diff options
author | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2016-01-01 02:09:44 +0100 |
---|---|---|
committer | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2016-01-03 00:15:02 +0100 |
commit | 6cb1eefc49dbac29fb5a5bd2bf42569b6882d9c7 (patch) | |
tree | 14cc0ee5ab6dfd44bd75076bcbc3844b6c538771 | |
parent | 4181283f2968ccd3efe2fa3b9e49f5b70d174926 (diff) | |
download | VeraCrypt-6cb1eefc49dbac29fb5a5bd2bf42569b6882d9c7.tar.gz VeraCrypt-6cb1eefc49dbac29fb5a5bd2bf42569b6882d9c7.zip |
Windows: sign binaries using both SHA-1 and SHA-256 for maximum compatibility. Add requirement for Windows SDK 8.1 that contains signtool.exe version that enables this.
-rw-r--r-- | README.md | 526 | ||||
-rw-r--r-- | src/Readme.txt | 3 | ||||
-rw-r--r-- | src/Signing/sign.bat | 24 | ||||
-rw-r--r-- | src/Signing/sign_test.bat | 21 |
4 files changed, 289 insertions, 285 deletions
@@ -1,262 +1,264 @@ -This archive contains the source code of VeraCrypt. -It is based on original TrueCrypt 7.1a with security enhancements and modifications. - - -Important -========= - -You may use the source code contained in this archive only if you accept and -agree to the license terms contained in the file 'License.txt', which is -included in this archive. - -Note that the license specifies, for example, that a derived work must not be -called 'TrueCrypt' or 'VeraCrypt' - - - -Contents -======== - -I. Windows - Requirements for Building VeraCrypt for Windows - Instructions for Building VeraCrypt for Windows - Instructions for Signing and Packaging VeraCrypt for Windows - -II. Linux and Mac OS X - Requirements for Building VeraCrypt for Linux and Mac OS X - Instructions for Building VeraCrypt for Linux and Mac OS X - Mac OS X specifics - -III. FreeBSD and OpenSolaris - -IV. Third-Party Developers (Contributors) - -V. Legal Information - -VI. Further Information - - - -I. Windows -========== - -Requirements for Building VeraCrypt for Windows: ------------------------------------------------- - -- Microsoft Visual C++ 2008 SP1 (Professional Edition or compatible) -- Microsoft Visual C++ 1.52 (available from MSDN Subscriber Downloads) -- Microsoft Windows SDK for Windows 7 (configured for Visual C++) -- Microsoft Windows Driver Kit 7.1.0 (build 7600.16385.1) -- RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki) 2.20 - header files (available at ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20) -- NASM assembler 2.08 or compatible -- gzip compressor -- upx packer (available at http://upx.sourceforge.net/) - -IMPORTANT: - -The 64-bit editions of Windows Vista and later versions of Windows, and in -some cases (e.g. playback of HD DVD content) also the 32-bit editions, do not -allow the VeraCrypt driver to run without an appropriate digital signature. -Therefore, all .sys files in official VeraCrypt binary packages are digitally -signed with the digital certificate of the IDRIX, which was -issued by Thawte certification authority. At the end of each official .exe and -.sys file, there are embedded digital signatures and all related certificates -(i.e. all certificates in the relevant certification chain, such as the -certification authority certificates, CA-MS cross-certificate, and the -IDRIX certificate). -Keep this in mind if you compile VeraCrypt -and compare your binaries with the official binaries. If your binaries are -unsigned, the sizes of the official binaries will usually be approximately -10 KB greater than sizes of your binaries (there may be further differences -if you use a different version of the compiler, or if you install a different -or no service pack for Visual Studio, or different hotfixes for it, or if you -use different versions of the required SDKs). - - -Instructions for Building VeraCrypt for Windows: ------------------------------------------------- - -1) Create an environment variable 'MSVC16_ROOT' pointing to the folder 'MSVC15' - extracted from the Visual C++ 1.52 self-extracting package. - - Note: The 16-bit installer MSVC15\SETUP.EXE cannot be run on 64-bit Windows, - but it is actually not necessary to run it. You only need to extract the - folder 'MSVC15', which contains the 32-bit binaries required to build the - VeraCrypt Boot Loader. - -2) If you have installed the Windows Driver Development Kit in another - directory than '%SYSTEMDRIVE%\WinDDK', create an environment variable - 'WINDDK_ROOT' pointing to the DDK installation directory. - -3) Copy the PKCS #11 header files to a standard include path or create an - environment variable 'PKCS11_INC' pointing to the directory where - the PKCS #11 header files are installed. - -4) Open the solution file 'VeraCrypt.sln' in Microsoft Visual Studio 2008. - -5) Select 'All' as the active solution configuration. - -6) Build the solution. - -7) If successful, there should be newly built VeraCrypt binaries in the - 'Release' folder. - -Instructions for Signing and Packaging VeraCrypt for Windows: -------------------------------------------------------------- - -The folder "Signing" contains a batch file (sign.bat) that will sign all -VeraCrypt components using a code signing certificate present on the -certificate store and also build the final installation setup. -The batch file suppose that the code signing certificate is issued by Thawt. -This is the case for IDRIX's certificate. If yours is issued by another CA, -then you should put the Root and Intermediate certificates in the "Signing" -folder and then modify sign.bat accordingly. - - -II. Linux and Mac OS X -====================== - -Requirements for Building VeraCrypt for Linux and Mac OS X: ------------------------------------------------------------ - -- GNU Make -- GNU C++ Compiler 4.0 or compatible -- Apple Xcode (Mac OS X only) -- NASM assembler 2.08 or compatible (x86/x64 architecture only) -- pkg-config -- makeself (Linux only) -- wxWidgets 3.0 shared library and header files installed or - wxWidgets 3.0 library source code (available at http://www.wxwidgets.org) -- FUSE library and header files (available at http://fuse.sourceforge.net - and https://osxfuse.github.io/) -- RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki) 2.20 - header files (available at ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20). - They are already included in the source tree under the directory PKCS11 but - it is possible to override it using the environment variable 'PKCS11_INC'. - - -Instructions for Building VeraCrypt for Linux and Mac OS X: ------------------------------------------------------------ - -1) Change the current directory to the root of the VeraCrypt source code. - -2) If you have no wxWidgets shared library installed, run the following - command to configure the wxWidgets static library for VeraCrypt and to - build it: - - $ make WXSTATIC=1 WX_ROOT=/usr/src/wxWidgets wxbuild - - The variable WX_ROOT must point to the location of the source code of the - wxWidgets library. Output files will be placed in the './wxrelease/' - directory. - -3) To build VeraCrypt, run the following command: - - $ make - - or if you have no wxWidgets shared library installed: - - $ make WXSTATIC=1 - -4) If successful, the VeraCrypt executable should be located in the directory - 'Main'. - -By default, a universal executable supporting both graphical and text user -interface (through the switch --text) is built. -On Linux, a console-only executable, which requires no GUI library, can be -built using the 'NOGUI' parameter: - - $ make NOGUI=1 WXSTATIC=1 WX_ROOT=/usr/src/wxWidgets wxbuild - $ make NOGUI=1 WXSTATIC=1 - -On MacOSX, building a console-only executable is not supported. - -Mac OS X specifics: ------------------------------------------------------------ - -Under MacOSX, the SDK for OSX 10.7 is used by default. To use another version -of the SDK (i.e. 10.6), you can export the environment variable VC_OSX_TARGET: - - $ export VC_OSX_TARGET=10.6 - - -Before building under MacOSX, pkg-config must be installed if not yet available. -Get it from http://pkgconfig.freedesktop.org/releases/pkg-config-0.28.tar.gz and -compile using the following commands : - - $ ./configure --with-internal-glib - $ make - $ sudo make install - -After making sure pkg-config is available, download and install OSXFuse from -https://osxfuse.github.io/ (MacFUSE compatibility layer must selected) - -The script build_veracrypt_macosx.sh available under "src/Build" performs the -full build of VeraCrypt including the creation of the installer pkg. It expects -to find the wxWidgets 3.0.2 sources at the same level as where you put -VeraCrypt sources (i.e. if "src" path is "/Users/joe/Projects/VeraCrypt/src" -then wxWidgets should be at "/Users/joe/Projects/wxWidgets-wxWidgets-3.0.2") - -The build process uses Code Signing certificates whose ID is specified in -src/Main/Main.make (lines 167 & 169). You'll have to modify these lines to put -the ID of your Code Signing certificates or comment them if you don't have one. - -Because of incompatibility issues with OSXFUSE, the SDK 10.9 generates a -VeraCrypt binary that has issues communicating with the OSXFUSE kernel extension. -Thus, we recommend to use the SDK 10.8 or earlier for building VeraCrypt. - - - -III. FreeBSD and OpenSolaris -============================ - -FreeBSD and OpenSolaris are not yet supported. - - - -IV. Third-Party Developers (Contributors) -========================================= - -If you intend to implement a feature, please contact us first to make sure: - -1) That the feature has not been implemented (we may have already implemented - it, but haven't released the code yet). -2) That the feature is acceptable. -3) Whether we need help of third-party developers with implementing the feature. - -Information on how to contact us can be found at: -https://veracrypt.codeplex.com/ - - - -V. Legal Information -==================== - -Copyright Information ---------------------- - -This software as a whole: -Copyright (c) 2013-2015 IDRIX. All rights reserved. - -Portions of this software: -Copyright (c) 2003-2012 TrueCrypt Developers Association. All rights reserved. -Copyright (c) 1998-2000 Paul Le Roux. All rights reserved. -Copyright (c) 1998-2008 Brian Gladman, Worcester, UK. All rights reserved. -Copyright (c) 2002-2004 Mark Adler. All rights reserved. -For more information, please see the legal notices attached to parts of the -source code. - -Trademark Information ---------------------- - -Any trademarks contained in the source code, binaries, and/or in the -documentation, are the sole property of their respective owners. - - - -VI. Further Information -======================= - -http://www.veracrypt.fr - +This archive contains the source code of VeraCrypt.
+It is based on original TrueCrypt 7.1a with security enhancements and modifications.
+
+
+Important
+=========
+
+You may use the source code contained in this archive only if you accept and
+agree to the license terms contained in the file 'License.txt', which is
+included in this archive.
+
+Note that the license specifies, for example, that a derived work must not be
+called 'TrueCrypt' or 'VeraCrypt'
+
+
+
+Contents
+========
+
+I. Windows
+ Requirements for Building VeraCrypt for Windows
+ Instructions for Building VeraCrypt for Windows
+ Instructions for Signing and Packaging VeraCrypt for Windows
+
+II. Linux and Mac OS X
+ Requirements for Building VeraCrypt for Linux and Mac OS X
+ Instructions for Building VeraCrypt for Linux and Mac OS X
+ Mac OS X specifics
+
+III. FreeBSD and OpenSolaris
+
+IV. Third-Party Developers (Contributors)
+
+V. Legal Information
+
+VI. Further Information
+
+
+
+I. Windows
+==========
+
+Requirements for Building VeraCrypt for Windows:
+------------------------------------------------
+
+- Microsoft Visual C++ 2008 SP1 (Professional Edition or compatible)
+- Microsoft Visual C++ 1.52 (available from MSDN Subscriber Downloads)
+- Microsoft Windows SDK for Windows 7 (configured for Visual C++)
+- Microsoft Windows SDK for Windows 8.1 (needed for SHA-256 code signing)
+- Microsoft Windows Driver Kit 7.1.0 (build 7600.16385.1)
+- RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki) 2.20
+ header files (available at ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20)
+- NASM assembler 2.08 or compatible
+- gzip compressor
+- upx packer (available at http://upx.sourceforge.net/)
+
+IMPORTANT:
+
+The 64-bit editions of Windows Vista and later versions of Windows, and in
+some cases (e.g. playback of HD DVD content) also the 32-bit editions, do not
+allow the VeraCrypt driver to run without an appropriate digital signature.
+Therefore, all .sys files in official VeraCrypt binary packages are digitally
+signed with the digital certificate of the IDRIX, which was
+issued by Thawte certification authority. At the end of each official .exe and
+.sys file, there are embedded digital signatures and all related certificates
+(i.e. all certificates in the relevant certification chain, such as the
+certification authority certificates, CA-MS cross-certificate, and the
+IDRIX certificate).
+Keep this in mind if you compile VeraCrypt
+and compare your binaries with the official binaries. If your binaries are
+unsigned, the sizes of the official binaries will usually be approximately
+10 KB greater than sizes of your binaries (there may be further differences
+if you use a different version of the compiler, or if you install a different
+or no service pack for Visual Studio, or different hotfixes for it, or if you
+use different versions of the required SDKs).
+
+
+Instructions for Building VeraCrypt for Windows:
+------------------------------------------------
+
+1) Create an environment variable 'MSVC16_ROOT' pointing to the folder 'MSVC15'
+ extracted from the Visual C++ 1.52 self-extracting package.
+
+ Note: The 16-bit installer MSVC15\SETUP.EXE cannot be run on 64-bit Windows,
+ but it is actually not necessary to run it. You only need to extract the
+ folder 'MSVC15', which contains the 32-bit binaries required to build the
+ VeraCrypt Boot Loader.
+
+2) If you have installed the Windows Driver Development Kit in another
+ directory than '%SYSTEMDRIVE%\WinDDK', create an environment variable
+ 'WINDDK_ROOT' pointing to the DDK installation directory.
+
+3) Copy the PKCS #11 header files to a standard include path or create an
+ environment variable 'PKCS11_INC' pointing to the directory where
+ the PKCS #11 header files are installed.
+
+4) Open the solution file 'VeraCrypt.sln' in Microsoft Visual Studio 2008.
+
+5) Select 'All' as the active solution configuration.
+
+6) Build the solution.
+
+7) If successful, there should be newly built VeraCrypt binaries in the
+ 'Release' folder.
+
+Instructions for Signing and Packaging VeraCrypt for Windows:
+-------------------------------------------------------------
+
+First, create an environment variable 'WSDK81' pointing to the Windows SDK
+for Windows 8.1 installation directory.
+The folder "Signing" contains a batch file (sign.bat) that will sign all
+VeraCrypt components using a code signing certificate present on the
+certificate store and also build the final installation setup.
+The batch file suppose that the code signing certificate is issued by Thawt.
+This is the case for IDRIX's certificate. If yours is issued by another CA,
+then you should put the Root and Intermediate certificates in the "Signing"
+folder and then modify sign.bat accordingly.
+
+
+II. Linux and Mac OS X
+======================
+
+Requirements for Building VeraCrypt for Linux and Mac OS X:
+-----------------------------------------------------------
+
+- GNU Make
+- GNU C++ Compiler 4.0 or compatible
+- Apple Xcode (Mac OS X only)
+- NASM assembler 2.08 or compatible (x86/x64 architecture only)
+- pkg-config
+- makeself (Linux only)
+- wxWidgets 3.0 shared library and header files installed or
+ wxWidgets 3.0 library source code (available at http://www.wxwidgets.org)
+- FUSE library and header files (available at http://fuse.sourceforge.net
+ and https://osxfuse.github.io/)
+- RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki) 2.20
+ header files (available at ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20).
+ They are already included in the source tree under the directory PKCS11 but
+ it is possible to override it using the environment variable 'PKCS11_INC'.
+
+
+Instructions for Building VeraCrypt for Linux and Mac OS X:
+-----------------------------------------------------------
+
+1) Change the current directory to the root of the VeraCrypt source code.
+
+2) If you have no wxWidgets shared library installed, run the following
+ command to configure the wxWidgets static library for VeraCrypt and to
+ build it:
+
+ $ make WXSTATIC=1 WX_ROOT=/usr/src/wxWidgets wxbuild
+
+ The variable WX_ROOT must point to the location of the source code of the
+ wxWidgets library. Output files will be placed in the './wxrelease/'
+ directory.
+
+3) To build VeraCrypt, run the following command:
+
+ $ make
+
+ or if you have no wxWidgets shared library installed:
+
+ $ make WXSTATIC=1
+
+4) If successful, the VeraCrypt executable should be located in the directory
+ 'Main'.
+
+By default, a universal executable supporting both graphical and text user
+interface (through the switch --text) is built.
+On Linux, a console-only executable, which requires no GUI library, can be
+built using the 'NOGUI' parameter:
+
+ $ make NOGUI=1 WXSTATIC=1 WX_ROOT=/usr/src/wxWidgets wxbuild
+ $ make NOGUI=1 WXSTATIC=1
+
+On MacOSX, building a console-only executable is not supported.
+
+Mac OS X specifics:
+-----------------------------------------------------------
+
+Under MacOSX, the SDK for OSX 10.7 is used by default. To use another version
+of the SDK (i.e. 10.6), you can export the environment variable VC_OSX_TARGET:
+
+ $ export VC_OSX_TARGET=10.6
+
+
+Before building under MacOSX, pkg-config must be installed if not yet available.
+Get it from http://pkgconfig.freedesktop.org/releases/pkg-config-0.28.tar.gz and
+compile using the following commands :
+
+ $ ./configure --with-internal-glib
+ $ make
+ $ sudo make install
+
+After making sure pkg-config is available, download and install OSXFuse from
+https://osxfuse.github.io/ (MacFUSE compatibility layer must selected)
+
+The script build_veracrypt_macosx.sh available under "src/Build" performs the
+full build of VeraCrypt including the creation of the installer pkg. It expects
+to find the wxWidgets 3.0.2 sources at the same level as where you put
+VeraCrypt sources (i.e. if "src" path is "/Users/joe/Projects/VeraCrypt/src"
+then wxWidgets should be at "/Users/joe/Projects/wxWidgets-wxWidgets-3.0.2")
+
+The build process uses Code Signing certificates whose ID is specified in
+src/Main/Main.make (lines 167 & 169). You'll have to modify these lines to put
+the ID of your Code Signing certificates or comment them if you don't have one.
+
+Because of incompatibility issues with OSXFUSE, the SDK 10.9 generates a
+VeraCrypt binary that has issues communicating with the OSXFUSE kernel extension.
+Thus, we recommend to use the SDK 10.8 or earlier for building VeraCrypt.
+
+
+
+III. FreeBSD and OpenSolaris
+============================
+
+FreeBSD and OpenSolaris are not yet supported.
+
+
+
+IV. Third-Party Developers (Contributors)
+=========================================
+
+If you intend to implement a feature, please contact us first to make sure:
+
+1) That the feature has not been implemented (we may have already implemented
+ it, but haven't released the code yet).
+2) That the feature is acceptable.
+3) Whether we need help of third-party developers with implementing the feature.
+
+Information on how to contact us can be found at:
+https://veracrypt.codeplex.com/
+
+
+
+V. Legal Information
+====================
+
+Copyright Information
+---------------------
+
+This software as a whole:
+Copyright (c) 2013-2015 IDRIX. All rights reserved.
+
+Portions of this software:
+Copyright (c) 2003-2012 TrueCrypt Developers Association. All rights reserved.
+Copyright (c) 1998-2000 Paul Le Roux. All rights reserved.
+Copyright (c) 1998-2008 Brian Gladman, Worcester, UK. All rights reserved.
+Copyright (c) 2002-2004 Mark Adler. All rights reserved.
+For more information, please see the legal notices attached to parts of the
+source code.
+
+Trademark Information
+---------------------
+
+Any trademarks contained in the source code, binaries, and/or in the
+documentation, are the sole property of their respective owners.
+
+
+
+VI. Further Information
+=======================
+
+http://www.veracrypt.fr
diff --git a/src/Readme.txt b/src/Readme.txt index 3e33b570..7b1fe67e 100644 --- a/src/Readme.txt +++ b/src/Readme.txt @@ -46,6 +46,7 @@ Requirements for Building VeraCrypt for Windows: - Microsoft Visual C++ 2008 SP1 (Professional Edition or compatible)
- Microsoft Visual C++ 1.52 (available from MSDN Subscriber Downloads)
- Microsoft Windows SDK for Windows 7 (configured for Visual C++)
+- Microsoft Windows SDK for Windows 8.1 (needed for SHA-256 code signing)
- Microsoft Windows Driver Kit 7.1.0 (build 7600.16385.1)
- RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki) 2.20
header files (available at ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20)
@@ -105,6 +106,8 @@ Instructions for Building VeraCrypt for Windows: Instructions for Signing and Packaging VeraCrypt for Windows:
-------------------------------------------------------------
+First, create an environment variable 'WSDK81' pointing to the Windows SDK
+for Windows 8.1 installation directory.
The folder "Signing" contains a batch file (sign.bat) that will sign all
VeraCrypt components using a code signing certificate present on the
certificate store and also build the final installation setup.
diff --git a/src/Signing/sign.bat b/src/Signing/sign.bat index 5e19cd10..8c1e3920 100644 --- a/src/Signing/sign.bat +++ b/src/Signing/sign.bat @@ -1,15 +1,12 @@ -PATH=%PATH%;%DDK%\bin\x86
+PATH=%PATH%;%WSDK81%\bin\x86
-signtool sign /v /a /n IDRIX /ac thawte_Primary_MS_Cross_Cert.cer /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\veracrypt.sys"
-signtool sign /v /a /n IDRIX /ac thawte_Primary_MS_Cross_Cert.cer /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\veracrypt-x64.sys"
+rem sign using SHA-1
+signtool sign /v /a /n IDRIX /ac thawte_Primary_MS_Cross_Cert.cer /fd sha1 /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\veracrypt.sys" "..\Release\Setup Files\veracrypt-x64.sys"
+signtool sign /v /a /n IDRIX /ac Thawt_CodeSigning_CA.crt /fd sha1 /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCrypt.exe" "..\Release\Setup Files\VeraCrypt Format.exe" "..\Release\Setup Files\VeraCryptExpander.exe" "..\Release\Setup Files\VeraCrypt-x64.exe" "..\Release\Setup Files\VeraCrypt Format-x64.exe" "..\Release\Setup Files\VeraCryptExpander-x64.exe"
-signtool sign /v /a /n IDRIX /ac Thawt_CodeSigning_CA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCrypt.exe"
-signtool sign /v /a /n IDRIX /ac Thawt_CodeSigning_CA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCrypt Format.exe"
-signtool sign /v /a /n IDRIX /ac Thawt_CodeSigning_CA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCryptExpander.exe"
-
-signtool sign /v /a /n IDRIX /ac Thawt_CodeSigning_CA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCrypt-x64.exe"
-signtool sign /v /a /n IDRIX /ac Thawt_CodeSigning_CA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCrypt Format-x64.exe"
-signtool sign /v /a /n IDRIX /ac Thawt_CodeSigning_CA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCryptExpander-x64.exe"
+rem sign using SHA-256
+signtool sign /v /a /n IDRIX /ac thawte_Primary_MS_Cross_Cert.cer /as /fd sha256 /tr http://timestamp.geotrust.com/tsa "..\Release\Setup Files\veracrypt.sys" "..\Release\Setup Files\veracrypt-x64.sys"
+signtool sign /v /a /n IDRIX /ac Thawt_CodeSigning_CA.crt /as /fd sha256 /tr http://timestamp.geotrust.com/tsa "..\Release\Setup Files\VeraCrypt.exe" "..\Release\Setup Files\VeraCrypt Format.exe" "..\Release\Setup Files\VeraCryptExpander.exe" "..\Release\Setup Files\VeraCrypt-x64.exe" "..\Release\Setup Files\VeraCrypt Format-x64.exe" "..\Release\Setup Files\VeraCryptExpander-x64.exe"
cd "..\Release\Setup Files\"
@@ -21,6 +18,9 @@ del *.xml cd "..\..\Signing"
-signtool sign /v /a /n IDRIX /ac Thawt_CodeSigning_CA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCrypt Setup 1.16.exe"
+rem sign using SHA-1
+signtool sign /v /a /n IDRIX /ac Thawt_CodeSigning_CA.crt /fd sha1 /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCrypt Setup 1.16.exe"
+rem sign using SHA-256
+signtool sign /v /a /n IDRIX /ac Thawt_CodeSigning_CA.crt /as /fd sha256 /tr http://timestamp.geotrust.com/tsa "..\Release\Setup Files\VeraCrypt Setup 1.16.exe"
-pause
\ No newline at end of file +pause
diff --git a/src/Signing/sign_test.bat b/src/Signing/sign_test.bat index d81aac99..c36f0536 100644 --- a/src/Signing/sign_test.bat +++ b/src/Signing/sign_test.bat @@ -1,18 +1,13 @@ -PATH=%PATH%;%DDK%\bin\x86
+PATH=%PATH%;%WSDK81%\bin\x86
set PFXNAME=TestCertificate\idrix_codeSign.pfx
set PFXPASSWORD=idrix
-signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\veracrypt.sys"
-signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\veracrypt-x64.sys"
+rem sign using SHA-1
+signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /fd sha1 /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\veracrypt.sys" "..\Release\Setup Files\veracrypt-x64.sys" "..\Release\Setup Files\VeraCrypt.exe" "..\Release\Setup Files\VeraCrypt Format.exe" "..\Release\Setup Files\VeraCryptExpander.exe" "..\Release\Setup Files\VeraCrypt-x64.exe" "..\Release\Setup Files\VeraCrypt Format-x64.exe" "..\Release\Setup Files\VeraCryptExpander-x64.exe"
-signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCrypt.exe"
-signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCrypt Format.exe"
-signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCryptExpander.exe"
-
-signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCryptx-x64.exe"
-signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCrypt Format-x64.exe"
-signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCryptExpander-x64.exe"
+rem sign using SHA-256
+signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /as /fd sha256 /tr http://timestamp.geotrust.com/tsa "..\Release\Setup Files\veracrypt.sys" "..\Release\Setup Files\veracrypt-x64.sys" "..\Release\Setup Files\VeraCrypt.exe" "..\Release\Setup Files\VeraCrypt Format.exe" "..\Release\Setup Files\VeraCryptExpander.exe" "..\Release\Setup Files\VeraCrypt-x64.exe" "..\Release\Setup Files\VeraCrypt Format-x64.exe" "..\Release\Setup Files\VeraCryptExpander-x64.exe"
cd "..\Release\Setup Files\"
@@ -24,6 +19,10 @@ del *.xml cd "..\..\Signing"
-signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCrypt Setup 1.16.exe"
+rem sign using SHA-1
+signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /fd sha1 /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\VeraCrypt Setup 1.16.exe"
+
+rem sign using SHA-256
+signtool sign /v /a /f %PFXNAME% /p %PFXPASSWORD% /ac TestCertificate\idrix_TestRootCA.crt /as /fd sha256 /tr http://timestamp.geotrust.com/tsa "..\Release\Setup Files\VeraCrypt Setup 1.16.exe"
pause
\ No newline at end of file |