures for Kernel Modules on Windows
，描述了加载过程，并解释了为什么自签名不足够：

When a driver is loaded into kernel memory,Windows Vista verifies the digital signature of the driver image file. Depending on the type of driver,this can be either the signed hash value in the catalog file or an embedded signature in the image file itself. The cross-certificates that are used when signing the kernel driver package are used for the load-time signature verification; each certificate in the path is checked up to a trusted root in the kernel. The load-time signature check does not have access to the Trusted Root Certificate Authorities certificate store. Instead,it must depend on the root authorities that are built into the Windows Vista kernel.

如前所述，这也在Requirements for Device Driver Signing and Staging页面上概述：

The 64-bit versions of Windows 7 and Windows Server 2008 R2 have special signature requirements for kernel mode device drivers. If you use a 64-bit version of Windows,then you cannot create your own certificate for signing. Instead,you must use a Software Publishing Certificate that chains to an approved certification authority (CA).

用于签名内核模式驱动程序的有效CA可以在以下页面找到：

Cross-Certificates for Kernel Mode Code Signing