diff options
author | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2020-07-22 23:33:21 +0200 |
---|---|---|
committer | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2020-07-22 23:54:53 +0200 |
commit | b6b6710d2b055c703f86429b431c616f99cb4c85 (patch) | |
tree | 546bce253608d8ed4c9051dc1e95703be80e0598 /src | |
parent | c4a6269c8c384a7b8d4a362cac6a87a8a99b9b62 (diff) | |
download | VeraCrypt-b6b6710d2b055c703f86429b431c616f99cb4c85.tar.gz VeraCrypt-b6b6710d2b055c703f86429b431c616f99cb4c85.zip |
Windows: Add possibility to sign binaries using SHA256 only. This fixes Windows Smart Screen warning when launching installer
Diffstat (limited to 'src')
-rw-r--r-- | src/Common/Dlgcode.c | 14 | ||||
-rw-r--r-- | src/Signing/sign-sha256.bat | 62 |
2 files changed, 75 insertions, 1 deletions
diff --git a/src/Common/Dlgcode.c b/src/Common/Dlgcode.c index 7a4f473e..0b9a7105 100644 --- a/src/Common/Dlgcode.c +++ b/src/Common/Dlgcode.c @@ -389,6 +389,16 @@ static unsigned char gpbSha1CodeSignCertFingerprint[64] = { 0xE9, 0x65, 0xA5, 0x61 }; +static unsigned char gpbSha256CodeSignCertFingerprint[64] = { + 0x88, 0x60, 0xC4, 0x26, 0x6D, 0x42, 0x59, 0x1B, 0xDF, 0x89, 0x0F, 0x1A, + 0x2F, 0x70, 0x8D, 0xBB, 0xC0, 0xF0, 0x03, 0x1F, 0x37, 0x11, 0xF9, 0x24, + 0x78, 0xDF, 0xD3, 0x60, 0xFB, 0xF3, 0xDC, 0xCA, 0x0D, 0x95, 0x06, 0x6A, + 0x5E, 0xAD, 0x5C, 0xA3, 0x3E, 0x75, 0x55, 0x96, 0x7B, 0xD1, 0x0D, 0xC1, + 0x00, 0xFE, 0xA0, 0x95, 0x13, 0x23, 0x20, 0x63, 0x26, 0x57, 0xFA, 0x6C, + 0xE4, 0x27, 0xF8, 0x36 +}; + + typedef HRESULT (WINAPI *SHGETKNOWNFOLDERPATH) ( _In_ REFKNOWNFOLDERID rfid, _In_ DWORD dwFlags, @@ -13891,7 +13901,9 @@ BOOL VerifyModuleSignature (const wchar_t* path) BYTE hashVal[64]; sha512 (hashVal, pProviderCert->pCert->pbCertEncoded, pProviderCert->pCert->cbCertEncoded); - if (0 == memcmp (hashVal, gpbSha1CodeSignCertFingerprint, 64)) + if ( (0 == memcmp (hashVal, gpbSha1CodeSignCertFingerprint, 64)) + || (0 == memcmp (hashVal, gpbSha256CodeSignCertFingerprint, 64)) + ) { bResult = TRUE; } diff --git a/src/Signing/sign-sha256.bat b/src/Signing/sign-sha256.bat new file mode 100644 index 00000000..ed01f38a --- /dev/null +++ b/src/Signing/sign-sha256.bat @@ -0,0 +1,62 @@ +PATH=%PATH%;%WSDK81%\bin\x86;C:\Program Files\7-Zip;C:\Program Files (x86)\7-Zip + +set VC_VERSION=1.24-Update7 +set SIGNINGPATH=%~dp0 +cd %SIGNINGPATH% + +call "..\..\doc\chm\create_chm.bat" + +cd %SIGNINGPATH% + +rem sign using SHA-1 +signtool sign /v /sha1 85aa2e55cfb9c38fe474c58b38e9521450cd9306 /ac DigiCert_Assured_ID_MS_Cross_Cert.crt /fd sha1 /t http://timestamp.verisign.com/scripts/timestamp.dll "..\Release\Setup Files\veracrypt.sys" "..\Release\Setup Files\veracrypt-x64.sys" + +timeout /t 10 + +rem sign using SHA-256 +signtool sign /v /sha1 04141E4EA6D9343CEC994F6C099DC09BDD8937C9 /ac GlobalSign_R3Cross.cer /as /fd sha256 /tr http://rfc3161timestamp.globalsign.com/advanced /td SHA256 "..\Release\Setup Files\veracrypt.sys" "..\Release\Setup Files\veracrypt-x64.sys" +signtool sign /v /sha1 04141E4EA6D9343CEC994F6C099DC09BDD8937C9 /ac GlobalSign_SHA256_EV_CodeSigning_CA.cer /fd sha256 /tr http://rfc3161timestamp.globalsign.com/advanced /td SHA256 "..\Release\Setup Files\VeraCrypt.exe" "..\Release\Setup Files\VeraCrypt Format.exe" "..\Release\Setup Files\VeraCryptExpander.exe" "..\Release\Setup Files\VeraCrypt-x64.exe" "..\Release\Setup Files\VeraCrypt Format-x64.exe" "..\Release\Setup Files\VeraCryptExpander-x64.exe" + + +cd "..\Release\Setup Files\" + +copy ..\..\LICENSE . +copy ..\..\License.txt . +copy ..\..\NOTICE . + +del *.xml +rmdir /S /Q Languages +mkdir Languages +copy /V /Y ..\..\..\Translations\*.xml Languages\. +del Languages.zip +7z a -y Languages.zip Languages + +rmdir /S /Q docs +mkdir docs\html\en +mkdir docs\EFI-DCS +copy /V /Y ..\..\..\doc\html\* docs\html\en\. +copy "..\..\..\doc\chm\VeraCrypt User Guide.chm" docs\. +copy "..\..\..\doc\EFI-DCS\*.pdf" docs\EFI-DCS\. + +del docs.zip +7z a -y docs.zip docs + +"VeraCrypt Setup.exe" /p +"VeraCrypt Portable.exe" /p + +del LICENSE +del License.txt +del NOTICE +del "VeraCrypt User Guide.chm" + +del Languages.zip +del docs.zip +rmdir /S /Q Languages +rmdir /S /Q docs + +cd %SIGNINGPATH% + +rem sign using SHA-256 +signtool sign /v /sha1 04141E4EA6D9343CEC994F6C099DC09BDD8937C9 /ac GlobalSign_SHA256_EV_CodeSigning_CA.cer /fd sha256 /tr http://rfc3161timestamp.globalsign.com/advanced /td SHA256 "..\Release\Setup Files\VeraCrypt Setup %VC_VERSION%.exe" "..\Release\Setup Files\VeraCrypt Portable %VC_VERSION%.exe" + +pause |