VeraCrypt
author Mounir IDRASSI <mounir.idrassi@idrix.fr> 2016-01-01 02:09:44 +0100
committer Mounir IDRASSI <mounir.idrassi@idrix.fr> 2016-01-03 00:15:02 +0100
commit 6cb1eefc49dbac29fb5a5bd2bf42569b6882d9c7
tree 14cc0ee5ab6dfd44bd75076bcbc3844b6c538771
parent 4181283f2968ccd3efe2fa3b9e49f5b70d174926
Windows: sign binaries using both SHA-1 and SHA-256 for maximum compatibility. Add requirement for Windows SDK 8.1, which contains the signtool.exe version that enables this.
-rw-r--r-- README.md 526
-rw-r--r-- src/Readme.txt 3
-rw-r--r-- src/Signing/sign.bat 24
-rw-r--r-- src/Signing/sign_test.bat 21
4 files changed, 289 insertions, 285 deletions
diff --git a/README.md b/README.md
index 1cdcc00d..8aad8a97 100644
--- a/README.md
+++ b/README.md
@@ -1,262 +1,264 @@
-This archive contains the source code of VeraCrypt.
-It is based on original TrueCrypt 7.1a with security enhancements and modifications.
-
-
-Important
-=========
-
-You may use the source code contained in this archive only if you accept and
-agree to the license terms contained in the file 'License.txt', which is
-included in this archive.
-
-Note that the license specifies, for example, that a derived work must not be
-called 'TrueCrypt' or 'VeraCrypt'
-
-
-
-Contents
-========
-
-I. Windows
- Requirements for Building VeraCrypt for Windows
- Instructions for Building VeraCrypt for Windows
- Instructions for Signing and Packaging VeraCrypt for Windows
-
-II. Linux and Mac OS X
- Requirements for Building VeraCrypt for Linux and Mac OS X
- Instructions for Building VeraCrypt for Linux and Mac OS X
- Mac OS X specifics
-
-III. FreeBSD and OpenSolaris
-
-IV. Third-Party Developers (Contributors)
-
-V. Legal Information
-
-VI. Further Information
-
-
-
-I. Windows
-==========
-
-Requirements for Building VeraCrypt for Windows:
-------------------------------------------------
-
-- Microsoft Visual C++ 2008 SP1 (Professional Edition or compatible)
-- Microsoft Visual C++ 1.52 (available from MSDN Subscriber Downloads)
-- Microsoft Windows SDK for Windows 7 (configured for Visual C++)
-- Microsoft Windows Driver Kit 7.1.0 (build 7600.16385.1)
-- RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki) 2.20
- header files (available at ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20)
-- NASM assembler 2.08 or compatible
-- gzip compressor
-- upx packer (available at http://upx.sourceforge.net/)
-
-IMPORTANT:
-
-The 64-bit editions of Windows Vista and later versions of Windows, and in
-some cases (e.g. playback of HD DVD content) also the 32-bit editions, do not
-allow the VeraCrypt driver to run without an appropriate digital signature.
-Therefore, all .sys files in official VeraCrypt binary packages are digitally
-signed with the digital certificate of the IDRIX, which was
-issued by Thawte certification authority. At the end of each official .exe and
-.sys file, there are embedded digital signatures and all related certificates
-(i.e. all certificates in the relevant certification chain, such as the
-certification authority certificates, CA-MS cross-certificate, and the
-IDRIX certificate).
-Keep this in mind if you compile VeraCrypt
-and compare your binaries with the official binaries. If your binaries are
-unsigned, the sizes of the official binaries will usually be approximately
-10 KB greater than sizes of your binaries (there may be further differences
-if you use a different version of the compiler, or if you install a different
-or no service pack for Visual Studio, or different hotfixes for it, or if you
-use different versions of the required SDKs).
-
-
-Instructions for Building VeraCrypt for Windows:
-------------------------------------------------
-
-1) Create an environment variable 'MSVC16_ROOT' pointing to the folder 'MSVC15'
- extracted from the Visual C++ 1.52 self-extracting package.
-
- Note: The 16-bit installer MSVC15\SETUP.EXE cannot be run on 64-bit Windows,
- but it is actually not necessary to run it. You only need to extract the
- folder 'MSVC15', which contains the 32-bit binaries required to build the
- VeraCrypt Boot Loader.
-
-2) If you have installed the Windows Driver Development Kit in another
- directory than '%SYSTEMDRIVE%\WinDDK', create an environment variable
- 'WINDDK_ROOT' pointing to the DDK installation directory.
-
-3) Copy the PKCS #11 header files to a standard include path or create an
- environment variable 'PKCS11_INC' pointing to the directory where
- the PKCS #11 header files are installed.
-
-4) Open the solution file 'VeraCrypt.sln' in Microsoft Visual Studio 2008.
-
-5) Select 'All' as the active solution configuration.
-
-6) Build the solution.
-
-7) If successful, there should be newly built VeraCrypt binaries in the
- 'Release' folder.
-
-Instructions for Signing and Packaging VeraCrypt for Windows:
--------------------------------------------------------------
-
-The folder "Signing" contains a batch file (sign.bat) that will sign all
-VeraCrypt components using a code signing certificate present on the
-certificate store and also build the final installation setup.
-The batch file suppose that the code signing certificate is issued by Thawt.
-This is the case for IDRIX's certificate. If yours is issued by another CA,
-then you should put the Root and Intermediate certificates in the "Signing"
-folder and then modify sign.bat accordingly.
-
-
-II. Linux and Mac OS X
-======================
-
-Requirements for Building VeraCrypt for Linux and Mac OS X:
------------------------------------------------------------
-
-- GNU Make
-- GNU C++ Compiler 4.0 or compatible
-- Apple Xcode (Mac OS X only)
-- NASM assembler 2.08 or compatible (x86/x64 architecture only)
-- pkg-config
-- makeself (Linux only)
-- wxWidgets 3.0 shared library and header files installed or
- wxWidgets 3.0 library source code (available at http://www.wxwidgets.org)
-- FUSE library and header files (available at http://fuse.sourceforge.net
- and https://osxfuse.github.io/)
-- RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki) 2.20
- header files (available at ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20).
- They are already included in the source tree under the directory PKCS11 but
- it is possible to override it using the environment variable 'PKCS11_INC'.
-
-
-Instructions for Building VeraCrypt for Linux and Mac OS X:
------------------------------------------------------------
-
-1) Change the current directory to the root of the VeraCrypt source code.
-
-2) If you have no wxWidgets shared library installed, run the following
- command to configure the wxWidgets static library for VeraCrypt and to
- build it:
-
- $ make WXSTATIC=1 WX_ROOT=/usr/src/wxWidgets wxbuild
-
- The variable WX_ROOT must point to the location of the source code of the
- wxWidgets library. Output files will be placed in the './wxrelease/'
- directory.
-
-3) To build VeraCrypt, run the following command:
-
- $ make
-
- or if you have no wxWidgets shared library installed:
-
- $ make WXSTATIC=1
-
-4) If successful, the VeraCrypt executable should be located in the directory
- 'Main'.
-
-By default, a universal executable supporting both graphical and text user
-interface (through the switch --text) is built.
-On Linux, a console-only executable, which requires no GUI library, can be
-built using the 'NOGUI' parameter:
-
- $ make NOGUI=1 WXSTATIC=1 WX_ROOT=/usr/src/wxWidgets wxbuild
- $ make NOGUI=1 WXSTATIC=1
-
-On MacOSX, building a console-only executable is not supported.
-
-Mac OS X specifics:
------------------------------------------------------------
-
-Under MacOSX, the SDK for OSX 10.7 is used by default. To use another version
-of the SDK (i.e. 10.6), you can export the environment variable VC_OSX_TARGET:
-
- $ export VC_OSX_TARGET=10.6
-
-
-Before building under MacOSX, pkg-config must be installed if not yet available.
-Get it from http://pkgconfig.freedesktop.org/releases/pkg-config-0.28.tar.gz and
-compile using the following commands :
-
- $ ./configure --with-internal-glib
- $ make
- $ sudo make install
-
-After making sure pkg-config is available, download and install OSXFuse from
-https://osxfuse.github.io/ (MacFUSE compatibility layer must selected)
-
-The script build_veracrypt_macosx.sh available under "src/Build" performs the
-full build of VeraCrypt including the creation of the installer pkg. It expects
-to find the wxWidgets 3.0.2 sources at the same level as where you put
-VeraCrypt sources (i.e. if "src" path is "/Users/joe/Projects/VeraCrypt/src"
-then wxWidgets should be at "/Users/joe/Projects/wxWidgets-wxWidgets-3.0.2")
-
-The build process uses Code Signing certificates whose ID is specified in
-src/Main/Main.make (lines 167 & 169). You'll have to modify these lines to put
-the ID of your Code Signing certificates or comment them if you don't have one.
-
-Because of incompatibility issues with OSXFUSE, the SDK 10.9 generates a
-VeraCrypt binary that has issues communicating with the OSXFUSE kernel extension.
-Thus, we recommend to use the SDK 10.8 or earlier for building VeraCrypt.
-
-
-
-III. FreeBSD and OpenSolaris
-============================
-
-FreeBSD and OpenSolaris are not yet supported.
-
-
-
-IV. Third-Party Developers (Contributors)
-=========================================
-
-If you intend to implement a feature, please contact us first to make sure:
-
-1) That the feature has not been implemented (we may have already implemented
- it, but haven't released the code yet).
-2) That the feature is acceptable.
-3) Whether we need help of third-party developers with implementing the feature.
-
-Information on how to contact us can be found at:
-https://veracrypt.codeplex.com/
-
-
-
-V. Legal Information
-====================
-
-Copyright Information
----------------------
-
-This software as a whole:
-Copyright (c) 2013-2015 IDRIX. All rights reserved.
-
-Portions of this software:
-Copyright (c) 2003-2012 TrueCrypt Developers Association. All rights reserved.
-Copyright (c) 1998-2000 Paul Le Roux. All rights reserved.
-Copyright (c) 1998-2008 Brian Gladman, Worcester, UK. All rights reserved.
-Copyright (c) 2002-2004 Mark Adler. All rights reserved.
-For more information, please see the legal notices attached to parts of the
-source code.
-
-Trademark Information
----------------------
-
-Any trademarks contained in the source code, binaries, and/or in the
-documentation, are the sole property of their respective owners.
-
-
-
-VI. Further Information
-=======================
-
-http://www.veracrypt.fr
-
+This archive contains the source code of VeraCrypt.
+It is based on original TrueCrypt 7.1a with security enhancements and modifications.
+
+
+Important
+=========
+
+You may use the source code contained in this archive only if you accept and
+agree to the license terms contained in the file 'License.txt', which is
+included in this archive.
+
+Note that the license specifies, for example, that a derived work must not be
+called 'TrueCrypt' or 'VeraCrypt'
+
+
+
+Contents
+========
+
+I. Windows
+ Requirements for Building VeraCrypt for Windows
+ Instructions for Building VeraCrypt for Windows
+ Instructions for Signing and Packaging VeraCrypt for Windows
+
+II. Linux and Mac OS X
+ Requirements for Building VeraCrypt for Linux and Mac OS X
+ Instructions for Building VeraCrypt for Linux and Mac OS X
+ Mac OS X specifics
+
+III. FreeBSD and OpenSolaris
+
+IV. Third-Party Developers (Contributors)
+
+V. Legal Information
+
+VI. Further Information
+
+
+
+I. Windows
+==========
+
+Requirements for Building VeraCrypt for Windows:
+------------------------------------------------
+
+- Microsoft Visual C++ 2008 SP1 (Professional Edition or compatible)
+- Microsoft Visual C++ 1.52 (available from MSDN Subscriber Downloads)
+- Microsoft Windows SDK for Windows 7 (configured for Visual C++)
+- Microsoft Windows SDK for Windows 8.1 (needed for SHA-256 code signing)
+- Microsoft Windows Driver Kit 7.1.0 (build 7600.16385.1)
+- RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki) 2.20
+ header files (available at ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20)
+- NASM assembler 2.08 or compatible
+- gzip compressor
+- upx packer (available at http://upx.sourceforge.net/)
+
+IMPORTANT:
+
+The 64-bit editions of Windows Vista and later versions of Windows, and in
+some cases (e.g. playback of HD DVD content) also the 32-bit editions, do not
+allow the VeraCrypt driver to run without an appropriate digital signature.
+Therefore, all .sys files in official VeraCrypt binary packages are digitally
+signed with the digital certificate of the IDRIX, which was
+issued by Thawte certification authority. At the end of each official .exe and
+.sys file, there are embedded digital signatures and all related certificates
+(i.e. all certificates in the relevant certification chain, such as the
+certification authority certificates, CA-MS cross-certificate, and the
+IDRIX certificate).
+Keep this in mind if you compile VeraCrypt
+and compare your binaries with the official binaries. If your binaries are
+unsigned, the sizes of the official binaries will usually be approximately
+10 KB greater than sizes of your binaries (there may be further differences
+if you use a different version of the compiler, or if you install a different
+or no service pack for Visual Studio, or different hotfixes for it, or if you
+use different versions of the required SDKs).
+
+
+Instructions for Building VeraCrypt for Windows:
+------------------------------------------------
+
+1) Create an environment variable 'MSVC16_ROOT' pointing to the folder 'MSVC15'
+ extracted from the Visual C++ 1.52 self-extracting package.
+
+ Note: The 16-bit installer MSVC15\SETUP.EXE cannot be run on 64-bit Windows,
+ but it is actually not necessary to run it. You only need to extract the
+ folder 'MSVC15', which contains the 32-bit binaries required to build the
+ VeraCrypt Boot Loader.
+
+2) If you have installed the Windows Driver Development Kit in another
+ directory than '%SYSTEMDRIVE%\WinDDK', create an environment variable
+ 'WINDDK_ROOT' pointing to the DDK installation directory.
+
+3) Copy the PKCS #11 header files to a standard include path or create an
+ environment variable 'PKCS11_INC' pointing to the directory where
+ the PKCS #11 header files are installed.
+
+4) Open the solution file 'VeraCrypt.sln' in Microsoft Visual Studio 2008.
+
+5) Select 'All' as the active solution configuration.
+
+6) Build the solution.
+
+7) If successful, there should be newly built VeraCrypt binaries in the
+ 'Release' folder.
+
+Instructions for Signing and Packaging VeraCrypt for Windows:
+-------------------------------------------------------------
+
+First, create an environment variable 'WSDK81' pointing to the Windows SDK
+for Windows 8.1 installation directory.
+The folder "Signing" contains a batch file (sign.bat) that will sign all
+VeraCrypt components using a code signing certificate present on the
+certificate store and also build the final installation setup.
+The batch file suppose that the code signing certificate is issued by Thawt.
+This is the case for IDRIX's certificate. If yours is issued by another CA,
+then you should put the Root and Intermediate certificates in the "Signing"
+folder and then modify sign.bat accordingly.
+
+
+II. Linux and Mac OS X
+======================
+
+Requirements for Building VeraCrypt for Linux and Mac OS X:
+-----------------------------------------------------------
+
+- GNU Make
+- GNU C++ Compiler 4.0 or compatible
+- Apple Xcode (Mac OS X only)
+- NASM assembler 2.08 or compatible (x86/x64 architecture only)
+- pkg-config
+- makeself (Linux only)
+- wxWidgets 3.0 shared library and header files installed or
+ wxWidgets 3.0 library source code (available at http://www.wxwidgets.org)
+- FUSE library and header files (available at http://fuse.sourceforge.net
+ and https://osxfuse.github.io/)
+- RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki) 2.20
+ header files (available at ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20).
+ They are already included in the source tree under the directory PKCS11 but
+ it is possible to override it using the environment variable 'PKCS11_INC'.
+
+
+Instructions for Building VeraCrypt for Linux and Mac OS X:
+-----------------------------------------------------------
+
+1) Change the current directory to the root of the VeraCrypt source code.
+
+2) If you have no wxWidgets shared library installed, run the following
+ command to configure the wxWidgets static library for VeraCrypt and to
+ build it:
+
+ $ make WXSTATIC=1 WX_ROOT=/usr/src/wxWidgets wxbuild
+
+ The variable WX_ROOT must point to the location of the source code of the
+ wxWidgets library. Output files will be placed in the './wxrelease/'
+ directory.
+
+3) To build VeraCrypt, run the following command:
+
+ $ make
+
+ or if you have no wxWidgets shared library installed:
+
+ $ make WXSTATIC=1
+
+4) If successful, the VeraCrypt executable should be located in the directory
+ 'Main'.
+
+By default, a universal executable supporting both graphical and text user
+interface (through the switch --text) is built.
+On Linux, a console-only executable, which requires no GUI library, can be
+built using the 'NOGUI' parameter:
+
+ $ make NOGUI=1 WXSTATIC=1 WX_ROOT=/usr/src/wxWidgets wxbuild
+ $ make NOGUI=1 WXSTATIC=1
+
+On MacOSX, building a console-only executable is not supported.
+
+Mac OS X specifics:
+-----------------------------------------------------------
+
+Under MacOSX, the SDK for OSX 10.7 is used by default. To use another version
+of the SDK (i.e. 10.6), you can export the environment variable VC_OSX_TARGET:
+
+ $ export VC_OSX_TARGET=10.6
+
+
+Before building under MacOSX, pkg-config must be installed if not yet available.
+Get it from http://pkgconfig.freedesktop.org/releases/pkg-config-0.28.tar.gz and
+compile using the following commands :
+
+ $ ./configure --with-internal-glib
+ $ make
+ $ sudo make install
+
+After making sure pkg-config is available, download and install OSXFuse from
+https://osxfuse.github.io/ (MacFUSE compatibility layer must selected)
+
+The script build_veracrypt_macosx.sh available under "src/Build" performs the
+full build of VeraCrypt including the creation of the installer pkg. It expects
+to find the wxWidgets 3.0.2 sources at the same level as where you put
+VeraCrypt sources (i.e. if "src" path is "/Users/joe/Projects/VeraCrypt/src"
+then wxWidgets should be at "/Users/joe/Projects/wxWidgets-wxWidgets-3.0.2")
+
+The build process uses Code Signing certificates whose ID is specified in
+src/Main/Main.make (lines 167 & 169). You'll have to modify these lines to put
+the ID of your Code Signing certificates or comment them if you don't have one.
+
+Because of incompatibility issues with OSXFUSE, the SDK 10.9 generates a
+VeraCrypt binary that has issues communicating with the OSXFUSE kernel extension.
+Thus, we recommend to use the SDK 10.8 or earlier for building VeraCrypt.
+
+
+
+III. FreeBSD and OpenSolaris
+============================
+
+FreeBSD and OpenSolaris are not yet supported.
+
+
+
+IV. Third-Party Developers (Contributors)
+=========================================
+
+If you intend to implement a feature, please contact us first to make sure:
+
+1) That the feature has not been implemented (we may have already implemented
+ it, but haven't released the code yet).
+2) That the feature is acceptable.
+3) Whether we need help of third-party developers with implementing the feature.
+
+Information on how to contact us can be found at:
+https://veracrypt.codeplex.com/
+
+
+
+V. Legal Information
+====================
+
+Copyright Information
+---------------------
+
+This software as a whole:
+Copyright (c) 2013-2015 IDRIX. All rights reserved.
+
+Portions of this software:
+Copyright (c) 2003-2012 TrueCrypt Developers Association. All rights reserved.
+Copyright (c) 1998-2000 Paul Le Roux. All rights reserved.
+Copyright (c) 1998-2008 Brian Gladman, Worcester, UK. All rights reserved.
+Copyright (c) 2002-2004 Mark Adler. All rights reserved.
+For more information, please see the legal notices attached to parts of the
+source code.
+
+Trademark Information
+---------------------
+
+Any trademarks contained in the source code, binaries, and/or in the
+documentation, are the sole property of their respective owners.
+
+
+
+VI. Further Information
+=======================
+
+http://www.veracrypt.fr
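Review bot: The README.md hunk replaces the whole file (`@@ -1,262 +1,264 @@`), yet the only content that differs between the removed and added sides is the new "Microsoft Windows SDK for Windows 8.1 (needed for SHA-256 code signing)" requirement and the two-line 'WSDK81' paragraph at the top of the signing instructions. Every other line reads the same on both sides, which suggests a line-ending or whitespace normalization riding along with the change. Please move that normalization into its own commit (or drop it) so the two real additions show up as a three-line diff, as they do for src/Readme.txt, and so blame history for the rest of the file is preserved.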
diff --git a/src/Readme.txt b/src/Readme.txt
index 3e33b570..7b1fe67e 100644
--- a/src/Readme.txt
+++ b/src/Readme.txt
@@ -46,6 +46,7 @@ Requirements for Building VeraCrypt for Windows:
- Microsoft Visual C++ 2008 SP1 (Professional Edition or compatible)
- Microsoft Visual C++ 1.52 (available from MSDN Subscriber Downloads)
- Microsoft Windows SDK for Windows 7 (configured for Visual C++)
+- Microsoft Windows SDK for Windows 8.1 (needed for SHA-256 code signing)
- Microsoft Windows Driver Kit 7.1.0 (build 7600.16385.1)
- RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki) 2.20
header files (available at ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20)
@@ -105,6 +106,8 @@ Instructions for Building VeraCrypt for Windows:
Instructions for Signing and Packaging VeraCrypt for Windows:
-------------------------------------------------------------
+First, create an environment variable 'WSDK81' pointing to the Windows SDK
+for Windows 8.1 installation directory.
The folder "Signing" contains a batch file (sign.bat) that will sign all
VeraCrypt components using a code signing certificate present on the
certificate store and also build the final installation setup.
diff --git a/src/Signing/sign.bat b/src/Signing/sign.bat
index 5e19cd10..8c1e3920 100644
--- a/src/Signing/sign.bat
+++ b/src/Signing/sign.bat
@@ -1,15 +1,12 @@
-PATH=%PATH%;%DDK%\bin\x86
+PATH=%PATH%;%WSDK81%\bin\x86
-signtool sign /v /a /n IDRIX /ac thawte_Primary_MS_Cross_Cert.cer /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\veracrypt.sys"
-signtool sign /v /a /n IDRIX /ac thawte_Primary_MS_Cross_Cert.cer /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\veracrypt-x64.sys"
+rem sign using SHA-1
+signtool sign /v /a /n IDRIX /ac thawte_Primary_MS_Cross_Cert.cer /fd sha1 /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\veracrypt.sys" "..\Release\Setup Files\veracrypt-x64.sys"
+signtool sign /v /a /n IDRIX /ac Thawt_CodeSigning_CA.crt /fd sha1 /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCrypt.exe" "..\Release\Setup Files\VeraCrypt Format.exe" "..\Release\Setup Files\VeraCryptExpander.exe" "..\Release\Setup Files\VeraCrypt-x64.exe" "..\Release\Setup Files\VeraCrypt Format-x64.exe" "..\Release\Setup Files\VeraCryptExpander-x64.exe"
-signtool sign /v /a /n IDRIX /ac Thawt_CodeSigning_CA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCrypt.exe"
-signtool sign /v /a /n IDRIX /ac Thawt_CodeSigning_CA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCrypt Format.exe"
-signtool sign /v /a /n IDRIX /ac Thawt_CodeSigning_CA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCryptExpander.exe"
-
-signtool sign /v /a /n IDRIX /ac Thawt_CodeSigning_CA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCrypt-x64.exe"
-signtool sign /v /a /n IDRIX /ac Thawt_CodeSigning_CA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCrypt Format-x64.exe"
-signtool sign /v /a /n IDRIX /ac Thawt_CodeSigning_CA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCryptExpander-x64.exe"
+rem sign using SHA-256
+signtool sign /v /a /n IDRIX /ac thawte_Primary_MS_Cross_Cert.cer /as /fd sha256 /tr http://timestamp.geotrust.com/tsa "..\Release\Setup Files\veracrypt.sys" "..\Release\Setup Files\veracrypt-x64.sys"
+signtool sign /v /a /n IDRIX /ac Thawt_CodeSigning_CA.crt /as /fd sha256 /tr http://timestamp.geotrust.com/tsa "..\Release\Setup Files\VeraCrypt.exe" "..\Release\Setup Files\VeraCrypt Format.exe" "..\Release\Setup Files\VeraCryptExpander.exe" "..\Release\Setup Files\VeraCrypt-x64.exe" "..\Release\Setup Files\VeraCrypt Format-x64.exe" "..\Release\Setup Files\VeraCryptExpander-x64.exe"
cd "..\Release\Setup Files\"
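Review bot: Both SHA-256 commands in this hunk pass `/as /fd sha256 /tr http://timestamp.geotrust.com/tsa` without `/td sha256`, so the file digest is SHA-256 while the RFC 3161 timestamp digest is left at signtool's default, which is SHA-1 unless `/td` is given. Add `/td sha256` next to `/fd sha256` on both lines so the appended signature does not depend on SHA-1 for its timestamp. The same applies to the other `/tr` lines in sign.bat and sign_test.bat.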
@@ -21,6 +18,9 @@ del *.xml
cd "..\..\Signing"
-signtool sign /v /a /n IDRIX /ac Thawt_CodeSigning_CA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCrypt Setup 1.16.exe"
+rem sign using SHA-1
+signtool sign /v /a /n IDRIX /ac Thawt_CodeSigning_CA.crt /fd sha1 /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCrypt Setup 1.16.exe"
+rem sign using SHA-256
+signtool sign /v /a /n IDRIX /ac Thawt_CodeSigning_CA.crt /as /fd sha256 /tr http://timestamp.geotrust.com/tsa "..\Release\Setup Files\VeraCrypt Setup 1.16.exe"
-pause \ No newline at end of file
+pause
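Review bot: Nothing checks signtool's exit code between the `/fd sha1` pass and the `/as /fd sha256` pass on "VeraCrypt Setup 1.16.exe", and the script simply runs on to `pause`. If either pass fails (timestamp server unreachable, certificate not found in the store), the installer can end up with only one of the two signatures and the dual-signing goal of this commit is missed without any visible failure. Add an `if errorlevel 1` exit after each signtool call, and consider finishing with `signtool verify /pa /all` on the signed files so a missing signature stops the release.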
diff --git a/src/Signing/sign_test.bat b/src/Signing/sign_test.bat
index d81aac99..c36f0536 100644
--- a/src/Signing/sign_test.bat
+++ b/src/Signing/sign_test.bat
@@ -1,18 +1,13 @@
-PATH=%PATH%;%DDK%\bin\x86
+PATH=%PATH%;%WSDK81%\bin\x86
set PFXNAME=TestCertificate\idrix_codeSign.pfx
set PFXPASSWORD=idrix
-signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\veracrypt.sys"
-signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\veracrypt-x64.sys"
+rem sign using SHA-1
+signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /fd sha1 /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\veracrypt.sys" "..\Release\Setup Files\veracrypt-x64.sys" "..\Release\Setup Files\VeraCrypt.exe" "..\Release\Setup Files\VeraCrypt Format.exe" "..\Release\Setup Files\VeraCryptExpander.exe" "..\Release\Setup Files\VeraCrypt-x64.exe" "..\Release\Setup Files\VeraCrypt Format-x64.exe" "..\Release\Setup Files\VeraCryptExpander-x64.exe"
-signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCrypt.exe"
-signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCrypt Format.exe"
-signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCryptExpander.exe"
-
-signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCryptx-x64.exe"
-signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCrypt Format-x64.exe"
-signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCryptExpander-x64.exe"
+rem sign using SHA-256
+signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /as /fd sha256 /tr http://timestamp.geotrust.com/tsa "..\Release\Setup Files\veracrypt.sys" "..\Release\Setup Files\veracrypt-x64.sys" "..\Release\Setup Files\VeraCrypt.exe" "..\Release\Setup Files\VeraCrypt Format.exe" "..\Release\Setup Files\VeraCryptExpander.exe" "..\Release\Setup Files\VeraCrypt-x64.exe" "..\Release\Setup Files\VeraCrypt Format-x64.exe" "..\Release\Setup Files\VeraCryptExpander-x64.exe"
cd "..\Release\Setup Files\"
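Review bot: `PATH=%PATH%;%WSDK81%\bin\x86` appends the SDK 8.1 directory after the existing PATH, so any signtool.exe already reachable on PATH (for example the DDK copy that the removed `%DDK%\bin\x86` line pointed at) is found first, and an unset WSDK81 silently degrades to `\bin\x86`. Since the commit depends on the newer signtool for the `/as`, `/fd` and `/tr` options, prepend the directory or invoke `"%WSDK81%\bin\x86\signtool.exe"` by full path, and stop early with a message when WSDK81 is not defined. The identical PATH line in sign.bat needs the same treatment.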
@@ -24,6 +19,10 @@ del *.xml
cd "..\..\Signing"
-signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCrypt Setup 1.16.exe"
+rem sign using SHA-1
+signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /fd sha1 /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCrypt Setup 1.16.exe"
+
+rem sign using SHA-256
+signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /as /fd sha256 /tr http://timestamp.geotrust.com/tsa "..\Release\Setup Files\VeraCrypt Setup 1.16.exe"
pause \ No newline at end of file
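Review bot: The installer name "VeraCrypt Setup 1.16.exe" is now hard-coded on two signtool lines in this hunk and on two more in sign.bat, so every version bump has four places to edit, and a missed one leaves a signing pass pointing at a file that does not exist. Define it once next to `PFXNAME`, for example `set SETUPNAME=VeraCrypt Setup 1.16.exe`, and reference it in both passes. Minor: sign.bat now ends with a newline after `pause` while this file still does not, and only this file has a blank line between the SHA-1 and SHA-256 blocks; keeping the two scripts aligned makes later diffs between them easier to read.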