Changes between Version 34 and Version 35 of BuildingTapWindows6


Timestamp: 04/05/19 08:17:02 (3 years ago)
Author: Samuli Seppänen
Comment: --

  • BuildingTapWindows6

    v34 v35  
    1616Cross-signing is possible for Windows 7/8/8.1/Server 2012r2 as long as the certification authority's cross-certificate is valid. Beyond that point an actual Microsoft signature is required in all drivers. Windows 10 already requires these Microsoft signatures - they're called [https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release attestation signatures] in MS jargon. These signatures can be created in [https://developer.microsoft.com/en-us/windows Windows Dev Center] once you've cleared all the bureaucratic obstacles like signing in to development programs and registering your EV hardware token with your account.
    1717
    18 = Building for Windows Vista =
    19 
    20 **NOTE:** It is generally a bad idea to support Windows Vista. But if you must, please look [wiki:SigningForWindowsVista here].
    21 
    22 = Building and signing for Windows 7/8/8.1/Server 2012r2 =
    23 
    24 Any relatively recent Windows 7 installation supports SHA2 Authenticode signatures. This means that the laborious and fragile [wiki:SigningForWindowsVista dual-signature process] can be avoided. You only need the EV SHA2 kernel-mode code-signing certificate, which probably comes in the form of a dongle that integrates with Windows certificate store. The tap-windows6 ''installer'' may optionally signed with a different, non-EV SHA2 code-signing certificate.
    25 
    26 The prequisites for cross-signing:
     18Here are the general prequisites for building and signing, regardless of signature type:
    2719
    2820* On build computer
    2921 * [https://github.com/OpenVPN/tap-windows6 tap-windows6] source directory is up-to-date
    3022 * [https://docs.microsoft.com/en-us/windows-hardware/drivers/develop/using-the-enterprise-wdk Enterprise Windows Drive Kit] ISO image is installed and mounted as a system drive
    31  * tap-windows6 build system is configured properly (mostly file paths)
     23 * tap-windows6 build system is configured properly (file paths etc.)
    3224 * A user- or kernel mode authenticode certificate is present for signing the tap-windows6 ''installer''
    3325* On signing computer
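Review bot: the new lead-in at v35 line 18 ("Here are the general prequisites for building and signing, regardless of signature type:") carries over the "prequisites" typo from the removed line it replaces; it should read "prerequisites". Since this block is being generalised to cover every signature type, it is also worth fixing the unchanged link text "Enterprise Windows Drive Kit" on line 22 to "Enterprise Windows Driver Kit", which is what the linked enterprise-wdk page is about. The added "(file paths etc.)" wording on line 23 is fine.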
     
    3931 * You are able to transfer files (e.g. via SSH) from and to the build and signing computers
    4032
    41 It is also assumed that all Windows commands are executed from within a Powershell session.
    42 The signing process is as follows
     33In the documentation below it is assumed that all Windows commands are executed from within a Powershell session.
     34
     35= Building for Windows Vista =
     36
     37**NOTE:** It is generally a bad idea to support Windows Vista. But if you must, please look [wiki:SigningForWindowsVista here].
     38
     39= Building and signing for Windows 7/8/8.1/Server 2012r2 =
     40
     41Any relatively recent Windows 7 installation supports SHA2 Authenticode signatures. This means that the laborious and fragile [wiki:SigningForWindowsVista dual-signature process] can be avoided. You only need the EV SHA2 kernel-mode code-signing certificate, which probably comes in the form of a dongle that integrates with Windows certificate store. The tap-windows6 ''installer'' may optionally signed with a different, non-EV SHA2 code-signing certificate.
     42
     43The building and signing process is as follows
    4344
    4445'''On build computer'''
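Review bot: the Windows 7/8/8.1/Server 2012r2 paragraph relocated to v35 line 41 still reads "The tap-windows6 ''installer'' may optionally signed with a different, non-EV SHA2 code-signing certificate", missing "be"; as the paragraph is being moved anyway, change it to "may optionally be signed". The new lead-in on line 43 ("The building and signing process is as follows") introduces the command blocks that follow and should end with a colon. The reordering itself (generic prerequisites first, then the Vista and Windows 7/8/8.1/Server 2012r2 sections) reads correctly.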
     
    7071
    7172'''On build computer'''
     73
     74= Building and signing for Windows 10 =
     75
     76On top of the generic requirements listed above you will have to register you EV dongle with your organization's account in the Windows Dev Center ([https://developer.microsoft.com/en-us/dashboard/account/managecertificates link]).
     77
     78The building and signing process is as follows
     79
     80'''On build computer'''
     81
     82{{{
     83$ cd tap-windows6
     84$ python buildtap.py -c -b
     85}}}
     86
     87'''On workstation'''
     88
     89Copy the tap6.tar.gz from the build computer to the signing computer.
     90
     91'''On signing computer'''
     92
     93{{{
     94$ cd sign-tap6
     95$ tar -zxf tap6.tar.gz
     96}}}
     97
     98Now generate a catalog file as described [here https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release], sign it with signtool.exe using the EV dongle and submit via Windows Dev Center for attestation signing.
    7299
    73100= Useful commands =
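Review bot: in the new Windows 10 section, line 76 has "register you EV dongle" (should be "your"), and the link on line 98 is written as "[here https://docs.microsoft.com/...]", which reverses the Trac link syntax used elsewhere on this page (URL first, then label, as in the attestation-signatures link on line 16) and so will not render as a link; swap it to "[https://docs.microsoft.com/... here]". The "as follows" lead-in on line 78 needs a colon like the other sections. The section also ends in prose ("generate a catalog file ..., sign it with signtool.exe using the EV dongle and submit via Windows Dev Center") while every other step on the page shows the exact commands in a {{{ }}} block; documenting the catalog-generation and signtool.exe invocations the same way, together with a check that the signed catalog verifies before it is submitted, would make the step reproducible. Finally, the new heading on line 74 lands directly after the bold step heading '''On build computer''' on line 72 with nothing in between; that empty step pre-dates this change (v34 line 71 was followed only by "= Useful commands ="), but it is worth either filling in or dropping while this area is being edited.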