From 9ce0b2f9a54f60669d8bfad1b5ce38a2457cab08 Mon Sep 17 00:00:00 2001
From: Andrew Innes
Date: Wed, 20 Jul 2022 08:21:38 +0800
Subject: [PATCH] Default test sign certificates (#105)
* Script for creating certificates
A powershell script that creates a new code signing certificate and exports it to the current directory, with and without a password.
* Add pre-generated signing certificates
Signing certificates to enable development builds to be used with less hassle. This should not be considered a secret, and it puts at risk any computer that trusts the certificate.
* Use the new repository test cert
Change the CMake defaults to use the new test certificate that is included in the repository for signing the driver and command line utilities.
* Instructions to install test certs
Added instructions to install the test signing certificates on the development and target computers.
---
 contrib/windows/TestCert/README.md | 15 ++++++++++
 .../TestCert/create_test_sign_cert.ps1 | 28 ++++++++++++++++++
 .../TestCert/test_sign_cert_nopass.pfx | Bin 0 -> 2259 bytes
 .../windows/TestCert/test_sign_cert_pass.pfx | Bin 0 -> 2646 bytes
 module/CMakeLists.txt | 4 +--
 5 files changed, 45 insertions(+), 2 deletions(-)
 create mode 100644 contrib/windows/TestCert/README.md
 create mode 100644 contrib/windows/TestCert/create_test_sign_cert.ps1
 create mode 100644 contrib/windows/TestCert/test_sign_cert_nopass.pfx
 create mode 100644 contrib/windows/TestCert/test_sign_cert_pass.pfx
diff --git a/contrib/windows/TestCert/README.md b/contrib/windows/TestCert/README.md
new file mode 100644
index 000000000000..64fbf0e7dd14
--- /dev/null
+++ b/contrib/windows/TestCert/README.md
@@ -0,0 +1,15 @@
+### Development
+- Install OpenZFS test certificate
+ - Install `test_sign_cert_nopass.pfx` (password: )
+ - Certificate should be installed into
+ 1. "Personal" in "Current User"
+
+### Target
+- Install OpenZFS test certificate
+ - Install `test_sign_cert_nopass.pfx` (password: )
+ - Certificate should be installed into
+ 1. "Trusted Root Certification Authority" in "Local Computer" (not current user) *and*
+ 2. "Trusted Publishers" in "Local Computer" (not current user)
+- Enable test signing
+ - `> bcdedit.exe /set TESTSIGNING ON`
+ - reboot the system to apply
diff --git a/contrib/windows/TestCert/create_test_sign_cert.ps1 b/contrib/windows/TestCert/create_test_sign_cert.ps1
new file mode 100644
index 000000000000..87ddb232f40a
--- /dev/null
+++ b/contrib/windows/TestCert/create_test_sign_cert.ps1
@@ -0,0 +1,28 @@
+#cert stores
+#cert:\localmachine\my
+#Cert:\CurrentUser\My
+
+#config
+$plaintextpwd = 'password1234'
+$subject = "OpenZFS Test Signing Certificate"
+$filename = 'test_sign_cert'
+#$dirname = 'c:\'
+$dirname = ''
+$yearsvalid = 3
+
+#generate
+$date_now = Get-Date
+$extended_date = $date_now.AddYears($yearsvalid)
+$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Type CodeSigningCert -Subject $subject -notafter $extended_date
+
+#export with password
+$filepathpass = $dirname + $filename + '_pass.pfx'
+$pwd = ConvertTo-SecureString -String $plaintextpwd -Force -AsPlainText
+$path = 'cert:\CurrentUser\My\' + $cert.thumbprint
+Export-PfxCertificate -cert $path -FilePath $filepathpass -Password $pwd
+
+#export "without" password
+$filepathnopass = $dirname + $filename + '_nopass.pfx'
+$passin = 'pass:' + $plaintextpwd
+&"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -in $filepathpass -nodes -noenc -passin $passin | &"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -export -keypbe NONE -certpbe NONE -noenc -nomaciter -noiter -nomac -passout pass: -out $filepathnopass
+
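Review bot: The script leaves the freshly generated private key in `Cert:\CurrentUser\My` after both exports — the `New-SelfSignedCertificate` line creates it there and nothing removes it — even though the exported PFX is meant to be committed to a public repository and the README in this same patch has target machines import it into Trusted Root, so a developer who runs this ends up with a key in their personal store that is, by design, no longer private. Add `Remove-Item $path` after the final OpenSSL export, and a header comment stating that the key is deliberately public and must never be reused as a real signing identity, so the key exists only as the checked-in artifact. `$pwd` also shadows PowerShell's automatic `$PWD` variable, which depending on the host may error or silently confuse later path handling; rename it to something like `$pfxpassword`. Finally, the hard-coded `C:\Program Files\OpenSSL-Win64\bin\openssl.exe` could be resolved once via `Get-Command openssl` with an explicit error when it is absent, rather than failing mid-pipeline.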
diff --git a/contrib/windows/TestCert/test_sign_cert_nopass.pfx b/contrib/windows/TestCert/test_sign_cert_nopass.pfx new file mode 100644 index 0000000000000000000000000000000000000000..9f2bd19af368da1d87b8766645ed33452c9170b2 GIT binary patch literal 2259 zcmeHHX*8T^7Ot-ribA2ZeJN|j{vl!sC1UMF&?pHZNLivpwVk1(`8pBA8oNkh-_6*A zSd$P-Y#kAM5F(l&Vi_uq{+#K_$^4u7Kj%I7$Mf9x-uIs8-ur?Ob{GkuKnUB*#3C1E z8nw?3Fax;|wiyj!8(_KygivY!;X*~BAru7D;jo1=;r@zZV+ByT5b8Wkl9^clB3XFh zTqq?tKn~_*KnTf^i$VfOB&Ud)tEA{@w|Ya9pRCfTPOTvOw?_aR1_8>e$buv$6a|f9 zBU<>l(d~_`i8gNj0Yqz054tDagJ|I97vSmcNp%Tu14a4RRaHR^_^5&^YMS;iRR0%L zIf4IMG6<0Pz8C<5KtTW=0YU&P5&{6kNcZZCQB6_37P&2>?xe#Z{9ape`lqar#u(Sx z;de8lEv&?bm3D$d&!}=&-z`^MtcGC;{)E6<AoQUi_W~0E}Xe|kq z87qgpuH#x|Y>v^rhxIb0EM{DU$+eZF<44zOSLl7QRwRG<_}1^m;z$&L01AvjLy!aRj|d(Bj?riok~sn-oM34*8_3Fp zm1hDl7-kd-6geR|(7b3Kfd$u`39FBZQ{CaOd%qObwA|sJ{$6Rg?Xc1S0{MD^XfJrW zeUi@+zZc>uxXsn;y}c@7fyOELuQ(?$oF(<{F3Ql76NCRACn|h>a^vV!H6nE{Zfvf( zMmG&0m5$#O=Fqh~=!r~LFnU84Z^9MQ7I?)V>q+^Pa&EbYomBiR9~o@ciJpGj(+ZuP zR@Bjutkjds$lAy`vw%Ns_o;23y84^``WV|rp|;fFdkGd|d1{8(z#!$BVN|hQn$Kr& z+n-F}`0y&mrE~6A_79CDw_QoEv9M<(R!VmEgZ`gq1AM9_`x&p7qqA)cjxORTLuBjB z>h~3Omr9IF;;51qHvN@XHH!RAh4dehOEcbP6HUBg7}?puVw>ThiZm$sZ5dd8P=Tde z^=e`r!cp#P^=6;Hn%fXhNjjyAYbQI4!Jr`w07B>^*bcs5OxTI;g2^@{fcRc< zc(&0Hx&-zVz@Gn4_rIqbRs!K6!M+|A>-sZxw7}ifXfWwCPwDQh=Q)~Etu{R^MLb=O z`~r>nD+LTDgnhdfM8aS%3sHpm;w+fa$&3*v+P#EvlPEiu#G4UAJS>9~{^)oMi8D#9 z2Ii;_noFvTj?@l;*n>imEWg~$Y)+nl{sE!*_JNne>SiEfTxq!|$?C%6ynEgV3fYv? 
zQk@u5)806U*%6;e^tc;M$_EbPc}NP@gQ~^bTZhh74HC?zH$Jz{#OJea)p)m;={yk{ z);zD1K4^bS3vzTYe3fC|bP%3Wk=RnEW@ffpHjVDJvut=C+%=fQ+E2RMc=q zGv_tjRfj#Vo1=%f9g&fdhzaW{Tf*eH(r+_cw9?{fJ=>se?oXZsDQ@EEL6sF6-;*vGq$KIxpe zmb*YW$WD9rFj+0>e!y%79#LdNmFErwZ=6jqTFnq*ZF;kEJhGbNHKoZnFOw-Xy||bv z=(IwgG`PJP!qs=>8pqC?r2aCVSdX5|&ZquJoqy$}kzUlohLrk|Um=2`|hN&HFv(pMqX z>*8UXM)L~#Z=tA>-B({zHJTR`SAUT|E-o%LAWTg?wtxpzF|L5Dr9SwPE z$1pqFbkUu?7%u6B(LMuRTZC3^ComD-;FdL?+#WjoRMEoc4SUNu+xFrF zdu1Jp(?*D0psJ?9dW@kU5owV1W9A?0^$jevyFHb^#Nf>6E;W8-#c3K5FaOJb@lWi* B(B}XE literal 0 HcmV?d00001 
diff --git a/contrib/windows/TestCert/test_sign_cert_pass.pfx b/contrib/windows/TestCert/test_sign_cert_pass.pfx new file mode 100644 index 0000000000000000000000000000000000000000..e789e3b376a6e3dc221612dfed8d2a517a91703b GIT binary patch literal 2646 zcmZXUXIN9&8ikV(5_*v$mjFU&QiMZG0FfrWBTYKer4x-25R?dV1rZdKjx?!40OT0HYRtrt|E89t;O( z;i)g6cL4c<3>}1*7>dCWkXX zsTkFDYeS3r_#hDY02B`$XS5boUQwzG=FMV12zr>YCbCCzRDUT{IjaqyqU-d*FlEYj5_!~| z^*3zPrmkQJft{Rv-t;*3k1=DPQujy^TqiU{Y{#_Ydbq_C8WCn_)Z$grY@K>mzFlvS zm`Z8{?D7)j*3h@39q+1(pieY!5Q5a!nNB~lukmA$5-jLa89ruXrjRnGNUsH+4-C!} z>K-w3p*IfC`8m4!h?u2|i@CRW3)S-4nXrfv{icT6z9;BBE5FH^MGE>9xfi zD9BcF7k&MSIUTDST;APF_R+EWoi>Wj#)T!d2LyzvDd z{pNzq;7h5i_s0d$+2m@6 z>_6huD=I!J&xh$E4p6P}!UPl3?hEW*IMqb2mTJ&uthQRhbxlU!fZ?;-kNv;(gaoKI zsnrgb!r8TQg;uKSu|{YQPdc64Hw+z0AmJMJzCoziV($2naM-9(Wwqy46Xjho=$`4e zvi3#DBuT8H#I($*JkhHyG6toN>&|iniUO+qAJ^oyI7yvTlfVwq?clIRhSoEBYn-%? zk}vnt!#wQ7$TPRc*p1FGj(SIotCKj7WKIQ|wpB=D;?V6ZzVy6(ZOlZrJ^ial&n2us zDL71lJ7Gp7zzZSMbqG4}Akbv`Ydt@A$6cF?DJXCk-#FE;bnv#?m@@DhCZ^m}ca5@t zFs6#OZIPnesnUMth=~e$E&}*z*fnPD@qdoyvyH6IJpbd^{0FjaJ3eaF|3W!CYQm*K zG)`E7S=rVir6*V>0-rON4DoI`%IEcI8QQfeO}P0ch9s#0v!u?(H_QV^>`Eu%9(Utj=c%xsoJr9tUa#|i%%H4Y@=|u zMcEIPCB3Ms94%;}Szso~?%fL{J{Of*qc2;p;H#0zu$M!4UTtWZy#nnruybxXM31T9 zg>LWiBONr8aDz#u8cCeJWBRkC?XtI5B2o!A?vpfxd2G{~1`Aa7Gbv&dkN$ij1(rJ$og9S;nIIaGDF^_&-<-(G8 zab8_jU00riZU9@o;6N_jz!R7DY7c&N|sRY&E3K=z< z+jcZs)K!gl^UxX%2d~Yglxi5dfc-y^Rmz0N2y`Fh2D%0UKxmLVS<)a`kPFC}OweQw zkn3x|2!_@Ce@3bA|Tu~^?1b9G-ExW?WskL{Z!L|OO6 zCwlF}+bC>`-i;bR6Ta%~;bgF@)ax$^FzHOLa~jkm!=iEW<>WQy8{#4O#8#`~~g>;pP)t5y@_ ztR?=K^G)2G z5$=sfii*ghz#7+suBUtRem}ya_dg#JnaFP z7Mr|ZIcV91R(5Kg4C}Ki_YW-l+={Q9g5)6X&cQRH-{u$3vsN&JBpjb@Vf7|Asr5_FSY+QI`n)g<>Y83+)M8G4g{R4#yB3~I)FK2UAOcj)f@<}MPf{k_JBo8SXiQI$h ztkE5g2jA!9(x`s7h(eX+^32Pm5g4z2k7{DJOkU>yJcG3hFOUdkzQ3?GVI_L%Wi@2Y zCvW$|Vg=+8?GzZC?4pf*(3Q;)r(Kbj zxdxX_Lef2_6u6(N@r@L$EZ;Z1_9EQ`i81OCZmkUZDQ|?p)y}%9Xx<;48;K;yqkrc~ z1ve&HTCxY8A%{fwnii3D_uMLTl39+=l@E{i0Npfu(r6GDN;bGNaBYv 
z)*4l@ylQLk`XaZf+OVoM=$RI5!cjK)g#g}$sY~Vp*MTbl97ZX|Kmp-|vi5eoJ)Sj0 reBek7a6Jh2G%Vu8tUy`s$uZ>b>#h>~7a)@(Yb-B7n!WHpfAs$V%8IZR literal 0 HcmV?d00001
diff --git a/module/CMakeLists.txt b/module/CMakeLists.txt
index a00be4ac6d73..0864093ccea4 100644
--- a/module/CMakeLists.txt
+++ b/module/CMakeLists.txt
@@ -33,10 +33,10 @@ if (NOT "${ZFSIN_SIGNTOOL_CERTSTORE}")
 set(ZFSIN_SIGNTOOL_CERTSTORE PrivateCertStore CACHE STRING "Name of the certificate store (PrivateCertStore) that contains the test certificate.")
 endif()
 if (NOT "${ZFSIN_SIGNTOOL_CERTNAME}")
-set(ZFSIN_SIGNTOOL_CERTNAME "Contoso.com(Test)" CACHE STRING "Name of the certificate (Contoso.com(Test)) that is installed in the specified certificate store.")
+set(ZFSIN_SIGNTOOL_CERTNAME "OpenZFS Test Signing Certificate" CACHE STRING "Name of the certificate (OpenZFS Test Signing Certificate) that is installed in the specified certificate store.")
 endif()
 if (NOT "${ZFSIN_SIGNTOOL_SHA1}")
-set(ZFSIN_SIGNTOOL_SHA1 "7FAC1AF0A39DF0D2AB9F92D6A544ECECD791D7AB" CACHE STRING "SHA1 of the certificate.")
+set(ZFSIN_SIGNTOOL_SHA1 "e96bb80ace0b559239c89a425ba0b58d5590fdb3" CACHE STRING "SHA1 of the certificate.")
 endif()
 if (NOT "${ZFSIN_SIGNTOOL_TSA}")
 set(ZFSIN_SIGNTOOL_TSA "http://timestamp.digicert.com" CACHE STRING "Specifies URL of the TSA (http://timestamp.digicert.com) which will time stamp the digital signature.")
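Review bot: The new `ZFSIN_SIGNTOOL_CERTNAME` and `ZFSIN_SIGNTOOL_SHA1` defaults point signtool at the repository's test certificate, but the `ZFSIN_SIGNTOOL_CERTSTORE` default in the context lines just above is still `PrivateCertStore`, while the README added in this same patch tells developers to import the PFX into "Personal" (the `My` store); unless a developer overrides the store variable, a default build presumably cannot find the certificate. Either change the default to `set(ZFSIN_SIGNTOOL_CERTSTORE My CACHE STRING "Name of the certificate store (My) that contains the test certificate.")` or have the README instruct importing into PrivateCertStore, so the two agree. Because the private key behind this thumbprint is checked into the tree, the help string should also say so, e.g. `"SHA1 thumbprint of the signing certificate (default: the public OpenZFS test cert in contrib/windows/TestCert, whose private key is in the repository; never ship binaries signed with it)"`, so a default build is not mistaken for a release-signed one.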