Skip to content

Updated signing guidance for integritycheck binaries #3094

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Apr 21, 2021
Merged

Updated signing guidance for integritycheck binaries #3094

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2235f32
Updated signing guidance for integritycheck binaries
jgeurten Apr 19, 2021
4a12ee0
Rewrite for style and voice.
Apr 21, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 16 additions & 19 deletions docs/build/reference/integritycheck-require-signature-check.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,39 +1,36 @@
---
description: "Learn more about: /INTEGRITYCHECK (Require Signature Check)"
title: "/INTEGRITYCHECK (Require Signature Check)"
ms.date: "11/04/2016"
ms.assetid: 9e738825-2c98-40cd-8ad2-5d0d9c14893e
description: "Learn more about: /INTEGRITYCHECK (Require signature check)"
title: "/INTEGRITYCHECK (Require signature check)"
ms.date: 04/21/2021
---
# /INTEGRITYCHECK (Require Signature Check)
# `/INTEGRITYCHECK` (Require signature check)

Specifies that the digital signature of the binary image must be checked at load time.

```
/INTEGRITYCHECK[:NO]
```
> **`/INTEGRITYCHECK`**[**`:NO`**]

## Remarks

By default, **/INTEGRITYCHECK** is off.
By default, **`/INTEGRITYCHECK`** is off.

The **/INTEGRITYCHECK** option setsin the PE header of the DLL file or executable file—a flag for the memory manager to check for a digital signature in order to load the image in Windows. This option must be set for both 32-bit and 64-bit DLLs that implement kernel-mode code loaded by certain Windows features, and is recommended for all device drivers on Windows Vista, Windows 7, Windows 8, Windows Server 2008, and Windows Server 2012. Versions of Windows prior to Windows Vista ignore this flag. For more information, see [Forced Integrity Signing of Portable Executable (PE) files](https://social.technet.microsoft.com/wiki/contents/articles/255.forced-integrity-signing-of-portable-executable-pe-files.aspx).
The **`/INTEGRITYCHECK`** linker option sets a flag, `IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY`, in the PE header of the DLL file or executable file. This flag tells the memory manager to check for a digital signature in order to load the image in Windows. This option must be set for both 32-bit and 64-bit DLLs that implement kernel-mode code loaded by certain Windows features. It's recommended for all device drivers on Windows Vista, Windows Server 2008, and all later versions of Windows and Windows Server. Versions of Windows prior to Windows Vista ignore this flag. For more information, see [Forced Integrity Signing of Portable Executable (PE) files](https://social.technet.microsoft.com/wiki/contents/articles/255.forced-integrity-signing-of-portable-executable-pe-files.aspx).

### To set this linker option in Visual Studio
### Signing `/INTEGRITYCHECK` files

1. Open the project **Property Pages** dialog box. For more information, see [Set C++ compiler and build properties in Visual Studio](../working-with-project-properties.md).
Microsoft has new signing guidance for DLL and executable files linked by using **`/INTEGRITYCHECK`**. The guidance used to recommend a cross-signed certificate from the [cross-signing program](/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing). However, the [cross-signing program is now deprecated](/windows-hardware/drivers/install/deprecation-of-software-publisher-certificates-and-commercial-release-certificates). We recommend you sign your **`/INTEGRITYCHECK`** files by using the Microsoft [Azure Code Signing](https://techcommunity.microsoft.com/t5/video-hub/reduce-developer-friction-with-azure-code-signing/m-p/1698637) program instead.

1. Expand the **Configuration Properties** node.
### To set this linker option in Visual Studio

1. Expand the **Linker** node.
1. Open the project **Property Pages** dialog box. For more information, see [Set C++ compiler and build properties in Visual Studio](../working-with-project-properties.md).

1. Select the **Command Line** property page.
1. Select the **Configuration Properties** > **Linker** > **Command Line** property page.

1. In **Additional Options**, enter `/INTEGRITYCHECK` or `/INTEGRITYCHECK:NO`.
1. In **Additional Options**, enter *`/INTEGRITYCHECK`* or *`/INTEGRITYCHECK:NO`*. Choose **OK** to save your changes.

## See also

[MSVC linker reference](linking.md)<br/>
[MSVC Linker Options](linker-options.md)<br/>
[Forced Integrity Signing of Portable Executable (PE) files](https://social.technet.microsoft.com/wiki/contents/articles/255.forced-integrity-signing-of-portable-executable-pe-files.aspx)<br/>
[Kernel-Mode Code Signing Requirements](/windows-hardware/drivers/install/kernel-mode-code-signing-requirements--windows-vista-and-later-)<br/>
[MSVC linker options](linker-options.md)<br/>
[Forced integrity signing of portable executable (PE) files](https://social.technet.microsoft.com/wiki/contents/articles/255.forced-integrity-signing-of-portable-executable-pe-files.aspx)<br/>
[Kernel-mode code signing requirements](/windows-hardware/drivers/install/kernel-mode-code-signing-requirements--windows-vista-and-later-)<br/>
[AppInit DLLs and Secure Boot](/windows/win32/dlls/secure-boot-and-appinit-dlls)