author | Toni Uhlig <matzeton@googlemail.com> | 2023-06-30 13:12:44 +0200 |
---|---|---|
committer | Toni Uhlig <matzeton@googlemail.com> | 2023-06-30 13:48:13 +0200 |
commit | de3d64ca85fcd3fa4251a4d4719c452da2a56987 (patch) | |
tree | b453ce58b24fbf073c93872658d49d27e2d1e18c | |
parent | f72851a80c90960822c5498b717fac738a92971b (diff) |
Sign drivers on native Windows. Fixes #2.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r-- | Makefile.inc | 4 | ||||
-rw-r--r-- | README.md | 11 | ||||
-rw-r--r-- | create_codesign_ca.bat | 47 | ||||
-rw-r--r-- | sign-driver-on-windows.bat.in | 16 |
4 files changed, 78 insertions, 0 deletions
diff --git a/Makefile.inc b/Makefile.inc
index 39e456d..802f23a 100644
--- a/Makefile.inc
+++ b/Makefile.inc
@@ -40,6 +40,7 @@ endif
 DDK_GLOBAL_DEPS := deps $(LOCAL_MINGW64_BUILD_SCRIPT) $(LOCAL_MINGW64_BUILD_DIR) $(LOCAL_MINGW64_CC) $(LOCAL_MINGW64_CXX) $(LOCAL_MINGW64_AR) $(LOCAL_MINGW64_RC)
 INSTALL = install
+SED = sed
 CMAKE = cmake
 CC = $(LOCAL_MINGW64_CC)
 CXX = $(LOCAL_MINGW64_CXX)
@@ -226,8 +227,11 @@ define INSTALL_EXEC_SIGN
 $(SIGNTOOL) sign -pkcs12 '$(DPP_ROOT)/$(SIGNTOOL_PREFIX)-code.p12' \
 -in "$$target" \
 -out "$(DESTDIR)/$$target"; \
+ $(INSTALL) "$(DPP_ROOT)/sign-driver-on-windows.bat.in" "$(DESTDIR)/$$(basename $$target .sys)-sign-driver-on-windows.bat"; \
+ $(SED) -i -e "s/{{\s*DRIVER_NAME\s*}}/$$target/g" "$(DESTDIR)/$$(basename $$target .sys)-sign-driver-on-windows.bat"; \
 done
 $(INSTALL) "$(DPP_ROOT)/$(SIGNTOOL_PREFIX)-ca-cert.pem" '$(DESTDIR)/$(SIGNTOOL_PREFIX)-ca-cert.crt'
+ $(INSTALL) "$(DPP_ROOT)/create_codesign_ca.bat" '$(DESTDIR)/create-codesign-ca-on-windows.bat'
 endef
 define INSTALL_HEADERS
@@ -178,6 +178,17 @@ $(USERSPACE_TARGET): $(USERSPACE_OBJECTS)
 [A simple and stupid project example.](https://github.com/utoni/mingw-w64-driver)
+## Driver Signing
+
+Driver signing can be done in two ways. Using a native `osslsigncode` executable or sign it manually on your Windows platform.
+The first one is always done by calling the macro `INSTALL_EXEC_SIGN` from your own Makefile.
+The latter one has to be done manually on your target Windows machine by running:
+
+1. `create_codesign_ca.bat` in DESTDIR (Administrator permission required to import CA/CERTs to the Windows certificate storage
+2. `*-sign-driver-on-windows.bat` e.g. `dpp-example-sign-driver-on-windows.bat` (no Administrator permissions required)
+
+*Note*: You still need to call the macro `INSTALL_EXEC_SIGN` from your own Makefile to create/install the batch files in DESTDIR.
+
 ## Thanks goes to:
 - [Zeranoe](https://github.com/Zeranoe/mingw-w64-build) for the Mingw64 build script
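Review bot: The added `$(SED)` line in INSTALL_EXEC_SIGN splices `$$target` unescaped into the replacement side of an `s///` command, so a target containing `/`, `&` or `\` produces a malformed sed expression or a mangled `DRIVER` value in the generated batch file. A delimiter that is unlikely in a driver filename is the cheap fix, e.g. `$(SED) -i -e "s|{{\s*DRIVER_NAME\s*}}|$$target|g"`, and since the batch template joins the value to `%MYDIR%` it should be documented that `$$target` is expected to be a bare `.sys` filename, not a path. `\s` and `-i` without a suffix argument are GNU sed extensions, which is fine for the mingw64 cross-build host but worth a comment if BSD/macOS hosts are ever expected. The `for` loop over `$$target` and the `define` itself begin outside this hunk.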
diff --git a/create_codesign_ca.bat b/create_codesign_ca.bat
new file mode 100644
index 0000000..5de3873
--- /dev/null
+++ b/create_codesign_ca.bat
@@ -0,0 +1,47 @@
+@echo off
+
+set MYDIR=%~dp0
+set FILENAME_PREFIX=mingw-w64-dpp
+
+net session >nul 2>&1
+if NOT %ERRORLEVEL% EQU 0 (
+ echo ERROR: This script requires Administrator privileges!
+ pause
+ exit /b 1
+)
+
+where makecert.exe >nul 2>&1
+IF %ERRORLEVEL% NEQ 0 (
+ echo ERROR: makecert.exe not found, pleae add it to your PATH
+ pause
+ exit /b 1
+)
+
+where certmgr.exe >nul 2>&1
+IF %ERRORLEVEL% NEQ 0 (
+ echo ERROR: certmgr.exe not found, pleae add it to your PATH
+ pause
+ exit /b 1
+)
+
+where cert2spc.exe >nul 2>&1
+IF %ERRORLEVEL% NEQ 0 (
+ echo ERROR: cert2spc.exe not found, pleae add it to your PATH
+ pause
+ exit /b 1
+)
+
+where pvk2pfx.exe >nul 2>&1
+IF %ERRORLEVEL% NEQ 0 (
+ echo ERROR: pvk2pfx.exe not found, pleae add it to your PATH
+ pause
+ exit /b 1
+)
+
+makecert.exe -b 01/01/2023 -r -n CN="%FILENAME_PREFIX%" -sv "%MYDIR%/%FILENAME_PREFIX%.pvk" "%MYDIR%/%FILENAME_PREFIX%.cer"
+certmgr.exe -add "%MYDIR%/%FILENAME_PREFIX%.cer" -s -r localMachine ROOT
+certmgr.exe -add "%MYDIR%/%FILENAME_PREFIX%.cer" -s -r localMachine TRUSTEDPUBLISHER
+cert2spc.exe "%MYDIR%/%FILENAME_PREFIX%.cer" "%MYDIR%/%FILENAME_PREFIX%.spc"
+pvk2pfx.exe -pvk "%MYDIR%/%FILENAME_PREFIX%.pvk" -spc "%MYDIR%/%FILENAME_PREFIX%.spc" -pfx "%MYDIR%/%FILENAME_PREFIX%.pfx"
+
+pause
diff --git a/sign-driver-on-windows.bat.in b/sign-driver-on-windows.bat.in
new file mode 100644
index 0000000..a6fe075
--- /dev/null
+++ b/sign-driver-on-windows.bat.in
@@ -0,0 +1,16 @@
+@echo off
+
+set MYDIR=%~dp0
+set FILENAME_PREFIX=mingw-w64-dpp
+set DRIVER={{ DRIVER_NAME }}
+
+where signtool.exe >nul 2>&1
+IF %ERRORLEVEL% NEQ 0 (
+ echo ERROR: signtool.exe not found, pleae add it to your PATH
+ pause
+ exit /b 1
+)
+
+signtool.exe sign /v /f "%MYDIR%/%FILENAME_PREFIX%.pfx" "%MYDIR%/%DRIVER%"
+
+pause
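Review bot: The certificate created by `makecert.exe` near the end of create_codesign_ca.bat is imported into the LocalMachine `ROOT` and `TRUSTEDPUBLISHER` stores without a code-signing EKU, an expiry or an explicit digest algorithm (makecert falls back to SHA-1 when `-a` is absent), so the machine ends up trusting a general-purpose self-signed root; `-eku 1.3.6.1.5.5.7.3.3 -a sha256 -e <mm/dd/yyyy>` bounds what that trusted certificate can be used for. None of the makecert/certmgr/cert2spc/pvk2pfx calls check `%ERRORLEVEL%`, so a failed key generation still runs the store imports and pvk2pfx against missing files; the same `IF %ERRORLEVEL% NEQ 0 ( ... exit /b 1 )` guard used for the `where` checks fits after each of them. The resulting `.pvk`/`.pfx` stay in `%MYDIR%` next to the installed driver and there is no counterpart that removes the certificate from the stores again, both of which the README section should state. The `echo` messages misspell "please" as "pleae" (also in sign-driver-on-windows.bat.in).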
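Review bot: The `signtool.exe sign` line in sign-driver-on-windows.bat.in specifies no `/fd` file-digest algorithm and no timestamp, so newer signtool releases refuse or warn and older ones default to SHA-1, and the signature's validity ends with the certificate's; `signtool.exe sign /v /fd sha256 /f "%MYDIR%/%FILENAME_PREFIX%.pfx" "%MYDIR%/%DRIVER%"` is the minimal change (a `/tr` URL is optional for a self-signed test certificate). Its exit status is not checked before `pause`, unlike the `where` guard above it, so a failed signing looks identical to a successful one; `IF %ERRORLEVEL% NEQ 0 exit /b 1` after the call would surface it. The script also depends on the `{{ DRIVER_NAME }}` substitution in Makefile.inc yielding a bare filename, because it joins the value to `%MYDIR%`; a comment on the `set DRIVER=` line stating that expectation would help whoever edits the macro.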