Changes between Version 75 and Version 76 of BuildingOnWindows

Timestamp:
03/17/11 16:59:37 (13 years ago)
Author:
Samuli Seppänen
Comment:

--

  • BuildingOnWindows

    v75 v76  
    184184 * [http://msdn.microsoft.com/en-us/library/ms235591%28v=vs.80%29.aspx Embed manifest files manually] to ''openvpn.exe'', ''openvpnserv.exe'', ''lzo2.dll'' and ''libpkcs11-helper-1.dll''. The purpose of the manifest file (whether embedded or not) is to declare the run-time dependencies of the EXE/DLL. This step is required because the NSI script is not configured to install external manifest files and a manifest file is needed for proper operation.
    185185
    186 All of this has been automated in OpenVPN 2.2-RC2 and later. In case you want to test new TAP-driver versions on Windows Vista/7 64-bit you need to self-sign them and jump through several hoops. For details, look at ''TAP-driver signing'' section.
     186All of this has been automated in OpenVPN 2.2-RC2 and later. In case you want to test new TAP-driver versions on Windows Vista/7 64-bit you need to self-sign them and jump through several hoops. For details, look below.
    187187
    188188OpenVPN installer is driven by the ''<openvpn-sources>\win\openvpn.nsi'' NSI script, which has to be loaded with the [http://nsis.sourceforge.net/Main_Page MakeNSIS] application to generate an installer. If the ''<openvpn-sources>\dist'' directory has been properly set up, you should not encounter any errors. However, if ''MakeNSIS'' complains about missing files, make sure the ''<openvpn-sources>\dist'' directory contains all of the packaging dependencies:
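Review bot: replacing "look at ''TAP-driver signing'' section" with "look below" on line 186 drops the name of the target section; since the heading is renamed in this same revision to "Using unverified TAP-drivers on 64-bit Windows", it would be more robust to name (or wiki-link) that new heading here so the pointer survives if more sections are added between this paragraph and the signing material.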
     
    219219If you wish to use Windows for OpenVPN development integrating Git with Visual Studio (2008) may make sense.
    220220
    221 = TAP-driver signing =
    222 
    223 The 64-bit versions of Windows Vista/7 (and later) only allow installing drivers with certificates that have Microsoft as CA. Or, in other words, drivers verified by Microsoft. Installation of unsigned nor unauthorized device drivers is not allowed by default. This is very problematic when testing the TAP-driver, as signing it after every small change makes no sense. Fortunately it ''is'' possible to self-sign the TAP-driver and configure Windows to accept self-signed (unauthorized) drivers. Several steps are required to make self-signed certificates work, all of which are described here briefly. However, to truly understand what's happening, read these two documents:
     221= Using unverified TAP-drivers on 64-bit Windows =
     222
     223The 64-bit versions of Windows Vista/7 (and later) only allow installing drivers with certificates that have Microsoft as CA. Or, in other words, drivers verified by Microsoft. Installation of unsigned nor unauthorized device drivers is not allowed by default. This is very problematic when testing the TAP-driver, as signing it after every small change makes no sense. Fortunately there are two ways to work around this:
     224
     225 * Self-sign the TAP-driver and configure Windows to accept self-signed (unauthorized) drivers.
     226 * Switch on ''Test mode'' during boot. This allows loading ''unsigned'' drivers.
     227
     228To get a good idea how this all works, read these two documents:
    224229
    225230 * [http://msdn.microsoft.com/en-us/windows/hardware/gg487332 Digital Signatures for Kernel Modules on Windows]
    226231 * [http://msdn.microsoft.com/en-us/library/ff546236%28v=vs.85%29.aspx How to Test-Sign a Driver Package]
    227232
    228 == Creating a test certificate on build computer ==
     233== Method 1: self-signing the TAP-drivers ==
     234
     235=== Creating a test certificate on build computer ===
    229236
    230237Creating a test certificate (and it's keystore) is easy if Visual Studio is is installed. Open the Visual Studio command-line and issue
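Review bot: the new bullet on line 226, "Switch on ''Test mode'' during boot. This allows loading ''unsigned'' drivers", contradicts line 300 of the same page, which says test mode "allows loading test-signed drivers"; the latter is the accurate description (test mode relaxes the Microsoft-CA requirement, it does not disable signature checking altogether), so suggest rewording the bullet to "This allows loading ''test-signed'' drivers" so readers do not expect an entirely unsigned build to load. Two carried-over typos in the unchanged context are worth fixing while the section is being rewritten: "unsigned nor unauthorized device drivers" on line 223 should read "unsigned or unauthorized", and line 237 has "it's keystore" (should be "its") and "is is installed".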
     
    236243For details on the syntax see [http://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.80).aspx Makecert.exe reference]; for higher-level details look [http://msdn.microsoft.com/en-us/windows/hardware/gg487332 here].
    237244
    238 == Installing the test certificate to build and target computers ==
     245=== Installing the test certificate to build and target computers ===
    239246
    240247Both build and target computers need to have the test certificate in their keystores. The ''build computer'' needs it for signing the driver catalog with ''signtool.exe''. The ''target computer'', on the other hand, needs to have the certificate installed or it won't trust the driver and won't allow loading it to the kernel.
     
    249256You can also launch ''certmgr.exe'' without parameters and use the certificate import wizard. Although usage of ''certmgr.exe'' is straightforward, it is included (only?) in the massive [http://www.microsoft.com/downloads/en/details.aspx?FamilyID=71deb800-c591-4f97-a900-bea146e4fae1&displaylang=en Microsoft Windows SDK for Windows 7 and .NET Framework 3.5 SP1] package, which you need to install.
    250257
    251 == Creating and signing the catalog file ==
     258=== Creating and signing the catalog file ===
    252259
    253260In order to sign the TAP-driver, you need to do three things:
     
    289296If you want, repeat this process for 32-bit version of the TAP-driver starting from ''<openvpn-sources>/dist/i386''.
    290297
    291 == Enabling test mode on target computer ==
     298== Appoach 2: Enabling test mode on target computer ==
    292299
    293300Test mode ''boot setting'' allows loading test-signed drivers to the Windows kernel. It can be enabled with ''bcdedit.exe'':
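Review bot: the heading on line 298 has a typo ("Appoach") and is inconsistent with the naming introduced on line 233 ("Method 1: self-signing the TAP-drivers"); suggest "== Method 2: Enabling test mode on target computer ==". Since test mode lowers driver-signature enforcement for the whole target machine rather than for one driver, this section would also benefit from a sentence saying it is meant for the test target only and showing how to switch the boot setting back off with ''bcdedit.exe'' once testing is done.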