Codesign

From OpenZFS on OS X
Revision as of 05:38, 23 April 2019 by Lundman (Talk | contribs)


Codesign

Problem

When users want to try a build I make, they have to change Windows into "Test Mode", which requires a reboot and brings potential other issues that a novice Windows user might not be aware of.

Desired Outcome

Have users be able to install a release I make without needing to reboot / change to "Test Mode".

If you are to use ZFS, you should probably use x64. So that is the main focus.

The latest Windows is 10 (at the time of this document), so it should support Win 10 x64 at least, since that is presumably the direction Microsoft is taking Windows, and any requirements here will be true for future versions of Windows.

Support of older Windows builds would be nice - at least Windows Server, Win 8, Vista?


Assumptions

  • To avoid Test Mode, the Driver (kernel component) has to be codesigned.

(Is this the correct assumption? It is not entirely clear - I don't mind the SmartScreen warning, or having to click "trust this anyway", as long as it can be done without Test Mode and reboot.)


  • To codesign Win10 x64 I must first get an EV certificate; it cannot be Standard.

get a code signing certificate


  • DigiCert had me show 2 IDs, 2 Skype video calls to fill in forms together, but I must also have a Registered Company. (Not non-profit, nor Organization - they check with Government)

(Because of IDs and valid address, I then have to register in Japan.)


  • To register a company costs about $13,000.

Juridique Healy

Update

I have been informed [1] that the EV certification requirement is only in regards to Secure Boot. A "Class 3 Code-Signing Certificate" is sufficient for Win10 x64 signing with Secure Boot disabled. This will do for now - if it works out.

I have obtained a Class 3 signing certificate, and produced a signed Installer.

For codesigning, I have DevStudio set to inf2cat stamp, and sign, with the extra command line "/tr http://timestamp.digicert.com /td sha256 /fd sha256". I have set Inno Setup to codesign all *.exe and the final installer .exe. This workflow is acceptable.
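
A check that could follow this signing step, as an added example (not part of the original page or of the project's build): a PowerShell script that confirms every driver, catalog and executable in the build output has a valid, timestamped Authenticode signature before the installer is handed to users. The `$BuildDir` default and the extension list are assumptions.

```powershell
# Added example: fail the build if any shipped binary is unsigned,
# has an invalid signature, or is missing a timestamp countersignature.
param(
    [string]$BuildDir = '.\out'   # assumed location of the signed build output
)

# File types that the signing step is expected to cover (assumed list).
$extensions = '.sys', '.cat', '.exe', '.dll'

$results = Get-ChildItem -Path $BuildDir -Recurse -File |
    Where-Object { $extensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName

        [pscustomobject]@{
            File        = $_.FullName
            # 'Valid' means the file hash matches and the chain is trusted
            # on this machine; 'NotSigned', 'HashMismatch' etc. otherwise.
            Status      = $sig.Status
            Signer      = if ($sig.SignerCertificate) {
                              $sig.SignerCertificate.Subject
                          } else { '' }
            # Set only when the signature was timestamped (the /tr option).
            # Without it the signature stops validating once the signing
            # certificate expires.
            Timestamped = $null -ne $sig.TimeStamperCertificate
        }
    }

$results | Format-Table -AutoSize

if (-not $results) {
    Write-Error "No signable files found under $BuildDir"
    exit 1
}

$bad = @($results | Where-Object { $_.Status -ne 'Valid' -or -not $_.Timestamped })
if ($bad.Count -gt 0) {
    $bad | ForEach-Object { Write-Warning "Signature problem: $($_.File) [$($_.Status)]" }
    exit 1
}

Write-Output "All $(@($results).Count) files are signed and timestamped."
```

This checks the Authenticode signature only; for the driver itself, `signtool verify /kp /v` additionally evaluates it against the x64 kernel-mode signing policy.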