microsoft · gurry · May 27, 2026 · Apr 27, 2026 · Apr 27, 2026 · Apr 27, 2026
diff --git a/crates/cargo-wdk/README.md b/crates/cargo-wdk/README.md
@@ -65,16 +65,17 @@ Usage: cargo wdk build [OPTIONS]
 Options:
       --profile <PROFILE>          Build artifacts with the specified profile
       --target-arch <TARGET_ARCH>  Build for the target architecture
+      --sign-mode <SIGN_MODE>      Driver signing mode [default: test] [possible values: off, test]
       --verify-signature           Verify the signature
       --sample                     Build sample class driver project
-  -h, --help                       Print help
+  -h, --help                       Print help (see more with '--help')
 
 Verbosity:
   -v, --verbose...  Increase logging verbosity
   -q, --quiet...    Decrease logging verbosity
 ```
 
-`build` takes a number of inputs specifying build profile (`dev` or `release`), target architecture (`amd64` or `arm64`), a flag enabling signature verification and a flag indicating a sample driver along with verbosity flags.
+`build` takes a number of inputs specifying build profile (`dev` or `release`), target architecture (`amd64` or `arm64`), the driver signing mode, a flag enabling signature verification and a flag indicating a sample driver along with verbosity flags.
 
 When the command completes the packaged driver artifacts are emitted at the path `target\<profile>\<project-name>-package`.
 
@@ -90,9 +91,14 @@ If you have a workspace with a mix of sample and non-sample driver projects, the
 
 #### Signing and Verification
 
-To sign driver artifacts `build` looks for a certificate called `WDRLocalTestCert` in a store called `WDRTestCertStore`. Make sure you place your signing certificate there with that name. If no certificate is found, `build` will automatically generate a new self-signed one and add it for you.
+The `--sign-mode` flag controls how driver artifacts are signed. It accepts the following values:
 
-If the `--verify-signature` flag is provided, the signatures are verified after signing. For verification to work, make sure you add a copy of the signing certificate in the `Trusted Root Certification Authorities` store. For security reasons `build` does not automatically do this even when it automatically generates the cert. You will have to always perform this step manually. 
+- `test` (default): Sign with an auto-generated self-signed certificate. `build` looks for a certificate called `WDRLocalTestCert` in a store called `WDRTestCertStore`. Make sure you place your signing certificate there with that name. If no certificate is found, `build` will automatically generate a new self-signed one and add it for you.
+- `off`: Skip signing entirely. No signing or signature verification steps are performed. This is useful when you intend to sign the driver later with your own toolchain (for example, HLK certification). Note that an unsigned driver cannot be installed on Windows without first enabling [test signing](https://learn.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option) or otherwise loading it through a signed mechanism.
+
+If the `--verify-signature` flag is provided, the signatures are verified after signing. For verification to work, make sure you add a copy of the signing certificate in the `Trusted Root Certification Authorities` store. For security reasons `build` does not automatically do this even when it automatically generates the cert. You will have to always perform this step manually.
+
+`--verify-signature` cannot be combined with `--sign-mode=off` because there is no signature to verify. Passing both will cause `build` to fail with an error.
 
 #### Examples
 
@@ -113,3 +119,9 @@ If the `--verify-signature` flag is provided, the signatures are verified after
     ```pwsh
     cargo wdk build --target-arch amd64
     ```
+
+- To build a driver project and skip signing (for example, to sign later with a production certificate), run:
+
+    ```pwsh
+    cargo wdk build --sign-mode off
+    ```
diff --git a/crates/cargo-wdk/src/actions/build/mod.rs b/crates/cargo-wdk/src/actions/build/mod.rs
@@ -22,6 +22,7 @@ use build_task::BuildTask;
 use cargo_metadata::{CrateType, Message, Metadata as CargoMetadata, Package, TargetKind};
 use error::BuildActionError;
 use mockall_double::double;
+pub use package_task::SignConfig;
 use package_task::{PackageTask, PackageTaskParams};
 use tracing::{debug, error as err, info, trace, warn};
 use wdk_build::{
@@ -37,7 +38,7 @@ pub struct BuildActionParams<'a> {
     pub working_dir: &'a Path,
     pub profile: Option<&'a Profile>,
     pub target_arch: Option<CpuArchitecture>,
-    pub verify_signature: bool,
+    pub sign_config: SignConfig,
     pub is_sample_class: bool,
     pub verbosity_level: clap_verbosity_flag::Verbosity,
 }
@@ -48,7 +49,7 @@ pub struct BuildAction<'a> {
     working_dir: PathBuf,
     profile: Option<&'a Profile>,
     target_arch: Option<CpuArchitecture>,
-    verify_signature: bool,
+    sign_config: SignConfig,
     is_sample_class: bool,
     verbosity_level: clap_verbosity_flag::Verbosity,
 
@@ -93,7 +94,7 @@ impl<'a> BuildAction<'a> {
             working_dir: absolute(params.working_dir)?,
             profile: params.profile,
             target_arch: params.target_arch,
-            verify_signature: params.verify_signature,
+            sign_config: params.sign_config,
             is_sample_class: params.is_sample_class,
             verbosity_level: params.verbosity_level,
             wdk_build,
@@ -386,7 +387,7 @@ impl<'a> BuildAction<'a> {
                 working_dir,
                 target_dir: &target_dir,
                 target_arch: &target_arch,
-                verify_signature: self.verify_signature,
+                sign_config: self.sign_config,
                 sample_class: self.is_sample_class,
                 driver_model,
             },

diff --git a/crates/cargo-wdk/src/actions/build/package_task.rs b/crates/cargo-wdk/src/actions/build/package_task.rs
@@ -30,6 +30,20 @@ use windows::{
 use crate::providers::{exec::CommandExec, fs::Fs, wdk_build::WdkBuild};
 use crate::{actions::build::error::PackageTaskError, providers::error::FileError};
 
+/// Signing configuration.
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum SignConfig {
+    /// Skip certificate generation, signing, and signature verification
+    /// entirely.
+    Off,
+    /// Sign with an auto-generated self-signed certificate.
+    Test {
+        /// When `true`, run `signtool verify` on the signed driver binary and
+        /// catalog file after signing.
+        verify_signature: bool,
+    },
+}
+
 // FIXME: This range is inclusive of 25798. Update with range end after /sample
 // flag is added to InfVerif CLI
 const MISSING_SAMPLE_FLAG_WDK_BUILD_NUMBER_RANGE: RangeFrom<u32> = 25798..;
@@ -43,15 +57,15 @@ pub struct PackageTaskParams<'a> {
     pub working_dir: &'a Path,
     pub target_dir: &'a Path,
     pub target_arch: &'a CpuArchitecture,
-    pub verify_signature: bool,
+    pub sign_config: SignConfig,
     pub sample_class: bool,
     pub driver_model: DriverConfig,
 }
 
 /// Supports low level driver packaging operations
 pub struct PackageTask<'a> {
     package_name: String,
-    verify_signature: bool,
+    sign_config: SignConfig,
     sample_class: bool,
 
     // src paths
@@ -161,7 +175,7 @@ impl<'a> PackageTask<'a> {
 
         Self {
             package_name,
-            verify_signature: params.verify_signature,
+            sign_config: params.sign_config,
             sample_class: params.sample_class,
             src_inx_file_path,
             src_driver_binary_file_path,
@@ -236,6 +250,20 @@ impl<'a> PackageTask<'a> {
         self.copy(&self.src_map_file_path, &self.dest_map_file_path)?;
         self.run_stampinf()?;
         self.run_inf2cat()?;
+        self.run_infverif()?;
+        self.sign_and_verify()?;
+        Ok(())
+    }
+
+    /// Signs the driver binary and catalog file according to `self.sign_config`
+    /// and optionally verifies the resulting signatures. Returns a variant of
+    /// `PackageTaskError` if any step of the process fails.
+    fn sign_and_verify(&self) -> Result<(), PackageTaskError> {
+        let SignConfig::Test { verify_signature } = self.sign_config else {
+            info!("Sign mode is 'off'; skipping certificate generation, signing, and verification");
+            return Ok(());
+        };
+
         self.generate_certificate()?;
         self.copy(&self.src_cert_file_path, &self.dest_cert_file_path)?;
         self.run_signtool_sign(
@@ -248,13 +276,13 @@ impl<'a> PackageTask<'a> {
             WDR_TEST_CERT_STORE,
             WDR_LOCAL_TEST_CERT,
         )?;
-        self.run_infverif()?;
-        // Verify signatures only when --verify-signature flag = true is passed
-        if self.verify_signature {
+
+        if verify_signature {
             info!("Verifying signatures for driver binary and cat file using signtool");
             self.run_signtool_verify(&self.dest_driver_binary_path)?;
             self.run_signtool_verify(&self.dest_cat_file_path)?;
         }
+
         Ok(())
     }
 
@@ -635,7 +663,9 @@ mod tests {
             target_arch: &arch,
             driver_model: DriverConfig::Kmdf(KmdfConfig::default()),
             sample_class: false,
-            verify_signature: false,
+            sign_config: SignConfig::Test {
+                verify_signature: false,
+            },
         };
         let dest_root = target_dir.join(format!("{package_name}_package"));
 
@@ -644,7 +674,12 @@ mod tests {
         let fs = Fs::default();
         let task = PackageTask::new(package_task_params, &wdk_build, &command_exec, &fs);
         assert_eq!(task.package_name, package_name.replace('-', "_"));
-        assert!(!task.verify_signature);
+        assert_eq!(
+            task.sign_config,
+            SignConfig::Test {
+                verify_signature: false,
+            }
+        );
         assert!(!task.sample_class);
         assert_eq!(task.src_inx_file_path, working_dir.join("test_package.inx"));
         assert_eq!(
@@ -698,7 +733,9 @@ mod tests {
             target_arch: &arch,
             driver_model: DriverConfig::Kmdf(KmdfConfig::default()),
             sample_class: false,
-            verify_signature: false,
+            sign_config: SignConfig::Test {
+                verify_signature: false,
+            },
         };
 
         let command_exec = CommandExec::default();
@@ -724,7 +761,9 @@ mod tests {
             target_arch: &arch,
             driver_model: DriverConfig::Kmdf(KmdfConfig::default()),
             sample_class: false,
-            verify_signature: false,
+            sign_config: SignConfig::Test {
+                verify_signature: false,
+            },
         };
 
         let command_exec = CommandExec::default();
@@ -759,7 +798,9 @@ mod tests {
                         target_arch: &arch,
                         driver_model: DriverConfig::Kmdf(KmdfConfig::default()),
                         sample_class: false,
-                        verify_signature: false,
+                        sign_config: SignConfig::Test {
+                            verify_signature: false,
+                        },
                     };
 
                     let wdk_build = WdkBuild::default();