Changes between Version 40 and Version 41 of BuildingTapWindows6


Timestamp:
04/16/19 12:57:41 (3 years ago)
Author:
Samuli Seppänen
Comment:

Update tap-windows6 cross-signing documentation

  • BuildingTapWindows6

    v40 v41  
    2222 * [https://docs.microsoft.com/en-us/windows-hardware/drivers/develop/using-the-enterprise-wdk Enterprise Windows Drive Kit] ISO image is installed and mounted as a system drive
    2323 * tap-windows6 build system is configured properly (file paths etc.)
    24  * Clone [https://github.com/Microsoft/Windows-driver-samples/ Windows-driver-samples] somewhere (e.g. inside tap-windows6 directory)
    25  * A user- or kernel mode authenticode certificate is present for signing the tap-windows6 ''installer''
     24 * Clone [https://github.com/Microsoft/Windows-driver-samples/ Windows-driver-samples] under the tap-windows6 directory
     25 * Clone [https://github.com/mattock/sign-tap6 sign-tap6] under the tap-windows6 directory
    2626* On signing computer
    2727 * An EV token is visible in the Windows Certificate Store
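Review bot: the removed v40 line 25 was the only prerequisite that named a certificate for signing the tap-windows6 installer, yet a "Sign the installer:" step remains further down the page. Either keep a prerequisite saying which certificate signs the installer, or state that the EV token listed under "On signing computer" is used for the installer as well.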
     
    3434In the documentation below it is assumed that all Windows commands are executed from within a Powershell session.
    3535
     36= Setting up the SMB share =
     37
     38If the building and signing computers are separate you are ''strongly encouraged'' to share the build directory on the build computer with the signing computer, e.g. using SMB); this removes the need for doing error-prone file copying, archive extraction, etc. In the instructions below it is assumed that this is the case.
     39
     40You can create new shares on the build computer in various ways. Here's an example on how to do it with Puppet using Powershell DSC resources:
     41
     42{{{
     43dsc_windowsfeature { 'File server':
     44  dsc_ensure => 'present',
     45  dsc_name   => 'FS-FileServer',
     46}
     47
     48dsc_xsmbshare { 'tap-windows6-build-directory':
     49  dsc_ensure                => 'present',
     50  dsc_name                  => 'tap6build',
     51  dsc_description           => 'tap-windows6 build directory',
     52  dsc_path                  => 'C:\\Users\\build\\opt\\tap-windows6',
     53  dsc_folderenumerationmode => 'AccessBased',
     54  dsc_fullaccess            => 'tapbuilder\build',
     55}
     56}}}
     57
     58This code can be mapped almost 1:1 to Powershell DSC. Alternatively you can use raw Powershell commands [https://ss64.com/ps/add-windowsfeature.html Add-Windowsfeature] and [https://docs.microsoft.com/en-us/powershell/module/smbshare/new-smbshare?view=win10-ps New-Smbshare] to do the same. Or just create the share via Windows GUI somehow. Remember to open port 445 in the firewall.
     59
     60Once the share is up, mount it on a Powershell session:
     61
     62{{{
     63$ net use W: \\tapbuilder.example.org\tap6build /user:build 'password-here'
     64}}}
     65
     66Note that this mount is session-specific, so you need to do it from the session you use to sign the files from.
     67
    3668= Building an unsigned driver and tapinstall.exe =
    3769
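Review bot: the mount example at v41 line 63 passes the share password as a command-line argument ("/user:build 'password-here'"), so it can end up in the PowerShell command history of the machine that holds the EV token. Suggest leaving the password off so that net use prompts for it. In the same section, "Remember to open port 445 in the firewall" should say to allow only the signing computer, since the share gives dsc_fullaccess to the whole build directory. There is also a stray ")" in "e.g. using SMB);" on v41 line 38.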
     
    4274{{{
    4375$ cd tap-windows6
    44 $ python buildtap.py -c -b --ti=Windows-driver-samples\setup\devcon
    45 }}}
    46 
    47 This generates tap6.tar.gz which you will need to to copy to the signing computer.
     76$ python.exe buildtap.py -c -b --ti=Windows-driver-samples\setup\devcon
     77}}}
    4878
    4979= Building for Windows Vista =
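Review bot: with the tap6.tar.gz sentence removed after the buildtap.py command, this section no longer says what the build produces or where it ends up. The signing step later passes "-SourceDir ..\dist", so add a sentence here naming the output directory that the signing computer is expected to find on the share.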
     
    5989Build an unsigned driver (see above)
    6090
    61 '''On workstation'''
    62 
    63 Copy the tap6.tar.gz from the build computer to the signing computer.
    64 
    6591'''On signing computer'''
    6692
    67 {{{
    68 $ cd sign-tap6
    69 $ tar -zxf tap6.tar.gz
    70 $ Sign-Tap6.ps1 -SourceDir tap6 -Force
    71 $ Move-Item tap6 tap6-signed
    72 $ tar -zcf tap6-signed.tar.gz tap6-signed
     93Sign the build files using the EV token:
     94
     95{{{
     96$ cd W:\tap-windows6\sign-tap6
     97$ .\Sign-Tap6.ps1 -SourceDir ..\dist -Force
    7398}}}
    7499
    75100The EV dongle will probably prompt you twice per architecture (x86, x64, arm64) as it signs the catalog file and tapinstall.exe for each. Note that the -Force switch ''is required'' or the file hashes in the .cat files will be incorrect and the driver will not install.
    76101
    77 '''On workstation'''
    78 
    79 Copy tap6-signed.tar.gz from signing computer to the build computer for packaging.
    80 
    81 '''On build computer'''
     102'''On build computer'''
     103
     104Package the signed files:
     105
     106{{{
     107$ cd tap-windows6
     108$ python.exe buildtap.py -p --ti=Windows-driver-samples\setup\devcon
     109}}}
     110
     111'''On signing computer'''
     112
     113Sign the installer:
     114
     115{{{
     116$ ...
     117}}}
    82118
    83119= Building and signing for Windows 10 =
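Review bot: the path in "cd W:\tap-windows6\sign-tap6" (v41 line 96) does not match the share defined earlier, where tap6build is rooted at C:\Users\build\opt\tap-windows6 and mounted as W:, which would put the script at W:\sign-tap6 and the build output at W:\dist. Please reconcile the share root and the paths used here. The "Sign the installer:" block contains only the placeholder "$ ...", so the procedure is incomplete until the actual command is documented. It is also worth noting that Sign-Tap6.ps1 is run with the EV token from a share the build user can write to, so the text should say how the signing operator checks the script before running it.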