Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: automatically install test-certificate and validate they are installed on LocalMachine for signtool-verify tasks #232

Open
wants to merge 12 commits into
base: main
Choose a base branch
from
Open
1 change: 1 addition & 0 deletions .github/workflows/build.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ env:
RUSTFLAGS: >-
-D warnings
-C target-feature=+crt-static
WDK_BUILD_ENABLE_SIGNTOOL_VERIFY: true

jobs:
build:
Expand Down
102 changes: 97 additions & 5 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 2 additions & 0 deletions Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,9 @@ quote = "1.0.36"
rustversion = "1.0.17"
serde = "1.0"
serde_json = "1.0"
sha2 = "0.10.8"
syn = "2.0.77"
tempfile = "3.11.0"
thiserror = "1.0.62"
tracing = "0.1.40"
tracing-subscriber = "0.3.18"
Expand Down
6 changes: 4 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -212,9 +212,11 @@ To display help and see the full list of supported CLI args to forward to Cargo:

### Driver Package Signature Verification

The `WDK_BUILD_ENABLE_SIGNTOOL_VERIFY` [cargo-make environment variable](https://github.com/sagiegurari/cargo-make?tab=readme-ov-file#environment-variables) can be set to `true` to enable tasks that handle signature verification of the generated `.sys` and `.cat` files. `signtool verify` requires the certificate to be installed as in the `Trusted Root Certification Authorities` for this verification to function. These tasks are not enabled by default as the default behavior of `WDR` is to sign with a generated test certificate. These test certificates are typically only installed into `Trusted Root Certification Authorities` on computers dedicated to testing drivers, and not personal development machines, given the security implications of installing your own root certificates.
The `WDK_BUILD_ENABLE_SIGNTOOL_VERIFY` [cargo-make environment variable](https://github.com/sagiegurari/cargo-make?tab=readme-ov-file#environment-variables) can be set to `true` to enable tasks that handle signature verification of the generated `.sys` and `.cat` files. If the test cert is not installed in `Trusted Root Certification Authorities` and `Trusted Publishers` stores on `Local Machine`, these tasks will also run the `install-certificate` task.

If you understand these implications, and have installed the test certificate, then you may validate the signatures as follows:
These tasks are not enabled by default as the default behavior of `WDR` is to sign with a generated test certificate. These test certificates are typically only installed into `Trusted Root Certification Authorities` on computers dedicated to testing drivers, and not personal development machines, given the security implications of installing your own root certificates.

If you understand these implications, and have installed the test certificate, then you may install the certificates and validate the signatures as follows:

```
cargo make --env WDK_BUILD_ENABLE_SIGNTOOL_VERIFY=true
Expand Down
4 changes: 4 additions & 0 deletions crates/wdk-build/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -25,11 +25,15 @@ paste.workspace = true
rustversion.workspace = true
serde = { workspace = true, features = ["derive"] }
serde_json.workspace = true
sha2.workspace = true
tempfile.workspace = true
thiserror.workspace = true
tracing.workspace = true
windows = { workspace = true, features = [
"Win32_Foundation",
"Win32_Security",
"Win32_System_Registry",
"Win32_System_SystemServices",
] }

[dev-dependencies]
Expand Down
51 changes: 51 additions & 0 deletions crates/wdk-build/rust-driver-makefile.toml
Original file line number Diff line number Diff line change
Expand Up @@ -433,6 +433,56 @@ args = [
"${WDK_BUILD_OUTPUT_DIRECTORY}/WDRLocalTestCert.cer",
]

[tasks.install-certificate]
private = true
description = "Installs the WDRLocalTestCert certificate to the Trusted Root Certificate Authorities and Trusted Publishers stores (Local Machine)."
dependencies = ["generate-certificate"]
script_runner = "@rust"
condition_script_runner_args = [
"--base-path",
"${CARGO_MAKE_CURRENT_TASK_INITIAL_MAKEFILE_DIRECTORY}",
]
condition_script = '''
//! ```cargo
//! [dependencies]
//! wdk-build = { path = ".", version = "0.3.0" }
//! ```
#![allow(unused_doc_comments)]

wdk_build::cargo_make::install_certificate_condition_script()?
'''
script_runner_args = [
"--base-path",
"${CARGO_MAKE_CURRENT_TASK_INITIAL_MAKEFILE_DIRECTORY}",
]
script = '''
//! ```cargo
//! [dependencies]
//! wdk-build = { path = ".", version = "0.3.0" }
//! ```
#![allow(unused_doc_comments)]

wdk_build::cargo_make::install_certificate()?
'''

[tasks.validate-certificate-installed]
private = true
description = "Validates that the WDRLocalTestCert certificate is installed in the Trusted Root Certificate Authorities and Trusted Publishers stores (Local Machine)."
script_runner = "@rust"
script_runner_args = [
"--base-path",
"${CARGO_MAKE_CURRENT_TASK_INITIAL_MAKEFILE_DIRECTORY}",
]
script = '''
//! ```cargo
//! [dependencies]
//! wdk-build = { path = ".", version = "0.3.0" }
//! ```
#![allow(unused_doc_comments)]

wdk_build::cargo_make::validate_certificate_installed()?
'''

[tasks.copy-certificate-to-package]
private = true
dependencies = ["generate-certificate"]
Expand Down Expand Up @@ -485,6 +535,7 @@ run_task = "signtool-sign"

[tasks.signtool-verify]
private = true
dependencies = ["install-certificate", "validate-certificate-installed"]
condition = { env_true = ["WDK_BUILD_ENABLE_SIGNTOOL_VERIFY"] }
command = "signtool"
args = ["verify", "/v", "/pa", "${WDK_BUILD_SIGNTOOL_VERIFY_INPUT_FILE}"]
Expand Down
Loading
Loading