| 1 | If your tap-windows6 driver has to support Windows Vista or very old Windows 7 versions, it has to carry two signatures: |
| 2 | |
| 3 | 1. Primary signature created with a normal (non-EV) SHA1 code-signing certificate. The SHA1 signature needs to be the primary one, as Vista can apparently understand only one signature. |
| 4 | 1. Secondary signature created with an Extended Validation (EV) SHA2 code-signing certificate. An EV certificate is required on early versions of Windows 10 for kernel drivers. Later versions require an [https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release attestation signature]. |
| 5 | |
| 6 | There are also further requirements due to the two signatures: |
| 7 | |
| 8 | * Build computer should have a SHA1 code-signing certificate in the certificate store under ''Currentuser\My'' or as a PFX file. The primary signature will be created by tap-windows6 build system. |
| 9 | * Code-signing computer should have Windows Kit 10 installed: this kit includes a version of ''Signtool.exe'' which supports appending signatures to files. The SHA2 EV code-signing certificate needs to be visible in the certificate store under ''Currentuser\My''. |
| 10 | |
| 11 | The actual build/signing procedure in this case is rather convoluted. |
| 12 | |
| 13 | '''On build computer''' |
| 14 | |
| 15 | Copy your kernel-mode SHA1 code-signing certificate and the intermediate cross-signing certificate to the ''tap-windows6'' directory. |
| 16 | |
| 17 | Run ''buildtap.py'' to build and to sign with SHA1 |
| 18 | |
| 19 | {{{ |
| 20 | $ python buildtap.py -b --sign <certificate-options> |
| 21 | }}} |
| 22 | |
| 23 | '''NOTE:''' using the "-c" switch will wipe out any pre-built tapinstall.exe's in the ''tapinstall'' directory, so be careful with it. |
| 24 | |
| 25 | Copy the following files to the ''code-signing computer'': |
| 26 | |
| 27 | * tap6.tar.gz |
| 28 | * 32-bit tapinstall.exe (renamed to tapinstall32.exe) |
| 29 | * 64-bit tapinstall.exe (renamed to tapinstall64.exe) |
| 30 | |
| 31 | '''On code-signing computer''' |
| 32 | |
| 33 | Clone the [https://github.com/mattock/sign-tap6/ Sign-Tap6] repository. Ensure your SHA2 EV code-signing certificate is visible in the Windows certificate store, and copy the matching cross-certificate to the sign-tap6 directory. All commands except the actual signing should be done from Git Bash or similar. |
| 34 | |
| 35 | Copy ''tap6.tar.gz'' to the ''sign-tap6'' directory and extract it: |
| 36 | |
| 37 | {{{ |
| 38 | $ tar -zxf tap6.tar.gz |
| 39 | }}} |
| 40 | |
| 41 | Copy tapinstall.exe's to the ''tap6'' directory: |
| 42 | |
| 43 | {{{ |
| 44 | $ cp tapinstall32.exe tap6/i386/tapinstall.exe |
| 45 | $ cp tapinstall64.exe tap6/amd64/tapinstall.exe |
| 46 | }}} |
| 47 | |
| 48 | Next append secondary signatures with ''Sign-Tap6.ps1'' in an ''administrator Powershell session''. For example: |
| 49 | |
| 50 | {{{ |
| 51 | PS> .\Sign-Tap6.ps1 -SourceDir tap6 -Append |
| 52 | }}} |
| 53 | |
| 54 | Now wrap the dual-signed files into a tarball (e.g. using Git Bash): |
| 55 | |
| 56 | {{{ |
| 57 | $ tar -zcf tap6-dual-signed.tar.gz tap6 |
| 58 | }}} |
| 59 | |
| 60 | Copy the dual-signed tarball back to the ''build computer''. |
| 61 | |
| 62 | '''On build computer''' |
| 63 | |
| 64 | Extract contents of ''tap6-dual-signed.tar.gz'' to the ''tap-windows6'' directory: |
| 65 | |
| 66 | {{{ |
| 67 | $ rm -rf dist tap6 |
| 68 | $ tar -zxf tap6-dual-signed.tar.gz |
| 69 | $ mv tap6 dist |
| 70 | }}} |
| 71 | |
| 72 | Next you will need to run ''buildtap.py'' using the same parameters as before, except that you must not ''clean'' (-c) or ''build'' (-b). You should only ''package'' (-p) the dist directory into an installer. If you have a user-mode ''SHA2'' certificate available on the ''build computer'', then it is easiest to sign with that, e.g. |
| 73 | |
| 74 | {{{ |
| 75 | $ python buildtap.py -p --sign --certfile=<my-sha2-certificate> --certpw=<password> --crosscert=<my-cross-cert> --timestamp=http://timestamp.digicert.com --ti=tapinstall |
| 76 | }}} |
| 77 | |
| 78 | Alternatively copy the installer produced by ''buildtap.py'' to the ''code-signing computer'' for the additional signature, as described below. |
| 79 | |
| 80 | '''On code-signing computer''' |
| 81 | |
| 82 | Append a signature to the tap-windows-<version>-<buildnum>.exe using ''Sign-Tap6.ps1''. Make sure you use the EV SHA2 certificate. Right now this process has not been automated, but the command line is fairly easy to construct manually by looking at [https://github.com/mattock/sign-tap6/ Sign-Tap6.ps1]. |
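
The script below is an added example of that manually constructed command line; it is not code from tap-windows6 or from the Sign-Tap6 repository. It appends the EV SHA2 signature to a file that already carries the SHA1 primary signature (the installer, or with ''-Kernel'' the driver files in ''tap6'') using ''signtool.exe'' from Windows Kit 10, then verifies that both signatures are present. It assumes the EV certificate is selected by its thumbprint in ''CurrentUser\My'', that the cross-certificate is a ''.crt'' file you pass in, and that signtool lives under the standard ''Windows Kits\10\bin'' tree; the ''Signature Index:'' text it greps for is what ''signtool verify /v'' prints and may differ between kit versions.

```powershell
# Added example (not part of tap-windows6 or Sign-Tap6): append the secondary EV SHA2
# signature to an already SHA1-signed file and verify both signatures. Run from an
# administrator PowerShell session on the code-signing computer.
#
# Assumptions (not from the wiki page): EV certificate selected by thumbprint from
# Cert:\CurrentUser\My, cross-certificate given as a .crt file, signtool.exe under
# "Windows Kits\10\bin".
#
# Usage:
#   .\Add-SecondarySignature.ps1 -File .\tap-windows-<version>-<buildnum>.exe `
#       -Thumbprint <ev-cert-thumbprint> -CrossCert .\<cross-cert>.crt
#   add -Kernel when the file is a .sys from the tap6 directory
param(
    [Parameter(Mandatory = $true)][string]$File,
    [Parameter(Mandatory = $true)][string]$Thumbprint,   # thumbprint of the EV SHA2 certificate
    [Parameter(Mandatory = $true)][string]$CrossCert,    # cross-certificate for the EV cert's CA
    [string]$TimestampUrl = "http://timestamp.digicert.com",
    [switch]$Kernel                                      # verify with kernel-mode policy (/kp)
)
$ErrorActionPreference = "Stop"

function Find-SignTool {
    # Windows Kit 10 ships signtool.exe under bin\<sdk-version>\x64 (older kits: bin\x64).
    # Only a Kit 10 signtool supports /as (append); take the newest 64-bit copy found.
    $root = Join-Path ${env:ProgramFiles(x86)} "Windows Kits\10\bin"
    $candidates = Get-ChildItem -Path $root -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -like "*\x64\signtool.exe" } |
        Sort-Object FullName -Descending
    if (-not $candidates) { throw "signtool.exe from Windows Kit 10 not found under $root" }
    return $candidates[0].FullName
}

function Assert-Prerequisites {
    # The EV certificate must be visible in CurrentUser\My with its private key reachable.
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\CurrentUser\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no usable private key" }
    if (-not (Test-Path $CrossCert)) { throw "Cross-certificate $CrossCert not found" }

    # Refuse to append to an unsigned file: in the dual-signing flow the SHA1 signature
    # from the build computer must already be in place as the primary signature.
    # Get-AuthenticodeSignature reports only the primary signature, which is the one
    # that matters here.
    $primary = Get-AuthenticodeSignature -FilePath $File
    if ($primary.Status -eq "NotSigned") {
        throw "$File carries no primary signature; sign it with the SHA1 certificate first"
    }
    Write-Host "Primary signature: $($primary.SignerCertificate.Subject) [$($primary.Status)]"
}

function Add-SecondarySignature([string]$SignTool) {
    # /as appends instead of replacing the existing signature, /fd sha256 makes this the
    # SHA2 signature, /sha1 selects the EV certificate by thumbprint, /ac adds the
    # cross-certificate to the chain, /tr and /td sha256 request an RFC 3161 timestamp.
    & $SignTool sign /v /as /fd sha256 /sha1 $Thumbprint /ac $CrossCert `
        /tr $TimestampUrl /td sha256 $File
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }
}

function Test-BothSignatures([string]$SignTool) {
    # /all checks every signature in the file, not only the primary one; /kp applies the
    # kernel-mode driver policy and /pa the default Authenticode policy.
    $policy = if ($Kernel) { "/kp" } else { "/pa" }
    $output = & $SignTool verify $policy /all /v $File
    $output | Write-Host
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
    # Sanity check on the verbose listing (assumed format): signtool prints one
    # "Signature Index:" line per signature, so a dual-signed file must show at least two.
    $count = @($output | Select-String -Pattern "Signature Index:").Count
    if ($count -lt 2) { throw "Expected two signatures on $File, signtool reported $count" }
    Write-Host "OK: $File carries $count signatures"
}

$signtool = Find-SignTool
Assert-Prerequisites
Add-SecondarySignature $signtool
Test-BothSignatures $signtool
```

Note that ''Get-AuthenticodeSignature'' and the file properties dialog show only the primary (SHA1) signature; use ''signtool verify /all'' as above to confirm the appended SHA2 signature actually landed.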
| 83 | |
| 84 | If this process sounds complicated, that's because it is. At some point it would make sense to adapt buildtap.py to add both signatures automatically, which would simplify the process dramatically. However, that would require porting buildtap.py to Windows Kit 10, which would require a non-trivial amount of work. |