Changes between Version 23 and Version 24 of BuildingTapWindows6


Ignore:
Timestamp:
04/19/18 08:58:37 (4 years ago)
Author:
Samuli Seppänen
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • BuildingTapWindows6

    v23 v24  
    77= Codesigning requirements =
    88
    9 Getting the [https://msdn.microsoft.com/en-us/library/windows/hardware/ff686697%28v=vs.85%29.aspx Authenticode signatures] right so that all Windows versions detect them can be quite tricky. This seems to be particularly true for kernel-mode driver packages. In practice tap-windows6 driver needs two signatures:
    10 
    11 1. Primary signature created with a normal (non-EV) SHA1 code-signing certificate. This is required by Windows Vista, which does not seem to understand SHA2 signatures at all, and which can apparently only handle one signature. Very outdated Windows 7 installations may have similar issues.
    12 1. Secondary signature created with an Extended Validation (EV) SHA2 code-signing certificate. An EV certificate is required on Windows 10 for kernel drivers.
    13 
    14 There are two additional requirements for both of these signatures:
     9Getting the [https://msdn.microsoft.com/en-us/library/windows/hardware/ff686697%28v=vs.85%29.aspx Authenticode signatures] right so that all Windows versions detect them can be quite tricky. This seems to be particularly true for kernel-mode driver packages. The Authenticode signatures have a few requirements:
    1510
    16111. The Certificate path needs to be complete. This can be achieved by including [https://msdn.microsoft.com/en-us/library/windows/hardware/dn170454%28v=vs.85%29.aspx cross-certificate of your CA] (e.g. Digicert) in the signed files. At least for Digicert non-EV and EV code-signing certificates have different CAs.
    17121. The signature needs to be timestamped, or the driver will stop functioning when the code-signing certificate expires.
    1813
    19 It is not clear if signtool's digest algorithm (/fd SHA|SHA256) affects the validity of the signature, or if the only important thing is the hash algorithm of the actual certificate. When the cross-certificates expires (in 5-15 years), an actual Microsoft signature is required in all drivers. This means that all drivers need to be submitted to Microsoft for signing (see links below for more information).
    20 
    21 Due to the above, the build environment for tap-windows6 needs to be setup just right:
    22 
    23 * Build computer should have WinDDK 7600.* installed, because currently buildtap.py does not work on anything newer. Build computer should have a SHA1 code-signing certificate in the certificate store under ''Currentuser\My''
     14It is not clear if signtool's digest algorithm (/fd SHA|SHA256) affects the acceptability of the signature, or if the only important thing is the hash algorithm of the actual certificate. When the cross-certificates expires (in 5-15 years), an actual Microsoft signature is required in all drivers. This means that all drivers need to be submitted to Microsoft for signing (see links below for more information).
     15
     16The build computer should have WinDDK 7600.* installed, because currently buildtap.py does not work on anything newer.
     17
     18== Supporting Windows Vista ==
     19
     20If the driver has to support Windows Vista or very old Windows 7 versions it has to have two signatures:
     21
     221. Primary signature created with a normal (non-EV) SHA1 code-signing certificate. The SHA1 signature needs to be the primary as Vista can apparently understand only one signature.
     231. Secondary signature created with an Extended Validation (EV) SHA2 code-signing certificate. An EV certificate is required on Windows 10 for kernel drivers.
     24
     25There are also further requirements due to the two signatures:
     26
     27* Build computer should have a SHA1 code-signing certificate in the certificate store under ''Currentuser\My'' or as a PFX file. The primary signature will be created by tap-windows6 build system.
    2428* Code-signing computer should have Windows Kit 10 installed: this kit includes a version of ''Signtool.exe'' which supports appending signatures to files. The SHA2 EV code-signing certificate needs to be visible in the certificate store under ''Currentuser\My''.
    2529
    26 = Signing process =
    27 
    28 The actual build/signing procedure is rather convoluted.
     30The actual build/signing procedure in this case is rather convoluted.
    2931
    3032'''On build computer'''
     
    3537
    3638{{{
    37 $ python buildtap.py -b --sign <certificate-options>
     39$ python buildtap.py -b --sign <certificate-options>
    3840}}}
    3941
     
    7274
    7375{{{
    74 $ tar -zcf tap6-dual-signed.tar.gz tap6
     76$ tar -zcf tap6-dual-signed.tar.gz tap6
    7577}}}
    7678
     
    8284
    8385{{{
    84 $ rm -rf dist tap6
     86$ rm -rf dist tap6
    8587$ tar -zxf tap6-dual-signed.tar.gz
    8688$ mv tap6 dist
     
    100102
    101103If this process sounds complicated, that's because it is. At some point would make sense to adapt buildtap.py to add both signatures automatically, which would simplify the process dramatically. However, that would require porting buildtap.py to Windows Kit 10, which would require a non-trivial amount of work.
     104
     105= Supporting Windows 7 and later =
     106
     107'''TODO'''
    102108
    103109= Useful commands =