Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: automatically install test-certificate and validate they are installed on LocalMachine for signtool-verify tasks #232

Open
wants to merge 12 commits into
base: main
Choose a base branch
from
Open

feat: automatically install test-certificate and validate they are installed on LocalMachine for signtool-verify tasks #232

wants to merge 12 commits into from

Conversation

wmmc88
Copy link
Collaborator

@wmmc88 wmmc88 commented Oct 7, 2024
edited
Loading

Users often make the mistake of installing the test-signed certificate to Current User store instead of Local Machine. The signtool-verify cargo-make tasks were originally added to help diagnose these issues.

Using /kp with signtool to validate kernel signing policy is not possible since the test-cert will terminate at a root that isn't trusted by windows: https://learn.microsoft.com/en-us/windows-hardware/drivers/install/test-signing . Using /pa is not sufficient since it will pass even when the certificate is only installed in Current User. Additional checks were added to make sure that on top of /pa passing, the certificate is also installed in the Local Machine stores

Certificate Management Enhancements:

  • Added new tasks for installing and validating certificates in the rust-driver-makefile.toml file. This includes the install-certificate and validate-certificate-installed tasks, which ensure that the WDRLocalTestCert certificate is correctly installed and validated per Windows requirements. (crates/wdk-build/rust-driver-makefile.toml) [1] [2]
  • Implemented functions in cargo_make.rs for handling certificate installation, validation, and checking if the process is running with admin privileges. (crates/wdk-build/src/cargo_make.rs)
  • Updated README.md to include instructions for installing and validating certificates. (README.md)

Workflow and Utility Enhancements:

  • Updated the GitHub Actions workflow to enable WDK_BUILD_ENABLE_SIGNTOOL_VERIFY for signature verification. (.github/workflows/build.yaml)
  • Added utility functions in utils.rs for checking admin privileges using Windows APIs. (crates/wdk-build/src/utils.rs)

closes microsoft/Windows-rust-driver-samples#30

@wmmc88 wmmc88 self-assigned this Oct 7, 2024
@wmmc88 wmmc88 mentioned this pull request Oct 7, 2024
Open
wmmc88
wmmc88 commented Oct 9, 2024
View reviewed changes
crates/wdk-build/src/utils.rs Outdated Show resolved Hide resolved
@wmmc88
Update crates/wdk-build/src/utils.rs
74662de 
Signed-off-by: Melvin Wang <melvin.mc.wang@gmail.com>
@wmmc88 wmmc88 changed the title feat: use stricter verification policy for signtool-verify task to align with Windows requirements feat: automatically install test-certificate and validate they are installed on LocalMachine for signtool-verify tasks Oct 9, 2024
@wmmc88 wmmc88 marked this pull request as ready for review October 11, 2024 15:32
wmmc88
wmmc88 commented Oct 12, 2024
View reviewed changes
crates/wdk-build/src/cargo_make.rs
pub fn install_certificate_condition_script() -> anyhow::Result<()> {
condition_script(|| {
if is_wdrlocaltestcert_installed()? {
let cargo_make_task_name = env::var(CARGO_MAKE_CURRENT_TASK_NAME_ENV_VAR)
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cargo make needs uprev to min 0.37.22 to get bugfix

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@wmmc88 wmmc88

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Driver does not attach to device and does not log anything
1 participant
@wmmc88