258 | | === Creating and signing the catalog file === |
259 | | |
260 | | In order to sign the TAP-driver, you need to do three things: |
261 | | |
262 | | * Build OpenVPN and the TAP-driver |
263 | | * Create a catalog definition (.cdf) file with a text editor |
264 | | * Create a catalog file (.cat) from the .cdf with [http://msdn.microsoft.com/en-us/library/aa386967%28v=vs.85%29.aspx MakeCat.exe] |
265 | | * Sign the catalog file (.cat) with [http://msdn.microsoft.com/en-us/library/8s9b9yaz%28v=vs.80%29.aspx Signtool.exe] |
266 | | |
267 | | After building OpenVPN and TAP-drivers go to ''<openvpn-sources>/dist/amd64''. There you'll find ''tap0901.sys'' and ''OemWin2k.inf'' files. Create a catalog definition file (e.g. ''tap.cdf'') that look like this: |
| 258 | === Creating the catalog file using makecat === |
| 259 | |
| 260 | There are two ways to create the catalog file that contains hashes of the TAP-driver files. It is this ''catalog'' file that is signed and verified by Windows kernel. The first option is to create a catalog definition file (.cdf) with a text editor and generate the real catalog file from it using [http://msdn.microsoft.com/en-us/library/aa386967%28v=vs.85%29.aspx MakeCat.exe]. The problem with this approach is that ''makecat'' does not warn about errors in the .cdf file. This results in everything looking just fine, but failing when loading the driver into the kernel. |
| 261 | |
| 262 | Nevertheless, if you want to try this approach, go to ''<openvpn-sources>/dist/amd64'' after building There you'll find ''tap0901.sys'' and ''OemWin2k.inf'' files. Create a catalog definition file (e.g. ''tap.cdf'') with a text editor; it contents should be ''similar'' to the one below: |
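Review bot: new line 262 breaks off mid-sentence at "after building There you'll find". The old line 267 read "After building OpenVPN and TAP-drivers go to", and the rewrite drops both the object and the full stop. "it contents" in the same line should be "its contents". The removed step list was also the only place in this hunk that named building OpenVPN and the TAP-driver as a prerequisite, so restoring "after building OpenVPN and the TAP-driver." keeps it visible. Line 260 warns that makecat does not report .cdf errors and that the failure only shows when the driver is loaded, while line 262 describes the sample only as "similar". It would help to state which parts of the sample a reader has to adapt, since a mistake there is silent. In line 260, "verified by Windows kernel" needs an article ("the Windows kernel").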
| 282 | |
| 283 | === Creating the catalog file using inf2cat === |
| 284 | |
| 285 | [http://msdn.microsoft.com/en-us/library/ff547089%28v=vs.85%29.aspx Inf2Cat.exe] is a tool used to generate an unsigned catalog file from driver's INF file. It should be more easier to use than ''makecat'', as it can automatically generate a .cat file with correct syntax. This tool is included in the ''Windows Driver Kit'', which you have to install. Use it like this: |
| 286 | |
| 287 | {{{ |
| 288 | cd C:\WINDDK\\7600.16385.1\bin\selfsign |
| 289 | Inf2Cat.exe /driver:<openvpn-sources>\dist\i386 /os:XP_X86 |
| 290 | Inf2Cat.exe /driver:<openvpn-sources>\dist\amd64 /os:Vista_X64 |
| 291 | }}} |
| 292 | |
| 293 | Where <openvpn-sources> is something like ''C:\openvpn-build\openvpn-macbook''. |
| 294 | |
| 295 | === Signing the catalog file === |
| 296 | |
| 297 | * Sign the catalog file (.cat) with [http://msdn.microsoft.com/en-us/library/8s9b9yaz%28v=vs.80%29.aspx Signtool.exe] |
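Review bot: the path in new line 288, "cd C:\WINDDK\\7600.16385.1\bin\selfsign", has a doubled backslash after WINDDK that looks like a typo; a single backslash matches the rest of the path. In line 285, "should be more easier" should read "should be easier". That line also says Inf2Cat works from the driver's INF file, while both commands in lines 289 and 290 pass a directory to /driver:, so say that the directory must contain the INF. The new "Signing the catalog file" section at lines 295 to 297 consists only of the bullet moved from the old step list, with no Signtool command line. The page now describes two ways to produce an unsigned .cat but not how to sign it, so either add the command or mark the section as unfinished.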