Use SHA-1 certificate from Certum to sign releases

Makes it possible to run on Windows 7 without KB3033929 installed.
desowin · May 11, 2017 · 0ce5e45 · 0ce5e45
1 parent 4746a70
commit 0ce5e45
Show file tree

Hide file tree

Showing 7 changed files with 52 additions and 52 deletions.
diff --git a/certificates/Certum Trusted Network CA.crt b/certificates/Certum Trusted Network CA.crt
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFTTCCAzWgAwIBAgIKYTvHkQAAAAAANDANBgkqhkiG9w0BAQUFADB/MQswCQYD
+VQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEe
+MBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSkwJwYDVQQDEyBNaWNyb3Nv
+ZnQgQ29kZSBWZXJpZmljYXRpb24gUm9vdDAeFw0xMTA0MTUyMDE1MzRaFw0yMTA0
+MTUyMDI1MzRaMH4xCzAJBgNVBAYTAlBMMSIwIAYDVQQKExlVbml6ZXRvIFRlY2hu
+b2xvZ2llcyBTLkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRo
+b3JpdHkxIjAgBgNVBAMTGUNlcnR1bSBUcnVzdGVkIE5ldHdvcmsgQ0EwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDj+32jcrrC8MkUh/VrAU7hbkAHum0n
+XX/3Wy2zWsdRX6ukMqZhh7ZuD4bSMAKX+NdpV6EYOV1qZHnGAVmsPDFKOHzSBNJL
+KOggXzsHosxNc9vzrk/HVtVap5aJ+vOraNQjhlknzwknvKxucoMcMHLf4KLp0uF0
+dRm9Kp57FVQEG9dDOa1VKMXiGrv0wOSuOEkzzHaFnzlF0qSe8hKMUfh85C1/9axf
+6xafsS3RusyRQndMJcmQOG/b8Mz7jh6XWT7VYE7mBSjtSXkTS7pI2y/5ctM5yv4f
+2DRy9bRAzzEBw+zeES0XXR+4UNFeGadp3gczKMpQlfmnVMtUhlBFqflJAgMBAAGj
+gcswgcgwEQYDVR0gBAowCDAGBgRVHSAAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
+BBYEFAh2zcsH/yT2xc3tu5C84oQ3RnX3MAsGA1UdDwQEAwIBhjAfBgNVHSMEGDAW
+gBRi+wohW39DbhHaCVRQa/XSlnHxnjBVBgNVHR8ETjBMMEqgSKBGhkRodHRwOi8v
+Y3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNyb3NvZnRDb2Rl
+VmVyaWZSb290LmNybDANBgkqhkiG9w0BAQUFAAOCAgEAQZ8SFg7t7iSR/l1fEKCX
+qHSeDczzEVFjEipbuV3Hr6xaolwAAstyjg2SJbZSJlO+PHeiwoyAidhBGFcauNBQ
+V8Mo5/rQRIBOfokzKG86R+9eIx7yev46KhnerWsaKEd4bpu/63NnWJonGdjrXD0I
+WGBinVkUz552s8/ZYq97cqyA+eAVq5x6XEsccIPbcJQRe9IqTHc03DbMzUbUCxmM
+CfZhCt5IHJs//wtD1/EBgGGr2nDPp4RErLMcziYw9cpfaWc1g26jiIwPuJOb1lsG
+FeZLfblQqwngeyvrTBpruhzKeRvFn4G95EPwLeGV1aFmB2zm5UVuBgvb9bxDlbiK
+pQVV5ZZorB0x2zgEvBw9thl10bWAKoIeOFxGdiVsTYt0g1RDded7s5W/7hNgng7N
++8r3OipSoKYlSXoXGTrolB8sggQDXqlRPO9Sb3tDztorgbR/2hosYmXR7Cg3gjAU
+MZ0Vvf+syIslbkG9HyN0G+P8+Uvi60bmgVFTDslKhHiN7Ki4D41Mf+D2sNLFOLJP
+gsQQ/oe4jsa2sPh8Eqe0g038HotqW/nVZHk+0eN+GvbIHlnbTcpgXFd+olh37PoF
+JgAyp/b/E06Y2G9bQ0yzNuQlvNk7nzjgDum+gebJHw8CL406Eoiojhux53aRPhje
+NhIo/vdmVXxb1GRIdFLDIYk=
+-----END CERTIFICATE-----
diff --git a/config.bat b/config.bat
@@ -1,18 +1,21 @@
+::Change code page to UTF-8
+chcp 65001
+
+::Use SignTool from Windows Driver Kit
 set _USBPCAP_SIGNTOOL="C:\WinDDK\7600.16385.1\bin\amd64\SignTool.exe"
 
 ::Development build - on x64 you have to use TESTSIGNING to load driver
 set _USBPCAP_SIGN_OPTS_SHA1=sign /v /fd sha1 /f %~dp0certificates\USBPcapTestCert.pfx /tr http://timestamp.geotrust.com /td sha1
-set _USBPCAP_SIGN_OPTS_SHA256=sign /v /fd sha256 /f %~dp0certificates\USBPcapTestCert.pfx /tr http://timestamp.geotrust.com /td sha256
-
+::set _USBPCAP_SIGN_OPTS_SHA256=sign /v /fd sha256 /f %~dp0certificates\USBPcapTestCert.pfx /tr http://timestamp.geotrust.com /td sha256
 ::Release build. Keep in mind you would have to replace the certificate
 ::name with your personal/company certificate.
 ::Also, you might want to use different cross-certificate depending on the
 ::certificate authority that you got the certificate from
 ::
 ::For more information check out the Kernel-Mode Code Signing Walkthrough
 ::http://msdn.microsoft.com/en-us/library/windows/hardware/gg487328.aspx
-::set _USBPCAP_SIGN_OPTS_SHA1=sign /a /v /fd sha1 /ac "%~dp0certificates\VeriSign Class 3 Public Primary Certification Authority - G5.cer" /s my /n "Tomasz Mon" /tr http://timestamp.geotrust.com /td sha1
-::set _USBPCAP_SIGN_OPTS_SHA256=sign /a /v /fd sha256 /as /ac "%~dp0certificates\VeriSign Class 3 Public Primary Certification Authority - G5.cer" /s my /n "Tomasz Mon" /tr http://timestamp.geotrust.com /td sha256
+::set _USBPCAP_SIGN_OPTS_SHA1=sign /a /v /fd sha1 /ac "%~dp0certificates\Certum Trusted Network CA.crt" /n "Tomasz Moń" /tr http://sha1timestamp.ws.symantec.com/sha1/timestamp /td sha1
+::set _USBPCAP_SIGN_OPTS_SHA256=sign /a /v /fd sha256 /ac "%~dp0certificates\Certum Trusted Network CA.crt" /n "Tomasz Moń" /tr http://timestamp.verisign.com/scripts/timstamp.dll /td sha256
 
 ::_USBPCAP_VERSION specifies version of the installer.
 ::To update driver version edit USBPcapDriver\USBPcap.rc and

diff --git a/driver_build.bat b/driver_build.bat
@@ -38,14 +38,14 @@ if exist build%BUILD_ALT_DIR%.err goto error
 
 ::Sign the USBPcapCMD.exe, it is not critical so do not fail on error
 %_USBPCAP_SIGNTOOL% %_USBPCAP_SIGN_OPTS_SHA1% USBPcapCMD\obj%BUILD_ALT_DIR%\%USBPcap_arch%\USBPcapCMD.exe
-%_USBPCAP_SIGNTOOL% %_USBPCAP_SIGN_OPTS_SHA256% USBPcapCMD\obj%BUILD_ALT_DIR%\%USBPcap_arch%\USBPcapCMD.exe
+::%_USBPCAP_SIGNTOOL% %_USBPCAP_SIGN_OPTS_SHA256% USBPcapCMD\obj%BUILD_ALT_DIR%\%USBPcap_arch%\USBPcapCMD.exe
 
 %_USBPCAP_SIGNTOOL% %_USBPCAP_SIGN_OPTS_SHA1% USBPcapDriver\obj%BUILD_ALT_DIR%\%USBPcap_arch%\USBPcap.sys
 if errorlevel 1 goto error
-if "%DDK_TARGET_OS%"=="Win7" (
-    %_USBPCAP_SIGNTOOL% %_USBPCAP_SIGN_OPTS_SHA256% USBPcapDriver\obj%BUILD_ALT_DIR%\%USBPcap_arch%\USBPcap.sys
-    if errorlevel 1 goto error
-)
+::if "%DDK_TARGET_OS%"=="Win7" (
+::    %_USBPCAP_SIGNTOOL% %_USBPCAP_SIGN_OPTS_SHA256% USBPcapDriver\obj%BUILD_ALT_DIR%\%USBPcap_arch%\USBPcap.sys
+::    if errorlevel 1 goto error
+::)
 
 Inf2cat.exe /driver:USBPcapDriver\obj%BUILD_ALT_DIR%\%USBPcap_arch%\ /os:%USBPcap_OS%
 
@@ -63,9 +63,9 @@ copy USBPcapDriver\obj%BUILD_ALT_DIR%\%USBPcap_arch%\USBPcap.inf %3
 copy USBPcapDriver\obj%BUILD_ALT_DIR%\%USBPcap_arch%\%USBPcap_catalog% %3
 %_USBPCAP_SIGNTOOL% %_USBPCAP_SIGN_OPTS_SHA1% %3\%USBPcap_catalog%
 if errorlevel 1 goto error
-if "%DDK_TARGET_OS%"=="Win7" (
-    %_USBPCAP_SIGNTOOL% %_USBPCAP_SIGN_OPTS_SHA256% %3\%USBPcap_catalog%
-    if errorlevel 1 goto error
-)
+::if "%DDK_TARGET_OS%"=="Win7" (
+::    %_USBPCAP_SIGNTOOL% %_USBPCAP_SIGN_OPTS_SHA256% %3\%USBPcap_catalog%
+::    if errorlevel 1 goto error
+::)
 
 exit /B 0
diff --git a/driver_build_win7_64bit.bat b/driver_build_win7_64bit.bat
@@ -26,7 +26,7 @@ CALL config.bat
 build -ceZg
 if exist build%BUILD_ALT_DIR%.err goto error
 
-%_USBPCAP_SIGNTOOL% %_USBPCAP_SIGN_OPTS_SHA256% USBPcapDriver\obj%BUILD_ALT_DIR%\%USBPcap_arch%\USBPcap.sys
+%_USBPCAP_SIGNTOOL% %_USBPCAP_SIGN_OPTS_SHA1% USBPcapDriver\obj%BUILD_ALT_DIR%\%USBPcap_arch%\USBPcap.sys
 if errorlevel 1 goto error
 
 Inf2cat.exe /driver:USBPcapDriver\obj%BUILD_ALT_DIR%\%USBPcap_arch%\ /os:%USBPcap_OS%

diff --git a/driver_build_win8.bat b/driver_build_win8.bat
@@ -22,7 +22,7 @@ if exist %USBPcap_builddir% RMDIR /S /Q %USBPcap_builddir%
 Nmake2MsBuild dirs
 MSBuild dirs.sln /p:Configuration="Win8 Release"
 
-%_USBPCAP_SIGNTOOL% %_USBPCAP_SIGN_OPTS_SHA256% %USBPcap_builddir%\USBPcap.sys
+%_USBPCAP_SIGNTOOL% %_USBPCAP_SIGN_OPTS_SHA1% %USBPcap_builddir%\USBPcap.sys
 if errorlevel 1 goto error
 
 Inf2cat.exe /driver:%USBPcap_builddir%\ /os:%USBPcap_OS%
@@ -38,7 +38,7 @@ exit /B 1
 copy %USBPcap_builddir%\USBPcap.sys %2
 copy %USBPcap_builddir%\USBPcap.inf %2
 copy %USBPcap_builddir%\%USBPcap_catalog% %2
-%_USBPCAP_SIGNTOOL% %_USBPCAP_SIGN_OPTS_SHA256% %2\%USBPcap_catalog%
+%_USBPCAP_SIGNTOOL% %_USBPCAP_SIGN_OPTS_SHA1% %2\%USBPcap_catalog%
 if errorlevel 1 goto error
 
 exit /B 0
diff --git a/nsis/USBPcap.nsi b/nsis/USBPcap.nsi
@@ -45,7 +45,7 @@ RequestExecutionLevel admin
   ; That will have written an uninstaller binary for us.  Now we sign it
   ; with your favourite code signing tool.
   !system '$%_USBPCAP_SIGNTOOL% $%_USBPCAP_SIGN_OPTS_SHA1% $%TEMP%\Uninstall.exe' = 0
-  !system '$%_USBPCAP_SIGNTOOL% $%_USBPCAP_SIGN_OPTS_SHA256% $%TEMP%\Uninstall.exe' = 0
+  ;!system '$%_USBPCAP_SIGNTOOL% $%_USBPCAP_SIGN_OPTS_SHA256% $%TEMP%\Uninstall.exe' = 0
 
   ; Good.  Now we can carry on writing the real installer.
 
@@ -111,40 +111,6 @@ done:
     Quit
   ${EndIf}
 
-  ; Make sure we have the SHA-2 hotfix installed on Windows 7
-  ; https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11766
-  ${If} ${IsWin7}
-  ${OrIf} ${IsWin2008R2}
-    ; KB3033929 check is based on dokan wix installer
-    ; https://github.com/dokan-dev/dokany/commit/90bd2c88c83dae9986dca60ea4d6c386ad9e0ed2
-    ; (WINTRUSTVERSION >= v6.1.7601.18741 AND WINTRUSTVERSION < v6.1.7601.22000) OR
-    ;  WINTRUSTVERSION >= v6.1.7601.22948)
-    Var /GLOBAL WINTRUSTVERSION
-    ${GetFileVersion} "$SYSDIR\Wintrust.dll" $WINTRUSTVERSION
-    ${VersionCompare} $WINTRUSTVERSION "6.1.7601.22948" $R0
-    ${If} $R0 == 2
-      ; $WINTRUSTVERSION < "6.1.7601.22948"
-      ${VersionCompare} $WINTRUSTVERSION "6.1.7601.22000" $R0
-      ${If} $R0 == 2
-        ; $WINTRUSTVERSION < "6.1.7601.22000"
-        ${VersionCompare} $WINTRUSTVERSION "6.1.7601.18741" $R0
-        ${If} $R0 == 2
-          ; MessageBox MB_OK "WINTRUSTVERSION < 6.1.7601.18741"
-          MessageBox MB_OK "Hotfix KB 3033929 must be installed on Windows 7 or 2008R2."
-          Quit
-        ${Else}
-          ; MessageBox MB_OK "WINTRUSTVERSION >= 6.1.7601.18741 AND WINTRUSTVERSION < 6.1.7601.22000"
-        ${EndIf}
-      ${Else}
-        ; $WINTRUSTVERSION >= "6.1.7601.22000"
-        MessageBox MB_OK "Hotfix KB 3033929 must be installed on Windows 7 or 2008R2."
-        Quit
-      ${EndIf}
-    ${Else}
-      ; MessageBox MB_OK "WINTRUSTVERSION >= 6.1.7601.22948"
-    ${EndIf}
-  ${EndIf}
-
   ${If} ${RunningX64}
     StrCpy $INSTDIR "$PROGRAMFILES64\USBPcap"
   ${Else}

diff --git a/nsis/build_installer.bat b/nsis/build_installer.bat
@@ -27,7 +27,7 @@ if not defined nsis_compiler (
 if defined nsis_compiler (
     "%nsis_compiler%\makensis.exe" %~dp0USBPcap.nsi
     %_USBPCAP_SIGNTOOL% %_USBPCAP_SIGN_OPTS_SHA1% USBPcapSetup-%_USBPCAP_VERSION%.exe
-    %_USBPCAP_SIGNTOOL% %_USBPCAP_SIGN_OPTS_SHA256% USBPcapSetup-%_USBPCAP_VERSION%.exe
+    ::%_USBPCAP_SIGNTOOL% %_USBPCAP_SIGN_OPTS_SHA256% USBPcapSetup-%_USBPCAP_VERSION%.exe
     pause
 ) else (
     echo "Error, build system cannot find NSIS! Please reinstall it, add makensis.exe to your PATH, or defined the NSIS_HOME environment variable."