18 | | = Building for Windows Vista = |
19 | | |
20 | | **NOTE:** It is generally a bad idea to support Windows Vista. But if you must, please look [wiki:SigningForWindowsVista here]. |
21 | | |
22 | | = Building and signing for Windows 7/8/8.1/Server 2012r2 = |
23 | | |
24 | | Any relatively recent Windows 7 installation supports SHA2 Authenticode signatures. This means that the laborious and fragile [wiki:SigningForWindowsVista dual-signature process] can be avoided. You only need the EV SHA2 kernel-mode code-signing certificate, which probably comes in the form of a dongle that integrates with Windows certificate store. The tap-windows6 ''installer'' may optionally signed with a different, non-EV SHA2 code-signing certificate. |
25 | | |
26 | | The prequisites for cross-signing: |
| 18 | Here are the general prequisites for building and signing, regardless of signature type: |
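Review bot: new line 18 carries over the "prequisites" typo from the removed line 26; it should read "prerequisites". Since this sentence now introduces the requirements for every signature type, it is worth fixing while the line is being rewritten.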
41 | | It is also assumed that all Windows commands are executed from within a Powershell session. |
42 | | The signing process is as follows |
| 33 | In the documentation below it is assumed that all Windows commands are executed from within a Powershell session. |
| 34 | |
| 35 | = Building for Windows Vista = |
| 36 | |
| 37 | **NOTE:** It is generally a bad idea to support Windows Vista. But if you must, please look [wiki:SigningForWindowsVista here]. |
| 38 | |
| 39 | = Building and signing for Windows 7/8/8.1/Server 2012r2 = |
| 40 | |
| 41 | Any relatively recent Windows 7 installation supports SHA2 Authenticode signatures. This means that the laborious and fragile [wiki:SigningForWindowsVista dual-signature process] can be avoided. You only need the EV SHA2 kernel-mode code-signing certificate, which probably comes in the form of a dongle that integrates with Windows certificate store. The tap-windows6 ''installer'' may optionally signed with a different, non-EV SHA2 code-signing certificate. |
| 42 | |
| 43 | The building and signing process is as follows |
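Review bot: the paragraph moved to new line 41 still reads "may optionally signed", which needs "may optionally be signed", and "integrates with Windows certificate store" is missing "the". On new line 33 "Powershell" should be "PowerShell", and new line 43 should end with a colon since it introduces the steps that follow. The text was moved unchanged, so these can be fixed in the same edit.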
| 73 | |
| 74 | = Building and signing for Windows 10 = |
| 75 | |
| 76 | On top of the generic requirements listed above you will have to register you EV dongle with your organization's account in the Windows Dev Center ([https://developer.microsoft.com/en-us/dashboard/account/managecertificates link]). |
| 77 | |
| 78 | The building and signing process is as follows |
| 79 | |
| 80 | '''On build computer''' |
| 81 | |
| 82 | {{{ |
| 83 | $ cd tap-windows6 |
| 84 | $ python buildtap.py -c -b |
| 85 | }}} |
| 86 | |
| 87 | '''On workstation''' |
| 88 | |
| 89 | Copy the tap6.tar.gz from the build computer to the signing computer. |
| 90 | |
| 91 | '''On signing computer''' |
| 92 | |
| 93 | {{{ |
| 94 | $ cd sign-tap6 |
| 95 | $ tar -zxf tap6.tar.gz |
| 96 | }}} |
| 97 | |
| 98 | Now generate a catalog file as described [here https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release], sign it with signtool.exe using the EV dongle and submit via Windows Dev Center for attestation signing. |
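Review bot: the link on new line 98 is written as "[here https://...]", with the label before the URL, while new line 76 uses "[https://... link]"; the order on line 98 should be swapped to match so the link renders. New line 76 also has "register you EV dongle", which should be "your". The catalog and signing step on line 98 is prose only, unlike the build and extract steps above it; adding the commands in a {{{ }}} block would make the procedure repeatable. Because tap6.tar.gz passes through a workstation before it reaches the signing computer (new lines 87 to 95), consider adding a step that compares a hash of the archive on the build and signing computers before anything is signed with the EV certificate.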