Changes between Version 32 and Version 33 of BuildingTapWindows6
Timestamp: 04/05/19 07:52:56 (5 years ago)
BuildingTapWindows6
v32 v33 12 12 1. The signature needs to be timestamped, or the driver will stop functioning when the code-signing certificate expires. 13 13 14 It is not clear if signtool's digest algorithm (/fd SHA|SHA256) affects the acceptability of the signature , or if the only important thing is the hash algorithm of the actual certificate. When the cross-certificates expires (in 5-15 years), an actual Microsoft signature is required in all drivers. This means that all drivers need to be submitted to Microsoft for signing (see links below for more information).14 It is not clear if signtool's digest algorithm (/fd SHA|SHA256) affects the acceptability of the signature in Windows 7 and beyond, or if the only important thing is the hash algorithm of the actual certificate. 15 15 16 The build computer should have WinDDK 7600.* installed, because currently buildtap.py does not work on anything newer.16 Cross-signing is possible for Windows 7/8/8.1/Server 2012r2 as long as the certification authority's cross-certificate is valid. Beyond that point an actual Microsoft signature is required in all drivers. Windows 10 already requires these Microsoft signatures - they're called [https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release attestation signatures] in MS jargon. These signatures can be created in [https://developer.microsoft.com/en-us/windows Windows Dev Center] once you've cleared all the bureaucratic obstacles like signing in to development programs and registering your EV hardware token with your account. 17 17 18 18 = Building with support for Windows Vista = 19 19 20 If the driver has to support Windows Vista or very old Windows 7 versions it has to have two signatures: 20 **NOTE:** It is generally a bad idea to support Windows Vista. But if you must, please look [wiki:SigningForWindowsVista here]. 21 21 22 1. Primary signature created with a normal (non-EV) SHA1 code-signing certificate. 
The SHA1 signature needs to be the primary as Vista can apparently understand only one signature. 23 1. Secondary signature created with an Extended Validation (EV) SHA2 code-signing certificate. An EV certificate is required on Windows 10 for kernel drivers. 22 = Building and signing for Windows 7/8/8.1/Server 2012r2 = 24 23 25 There are also further requirements due to the two signatures: 24 Any relatively recent Windows 7 installation supports SHA2 Authenticode signatures. This means that the laborious and fragile [wiki:SigningForWindowsVista dual-signature process] can be avoided. You only need the EV SHA2 kernel-mode code-signing certificate, which probably comes in the form of a dongle that integrates with Windows certificate store. The tap-windows6 ''installer'' may optionally signed with a different, non-EV SHA2 code-signing certificate. 26 25 27 * Build computer should have a SHA1 code-signing certificate in the certificate store under ''Currentuser\My'' or as a PFX file. The primary signature will be created by tap-windows6 build system. 28 * Code-signing computer should have Windows Kit 10 installed: this kit includes a version of ''Signtool.exe'' which supports appending signatures to files. The SHA2 EV code-signing certificate needs to be visible in the certificate store under ''Currentuser\My''. 26 The prequisites for cross-signing: 29 27 30 The actual build/signing procedure in this case is rather convoluted. 
28 * On build computer 29 * [https://github.com/OpenVPN/tap-windows6 tap-windows6] source directory is up-to-date 30 * [https://docs.microsoft.com/en-us/windows-hardware/drivers/develop/using-the-enterprise-wdk Enterprise Windows Drive Kit] ISO image is installed and mounted as a system drive 31 * tap-windows6 build system is configured properly (mostly file paths) 32 * A user- or kernel mode authenticode certificate is present for signing the tap-windows6 ''installer'' 33 * On signing computer 34 * An EV token is visible in the Windows Certificate Store 35 * [https://github.com/mattock/sign-tap6 Sign-Tap6] source directory is up-to-date 36 * A correct cross-certificate from your CA is installed into the sign-tap6 directory 37 * Sign-Tap6 is configured properly 38 * Your workstation 39 * You are able to transfer files (e.g. via SSH) from and to the build and signing computers 40 41 It is also assumed that all Windows commands are executed from within a Powershell session. 42 The signing process is as follows 31 43 32 44 '''On build computer''' 33 45 34 Copy your kernel-mode SHA1 code-signing certificate and the intermediate cross-signing certificate to the ''tap-windows6'' directory. 46 {{{ 47 $ cd tap-windows6 48 $ python buildtap.py -c -b 49 }}} 35 50 36 Run ''buildtap.py'' to build and to sign with SHA1 51 '''On workstation''' 52 53 Copy the tap6.tar.gz from the build computer to the signing computer. 54 55 '''On signing computer''' 37 56 38 57 {{{ 39 $ python buildtap.py -b --sign <certificate-options> 58 $ cd sign-tap6 59 $ tar -zxf tap6.tar.gz 60 $ Sign-Tap6.ps1 -SourceDir tap6 -Force 61 $ Move-Item tap6 tap6-signed 62 $ tar -zcf tap6-signed.tar.gz tap6-signed 40 63 }}} 41 64 42 '''NOTE:''' using the "-c" switch will wipe out any pre-built tapinstall.exe's in the ''tapinstall'' directory, so be careful with it. 65 The EV dongle will probably prompt you twice per architecture (x86, x64, arm64) as it signs the catalog file and tapinstall.exe for each. 
Note that the -Force switch ''is required'' or the file hashes in the .cat files will be incorrect and the driver will not install. 43 66 44 Copy the following files to the ''code-signing computer'': 67 '''On workstation''' 45 68 46 * tap6.tar.gz 47 * 32-bit tapinstall.exe (renamed to tapinstall32.exe) 48 * 64-bit tapinstall.exe (renamed to tapinstall64.exe) 49 50 '''On code-signing computer''' 51 52 Clone the [https://github.com/mattock/sign-tap6/ Sign-Tap6] repository. Ensure your SHA2 EV code-signing certificate is visible in the Windows certificate store, and copy the matching cross-certificate to the sign-tap6 directory. All commands except the actual signing should be done from Git Bash or similar. 53 54 Copy ''tap6.tar.gz'' to the ''sign-tap6'' directory and extract it: 55 56 {{{ 57 $ tar -zxf tap6.tar.gz 58 }}} 59 60 Copy tapinstall.exe's to the ''tap6'' directory: 61 62 {{{ 63 $ cp tapinstall32.exe tap6/i386/tapinstall.exe 64 $ cp tapinstall64.exe tap6/amd64/tapinstall.exe 65 }}} 66 67 Next append secondary signatures with ''Sign-Tap6.ps1'' in an ''administrator Powershell session''. For example: 68 69 {{{ 70 $ Sign-Tap6.ps1 -SourceDir tap6 -Append 71 }}} 72 73 Now wrap the dual-signed files into a tarball (e.g. using Git Bash): 74 75 {{{ 76 $ tar -zcf tap6-dual-signed.tar.gz tap6 77 }}} 78 79 Copy the dual-signed tarball back to the ''build computer''. 69 Copy tap6-signed.tar.gz from signing computer to the build computer for packaging. 80 70 81 71 '''On build computer''' 82 83 Extract contents of ''tap6-dual-signed.tar.gz'' to the ''tap-windows6'' directory:84 85 {{{86 $ rm -rf dist tap687 $ tar -zxf tap6-dual-signed.tar.gz88 $ mv tap6 dist89 }}}90 91 Next you will need to run ''buildtap.py'' using the same parameters as before, except that you must not ''clean'' (-c) or ''build'' (-b). You should only ''package'' (-p) the dist directory into an installer. 
If you have a user-mode ''SHA2'' certificate available on the ''build computer'', then it is easiest to sign with that, e.g.92 93 {{{94 $ python buildtap.py -p --sign --certfile=<my-sha2-certificate> --certpw=<password> --crosscert=<my-cross-cert> --timestamp=http://timestamp.digicert.com --ti=tapinstall95 }}}96 97 Alternatively copy the installer produced by ''buildtap.py'' to the ''code-signing computer'' for the additional signature, as described below.98 99 '''On code-signing computer'''100 101 Append a signature to the tap-windows-<versio>-<buildnum>.exe using ''Sign-Tap6.ps1''. Make sure you use the EV SHA2 certificate. Right now this process has not been automated, but the command-line is fairly easy to construct manually by looking at [https://github.com/mattock/sign-tap6/ Sign-Tap6.ps1].102 103 If this process sounds complicated, that's because it is. At some point would make sense to adapt buildtap.py to add both signatures automatically, which would simplify the process dramatically. However, that would require porting buildtap.py to Windows Kit 10, which would require a non-trivial amount of work.104 105 = Building for Windows 7 and later =106 107 Any relatively recent Windows 7 installation supports SHA2 Authenticode signatures. This means that the laborious and fragile dual-signature process can be avoided. You only need the EV SHA2 kernel-mode code-signing certificate, which probably comes in the form of a dongle that integrates with Windows certificate store. The tap-windows6 ''installer'' may optionally signed with a different, non-EV SHA2 code-signing certificate.108 109 The build process is somewhat easier than with dual signatures. 
There are only a couple small differences:110 111 * buildtap.py should not use the --sign switch or any of its parameters112 * The -Append switch must not be used in Sign-Tap6113 * '''The -Force switch must be used in Sign-Tap6:''' without it the file hashes in the .cat files will be incorrect and driver will not install.114 * An older version of signtool.exe can be used on the code-signing computer as appending of signatures is not necessary115 72 116 73 = Useful commands = … … 205 162 '''General information''' 206 163 * [http://www.osr.com/blog/2015/07/24/questions-answers-windows-10-driver-signing/ Questions and Answers: Windows 10 Driver Signing] 164 * [https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release Attestation signing a kernel driver for public release] 207 165 * [http://www.davidegrayson.com/signing/ Practical Windows Code and Driver Signing] 208 166 * [https://msdn.microsoft.com/en-us/library/windows/hardware/ff686697%28v=vs.85%29.aspx Authenticode Digital Signatures]
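Review bot: The final '''On build computer''' heading (new line 71) is left with no steps under it. The extraction and `buildtap.py -p` packaging instructions that used to follow it were removed together with the dual-signature text, so the procedure now stops at "Copy tap6-signed.tar.gz from signing computer to the build computer for packaging." without saying how the packaging is done. Please add the packaging commands back, adjusted for the new layout: the tarball now unpacks to tap6-signed rather than tap6, so the removed `mv tap6 dist` step would no longer match. In the signing block, `$ Sign-Tap6.ps1 -SourceDir tap6 -Force` is said to run in a PowerShell session, where a script in the current directory has to be invoked as `.\Sign-Tap6.ps1`. The removed text also asked for an administrator PowerShell session, so say whether that still applies. Line 12 states that an untimestamped signature stops working when the certificate expires, yet the new steps show no timestamp option now that the `--timestamp=` example is gone; note where timestamping is configured. Minor wording in the added lines: "prequisites" should be "prerequisites", "Enterprise Windows Drive Kit" should be "Driver Kit", and "may optionally signed" is missing "be".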