Changes between Initial Version and Version 1 of SigningForWindowsVista


Ignore:
Timestamp:
04/05/19 07:33:28 (5 years ago)
Author:
Samuli Seppänen
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • SigningForWindowsVista

    v1 v1  
     1If your tap-windows6 driver has to support Windows Vista or very old Windows 7 versions it has to have two signatures:
     2
     31. Primary signature created with a normal (non-EV) SHA1 code-signing certificate. The SHA1 signature needs to be the primary as Vista can apparently understand only one signature.
     41. Secondary signature created with an Extended Validation (EV) SHA2 code-signing certificate. An EV certificate is required on early versions of Windows 10 for kernel drivers. Later versions require an [https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release attestation signature].
     5
     6There are also further requirements due to the two signatures:
     7
     8* Build computer should have a SHA1 code-signing certificate in the certificate store under ''Currentuser\My'' or as a PFX file. The primary signature will be created by tap-windows6 build system.
     9* Code-signing computer should have Windows Kit 10 installed: this kit includes a version of ''Signtool.exe'' which supports appending signatures to files. The SHA2 EV code-signing certificate needs to be visible in the certificate store under ''Currentuser\My''.
     10
     11The actual build/signing procedure in this case is rather convoluted.
     12
     13'''On build computer'''
     14
     15Copy your kernel-mode SHA1 code-signing certificate and the intermediate cross-signing certificate to the ''tap-windows6'' directory.
     16
     17Run ''buildtap.py'' to build and to sign with SHA1
     18
     19{{{
     20$ python buildtap.py -b --sign <certificate-options>
     21}}}
     22
     23'''NOTE:''' using the "-c" switch will wipe out any pre-built tapinstall.exe's in the ''tapinstall'' directory, so be careful with it.
     24
     25Copy the following files to the ''code-signing computer'':
     26
     27* tap6.tar.gz
     28* 32-bit tapinstall.exe (renamed to tapinstall32.exe)
     29* 64-bit tapinstall.exe (renamed to tapinstall64.exe)
     30
     31'''On code-signing computer'''
     32
     33Clone the [https://github.com/mattock/sign-tap6/ Sign-Tap6] repository. Ensure your SHA2 EV code-signing certificate is visible in the Windows certificate store, and copy the matching cross-certificate to the sign-tap6 directory. All commands except the actual signing should be done from Git Bash or similar.
     34
     35Copy ''tap6.tar.gz'' to the ''sign-tap6'' directory and extract it:
     36
     37{{{
     38$ tar -zxf tap6.tar.gz
     39}}}
     40
     41Copy tapinstall.exe's to the ''tap6'' directory:
     42
     43{{{
     44$ cp tapinstall32.exe tap6/i386/tapinstall.exe
     45$ cp tapinstall64.exe tap6/amd64/tapinstall.exe
     46}}}
     47
     48Next append secondary signatures with ''Sign-Tap6.ps1'' in an ''administrator Powershell session''. For example:
     49
     50{{{
     51$ Sign-Tap6.ps1 -SourceDir tap6 -Append
     52}}}
     53
     54Now wrap the dual-signed files into a tarball (e.g. using Git Bash):
     55
     56{{{
     57$ tar -zcf tap6-dual-signed.tar.gz tap6
     58}}}
     59
     60Copy the dual-signed tarball back to the ''build computer''.
     61
     62'''On build computer'''
     63
     64Extract contents of ''tap6-dual-signed.tar.gz'' to the ''tap-windows6'' directory:
     65
     66{{{
     67$ rm -rf dist tap6
     68$ tar -zxf tap6-dual-signed.tar.gz
     69$ mv tap6 dist
     70}}}
     71
     72Next you will need to run ''buildtap.py'' using the same parameters as before, except that you must not ''clean'' (-c) or ''build'' (-b).  You should only ''package'' (-p) the dist directory into an installer. If you have a user-mode ''SHA2'' certificate available on the ''build computer'', then it is easiest to sign with that, e.g.
     73
     74{{{
     75$ python buildtap.py -p --sign --certfile=<my-sha2-certificate> --certpw=<password> --crosscert=<my-cross-cert> --timestamp=http://timestamp.digicert.com --ti=tapinstall
     76}}}
     77
     78Alternatively copy the installer produced by ''buildtap.py'' to the ''code-signing computer'' for the additional signature, as described below.
     79
     80'''On code-signing computer'''
     81
     82Append a signature to the tap-windows-<versio>-<buildnum>.exe using ''Sign-Tap6.ps1''. Make sure you use the EV SHA2 certificate. Right now this process has not been automated, but the command-line is fairly easy to construct manually by looking at [https://github.com/mattock/sign-tap6/ Sign-Tap6.ps1].
     83
     84If this process sounds complicated, that's because it is. At some point would make sense to adapt buildtap.py to add both signatures automatically, which would simplify the process dramatically. However, that would require porting buildtap.py to Windows Kit 10, which would require a non-trivial amount of work.