Context Navigation

Changes between Version 32 and Version 33 of BuildingTapWindows6

Timestamp:: 04/05/19 07:52:56 (5 years ago)
Author:: Samuli Seppänen
Comment:: Update tap-windows6 cross-signing documentation

Legend:

: Unmodified
: Added
: Removed
: Modified

BuildingTapWindows6

-                      v32
+                      v33
 . The signature needs to be timestamped, or the driver will stop functioning when the code-signing certificate expires.
 It is not clear if signtool's digest algorithm (/fd SHA|SHA256) affects the acceptability of the signature, or if the only important thing is the hash algorithm of the actual certificate. When the cross-certificates expires (in 5-15 years), an actual Microsoft signature is required in all drivers. This means that all drivers need to be submitted to Microsoft for signing (see links below for more information).
+It is not clear if signtool's digest algorithm (/fd SHA|SHA256) affects the acceptability of the signature in Windows 7 and beyond, or if the only important thing is the hash algorithm of the actual certificate.
 The build computer should have WinDDK 7600.* installed, because currently buildtap.py does not work on anything newer.
+Cross-signing is possible for Windows 7/8/8.1/Server 2012r2 as long as the certification authority's cross-certificate is valid. Beyond that point an actual Microsoft signature is required in all drivers. Windows 10 already requires these Microsoft signatures - they're called [https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release attestation signatures] in MS jargon. These signatures can be created in [https://developer.microsoft.com/en-us/windows Windows Dev Center] once you've cleared all the bureaucratic obstacles like signing in to development programs and registering your EV hardware token with your account.
 = Building with support for Windows Vista =
+If the driver has to support Windows Vista or very old Windows 7 versions it has to have two signatures:
+**NOTE:** It is generally a bad idea to support Windows Vista. But if you must, please look [wiki:SigningForWindowsVista here].
+. Primary signature created with a normal (non-EV) SHA1 code-signing certificate. The SHA1 signature needs to be the primary as Vista can apparently understand only one signature.
+. Secondary signature created with an Extended Validation (EV) SHA2 code-signing certificate. An EV certificate is required on Windows 10 for kernel drivers.
+= Building and signing for Windows 7/8/8.1/Server 2012r2 =
+There are also further requirements due to the two signatures:
+Any relatively recent Windows 7 installation supports SHA2 Authenticode signatures. This means that the laborious and fragile [wiki:SigningForWindowsVista dual-signature process] can be avoided. You only need the EV SHA2 kernel-mode code-signing certificate, which probably comes in the form of a dongle that integrates with Windows certificate store. The tap-windows6 ''installer'' may optionally signed with a different, non-EV SHA2 code-signing certificate.
+* Build computer should have a SHA1 code-signing certificate in the certificate store under ''Currentuser\My'' or as a PFX file. The primary signature will be created by tap-windows6 build system.
+* Code-signing computer should have Windows Kit 10 installed: this kit includes a version of ''Signtool.exe'' which supports appending signatures to files. The SHA2 EV code-signing certificate needs to be visible in the certificate store under ''Currentuser\My''.
+The prequisites for cross-signing:
+The actual build/signing procedure in this case is rather convoluted.
+* On build computer
+ * [https://github.com/OpenVPN/tap-windows6 tap-windows6] source directory is up-to-date
+ * [https://docs.microsoft.com/en-us/windows-hardware/drivers/develop/using-the-enterprise-wdk Enterprise Windows Drive Kit] ISO image is installed and mounted as a system drive
+ * tap-windows6 build system is configured properly (mostly file paths)
+ * A user- or kernel mode authenticode certificate is present for signing the tap-windows6 ''installer''
+* On signing computer
+ * An EV token is visible in the Windows Certificate Store
+ * [https://github.com/mattock/sign-tap6 Sign-Tap6] source directory is up-to-date
+ * A correct cross-certificate from your CA is installed into the sign-tap6 directory
+ * Sign-Tap6 is configured properly
+* Your workstation
+ * You are able to transfer files (e.g. via SSH) from and to the build and signing computers
+It is also assumed that all Windows commands are executed from within a Powershell session.
+The signing process is as follows
 '''On build computer'''
+Copy your kernel-mode SHA1 code-signing certificate and the intermediate cross-signing certificate to the ''tap-windows6'' directory.
+{{{
+$ cd tap-windows6
+$ python buildtap.py -c -b
+}}}
+Run ''buildtap.py'' to build and to sign with SHA1
+'''On workstation'''
+Copy the tap6.tar.gz from the build computer to the signing computer.
+'''On signing computer'''
 {{{
+$ python buildtap.py -b --sign <certificate-options>
+$ cd sign-tap6
+$ tar -zxf tap6.tar.gz
+$ Sign-Tap6.ps1 -SourceDir tap6 -Force
+$ Move-Item tap6 tap6-signed
+$ tar -zcf tap6-signed.tar.gz tap6-signed
 }}}
+'''NOTE:''' using the "-c" switch will wipe out any pre-built tapinstall.exe's in the ''tapinstall'' directory, so be careful with it.
+The EV dongle will probably prompt you twice per architecture (x86, x64, arm64) as it signs the catalog file and tapinstall.exe for each. Note that the -Force switch ''is required'' or the file hashes in the .cat files will be incorrect and the driver will not install.
+Copy the following files to the ''code-signing computer'':
+'''On workstation'''
+* tap6.tar.gz
+* 32-bit tapinstall.exe (renamed to tapinstall32.exe)
+* 64-bit tapinstall.exe (renamed to tapinstall64.exe)
+'''On code-signing computer'''
+Clone the [https://github.com/mattock/sign-tap6/ Sign-Tap6] repository. Ensure your SHA2 EV code-signing certificate is visible in the Windows certificate store, and copy the matching cross-certificate to the sign-tap6 directory. All commands except the actual signing should be done from Git Bash or similar.
+Copy ''tap6.tar.gz'' to the ''sign-tap6'' directory and extract it:
+{{{
+$ tar -zxf tap6.tar.gz
+}}}
+Copy tapinstall.exe's to the ''tap6'' directory:
+{{{
+$ cp tapinstall32.exe tap6/i386/tapinstall.exe
+$ cp tapinstall64.exe tap6/amd64/tapinstall.exe
+}}}
+Next append secondary signatures with ''Sign-Tap6.ps1'' in an ''administrator Powershell session''. For example:
+{{{
+$ Sign-Tap6.ps1 -SourceDir tap6 -Append
+}}}
+Now wrap the dual-signed files into a tarball (e.g. using Git Bash):
+{{{
+$ tar -zcf tap6-dual-signed.tar.gz tap6
+}}}
+Copy the dual-signed tarball back to the ''build computer''.
+Copy tap6-signed.tar.gz from signing computer to the build computer for packaging.
 '''On build computer'''
-Extract contents of ''tap6-dual-signed.tar.gz'' to the ''tap-windows6'' directory:
-{{{
-$ rm -rf dist tap6
-$ tar -zxf tap6-dual-signed.tar.gz
-$ mv tap6 dist
-}}}
-Next you will need to run ''buildtap.py'' using the same parameters as before, except that you must not ''clean'' (-c) or ''build'' (-b).  You should only ''package'' (-p) the dist directory into an installer. If you have a user-mode ''SHA2'' certificate available on the ''build computer'', then it is easiest to sign with that, e.g.
-{{{
-$ python buildtap.py -p --sign --certfile=<my-sha2-certificate> --certpw=<password> --crosscert=<my-cross-cert> --timestamp=http://timestamp.digicert.com --ti=tapinstall
-}}}
-Alternatively copy the installer produced by ''buildtap.py'' to the ''code-signing computer'' for the additional signature, as described below.
-'''On code-signing computer'''
-Append a signature to the tap-windows-<versio>-<buildnum>.exe using ''Sign-Tap6.ps1''. Make sure you use the EV SHA2 certificate. Right now this process has not been automated, but the command-line is fairly easy to construct manually by looking at [https://github.com/mattock/sign-tap6/ Sign-Tap6.ps1].
-If this process sounds complicated, that's because it is. At some point would make sense to adapt buildtap.py to add both signatures automatically, which would simplify the process dramatically. However, that would require porting buildtap.py to Windows Kit 10, which would require a non-trivial amount of work.
-= Building for Windows 7 and later =
-Any relatively recent Windows 7 installation supports SHA2 Authenticode signatures. This means that the laborious and fragile dual-signature process can be avoided. You only need the EV SHA2 kernel-mode code-signing certificate, which probably comes in the form of a dongle that integrates with Windows certificate store. The tap-windows6 ''installer'' may optionally signed with a different, non-EV SHA2 code-signing certificate.
-The build process is somewhat easier than with dual signatures. There are only a couple small differences:
-* buildtap.py should not use the --sign switch or any of its parameters
-* The -Append switch must not be used in Sign-Tap6
-* '''The -Force switch must be used in Sign-Tap6:''' without it the file hashes in the .cat files will be incorrect and driver will not install.
-* An older version of signtool.exe can be used on the code-signing computer as appending of signatures is not necessary
 = Useful commands =
 …
 '''General information'''
  * [http://www.osr.com/blog/2015/07/24/questions-answers-windows-10-driver-signing/ Questions and Answers: Windows 10 Driver Signing]
+ * [https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release Attestation signing a kernel driver for public release]
  * [http://www.davidegrayson.com/signing/ Practical Windows Code and Driver Signing]
  * [https://msdn.microsoft.com/en-us/library/windows/hardware/ff686697%28v=vs.85%29.aspx Authenticode Digital Signatures]