diff --git a/contrib/windows/TestCert/README.md b/contrib/windows/TestCert/README.md
new file mode 100644
index 000000000000..64fbf0e7dd14
--- /dev/null
+++ b/contrib/windows/TestCert/README.md
@@ -0,0 +1,15 @@
+### Development
+- Install OpenZFS test certificate
+ - Install `test_sign_cert_nopass.pfx` (password: )
+ - Certificate should be installed into
+ 1. "Personal" in "Current User"
+
+### Target
+- Install OpenZFS test certificate
+ - Install `test_sign_cert_nopass.pfx` (password: )
+ - Certificate should be installed into
+ 1. "Trusted Root Certification Authority" in "Local Computer" (not current user) *and*
+ 2. "Trusted Publishers" in "Local Computer" (not current user)
+- Enable test signing
+ - `> bcdedit.exe /set TESTSIGNING ON`
+ - reboot the system to apply
diff --git a/contrib/windows/TestCert/create_test_sign_cert.ps1 b/contrib/windows/TestCert/create_test_sign_cert.ps1
new file mode 100644
index 000000000000..87ddb232f40a
--- /dev/null
+++ b/contrib/windows/TestCert/create_test_sign_cert.ps1
@@ -0,0 +1,28 @@
+#cert stores
+#cert:\localmachine\my
+#Cert:\CurrentUser\My
+
+#config
+$plaintextpwd = 'password1234'
+$subject = "OpenZFS Test Signing Certificate"
+$filename = 'test_sign_cert'
+#$dirname = 'c:\'
+$dirname = ''
+$yearsvalid = 3
+
+#generate
+$date_now = Get-Date
+$extended_date = $date_now.AddYears($yearsvalid)
+$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Type CodeSigningCert -Subject $subject -notafter $extended_date
+
+#export with password
+$filepathpass = $dirname + $filename + '_pass.pfx'
+$pwd = ConvertTo-SecureString -String $plaintextpwd -Force -AsPlainText
+$path = 'cert:\CurrentUser\My\' + $cert.thumbprint
+Export-PfxCertificate -cert $path -FilePath $filepathpass -Password $pwd
+
+#export "without" password
+$filepathnopass = $dirname + $filename + '_nopass.pfx'
+$passin = 'pass:' + $plaintextpwd
+&"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -in $filepathpass -nodes -noenc -passin $passin | &"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -export -keypbe NONE -certpbe NONE -noenc -nomaciter -noiter -nomac -passout pass: -out $filepathnopass
+
diff --git a/contrib/windows/TestCert/test_sign_cert_nopass.pfx b/contrib/windows/TestCert/test_sign_cert_nopass.pfx
new file mode 100644
index 000000000000..9f2bd19af368
Binary files /dev/null and b/contrib/windows/TestCert/test_sign_cert_nopass.pfx differ
diff --git a/contrib/windows/TestCert/test_sign_cert_pass.pfx b/contrib/windows/TestCert/test_sign_cert_pass.pfx
new file mode 100644
index 000000000000..e789e3b376a6
Binary files /dev/null and b/contrib/windows/TestCert/test_sign_cert_pass.pfx differ
diff --git a/module/CMakeLists.txt b/module/CMakeLists.txt
index a00be4ac6d73..0864093ccea4 100644
--- a/module/CMakeLists.txt
+++ b/module/CMakeLists.txt
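Review bot: The signing key this script produces is effectively public: `$plaintextpwd = 'password1234'` is fixed in source, the second export strips every protection (`-keypbe NONE -certpbe NONE -nomac -passout pass:`), and both resulting `.pfx` files are committed as binaries in this same change, while the README added alongside tells target machines to import that certificate into the Local Computer "Trusted Root Certification Authority" and "Trusted Publishers" stores, so anyone with the repository can sign a driver those hosts accept. I would put a prominent warning at the top of the script, e.g. `# WARNING: the exported key is unencrypted and public; trust this certificate only on disposable test machines, never on a production host.`, and drop the committed `_pass.pfx`, whose password is readable in the script anyway. Two smaller points: `$pwd = ConvertTo-SecureString ...` overwrites PowerShell's automatic `$PWD` variable for the script's scope (or the session, if dot-sourced), so rename it to something like `$pfxPassword`; and nothing stops on failure, so if `New-SelfSignedCertificate` fails `$cert.thumbprint` is empty and the `Export-PfxCertificate` and `openssl` steps still run against a bad path — `$ErrorActionPreference = 'Stop'` under the `#config` comment fixes that. The hard-coded `C:\Program Files\OpenSSL-Win64\bin\openssl.exe` could also be resolved via `Get-Command openssl` with a clear error when it is missing.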
@@ -33,10 +33,10 @@ if (NOT "${ZFSIN_SIGNTOOL_CERTSTORE}")
 set(ZFSIN_SIGNTOOL_CERTSTORE PrivateCertStore CACHE STRING "Name of the certificate store (PrivateCertStore) that contains the test certificate.")
 endif()
 if (NOT "${ZFSIN_SIGNTOOL_CERTNAME}")
- set(ZFSIN_SIGNTOOL_CERTNAME "Contoso.com(Test)" CACHE STRING "Name of the certificate (Contoso.com(Test)) that is installed in the specified certificate store.")
+ set(ZFSIN_SIGNTOOL_CERTNAME "OpenZFS Test Signing Certificate" CACHE STRING "Name of the certificate (OpenZFS Test Signing Certificate) that is installed in the specified certificate store.")
 endif()
 if (NOT "${ZFSIN_SIGNTOOL_SHA1}")
- set(ZFSIN_SIGNTOOL_SHA1 "7FAC1AF0A39DF0D2AB9F92D6A544ECECD791D7AB" CACHE STRING "SHA1 of the certificate.")
+ set(ZFSIN_SIGNTOOL_SHA1 "e96bb80ace0b559239c89a425ba0b58d5590fdb3" CACHE STRING "SHA1 of the certificate.")
 endif()
 if (NOT "${ZFSIN_SIGNTOOL_TSA}")
 set(ZFSIN_SIGNTOOL_TSA "http://timestamp.digicert.com" CACHE STRING "Specifies URL of the TSA (http://timestamp.digicert.com) which will time stamp the digital signature.")
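Review bot: The new defaults look inconsistent with the README added in the same change: `ZFSIN_SIGNTOOL_CERTSTORE` still defaults to `PrivateCertStore` (the context line at the top of this hunk) while the README tells developers to import the new certificate into "Personal" in "Current User", which is the `My` store, so if this value is handed to signtool as `/s` (the consumer is outside this hunk) a default build will not find the certificate by the new name or thumbprint; either change it to `set(ZFSIN_SIGNTOOL_CERTSTORE My CACHE STRING ...)` or have the README say PrivateCertStore. The new default `ZFSIN_SIGNTOOL_SHA1` also selects a certificate whose private key is committed in this same change as an unencrypted `.pfx`, so a default build signs with a key anyone can obtain — worth a comment above the `set(...)`, e.g. `# Test-only certificate; its .pfx in contrib/windows/TestCert is public. Override for any real signing.`. The guards `if (NOT "${ZFSIN_SIGNTOOL_SHA1}")` test a quoted string, which is false for any value that is not a boolean constant, so they are always taken and only `set(... CACHE)` not overriding an existing cache entry keeps user values intact; `if (NOT DEFINED ZFSIN_SIGNTOOL_SHA1)` expresses the intent. Finally the new thumbprint is lowercase where the old one was uppercase; signtool should accept either, but keeping one case avoids confusion when comparing against certmgr output.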