Changes between Version 12 and Version 13 of BuildingTapWindows6

Timestamp:

04/22/16 15:05:53 (8 years ago)

Author:

Samuli Seppänen

Comment:

--

BuildingTapWindows6

@@ -95 +95 @@
 Examples:
 {{{
-signtool.exe sign /v /ac digicert-cross-cert.crt /t http://timestamp.digicert.com /f kernel-mode.pfx /p <pfx-password> tap6/amd64/tap0901.cat
-signtool.exe sign /v /ac digicert-cross-cert.crt /t http://timestamp.digicert.com /s My -n <subjectname> tap6/amd64/tap0901.cat
+signtool.exe sign /v /s My /n OpenVPN /ac digicert-assured-id-ca-root.crt /t http://timestamp.digicert.com /fd SHA1 tap6/amd64/tap0901.cat
+signtool.exe sign /v /f digicert-sha1-codesigning.pfx /p <pfx-password> /ac digicert-assured-id-ca-root.crt /as /t http://timestamp.digicert.com /fd SHA1 tap6/amd64/tap0901.cat
+}}}
+Example of adding two signatures and timestamps (required signtool.exe from Windows Kit 10):
+{{{
+# Create primary (SHA1) signature (certificate in a pfx file)
+signtool.exe sign /v /f digicert-sha1-codesigning.pfx /p <pfx-password> /ac digicert-assured-id-ca-root.crt /fd SHA1 tap6/amd64/tap0901.cat
+signtool.exe timestamp /tr http://timestamp.digicert.com /td SHA1 /tp 1 tap6/amd64/tap0901.cat
+
+# Add secondary (SHA2) signature (certificate in the certificate store)
+signtool.exe sign /v /s My /n OpenVPN /ac digicert-extended-validation-ca-root.crt /as /fd SHA256 tap6/amd64/tap0901.cat
+signtool.exe timestamp /tr http://timestamp.digicert.com /td SHA256 /tp 1 tap6/amd64/tap0901.cat
 }}}
 
@@ -112 +122 @@
 signtool.exe verify /v /kp /c <drivername>.cat <drivername>.sys
 }}}
+
+Signatures can also be validated by looking at "File properties" of the ''tap0901.cat'' file. The publisher should show up correctly in some places (not necessarily all), there should be a timestamp counter-certificate, and an unbroken certification path should be present.
 
 == External links ==