From: Alex Sivchev <enn00th@gmail.com>
To: wireguard@lists.zx2c4.com
Subject: MSIs and WDAC
Date: Thu, 10 Jun 2021 19:20:51 +0300 [thread overview]
Message-ID: <CAGb0AfPBZ2LACmXrgFKd_aeUHW-WMCty3f10tHyhQO19nOfO5Q@mail.gmail.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 465 bytes --]
Hi,
The MSIs' customactions.dll is unsigned and therefore only Hash or
FileName rules [1] can be used to allow it in WDAC policies. Can it be
signed like the rest so that more reasonable and update-proof policies
could be created?
A patch is attached.
Regards,
Alex
[1] https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#windows-defender-application-control-file-rule-levels
[-- Attachment #2: installer-build-sign.patch --]
[-- Type: text/x-patch, Size: 1592 bytes --]
diff --git a/installer/build.bat b/installer/build.bat
index c9da9c91..dff90972 100644
--- a/installer/build.bat
+++ b/installer/build.bat
@@ -40,11 +40,6 @@ if exist .deps\prepared goto :build
call :msi amd64 x86_64 x64 || goto :error
call :msi arm armv7 arm || goto :error
call :msi arm64 aarch64 arm64 || goto :error
- if exist ..\sign.bat call ..\sign.bat
- if "%SigningCertificate%"=="" goto :success
- if "%TimestampServer%"=="" goto :success
- echo [+] Signing
- signtool sign /sha1 "%SigningCertificate%" /fd sha256 /tr "%TimestampServer%" /td sha256 /d "WireGuard Setup" "dist\wireguard-*-%WIREGUARD_VERSION%.msi" || goto :error
:success
echo [+] Success.
@@ -63,8 +58,18 @@ if exist .deps\prepared goto :build
echo [+] Compiling %1
%CC% %CFLAGS% %LDFLAGS% -o "%~1\customactions.dll" customactions.c %LDLIBS% || exit /b 1
"%WIX%bin\candle" %WIX_CANDLE_FLAGS% -dWIREGUARD_PLATFORM="%~1" -out "%~1\wireguard.wixobj" -arch %3 wireguard.wxs || exit /b %errorlevel%
+ call :sign %~1\customactions.dll || goto :error
echo [+] Linking %1
"%WIX%bin\light" %WIX_LIGHT_FLAGS% -out "dist\wireguard-%~1-%WIREGUARD_VERSION%.msi" "%~1\wireguard.wixobj" || exit /b %errorlevel%
+ call :sign dist\wireguard-%~1-%WIREGUARD_VERSION%.msi || goto :error
+ goto :eof
+
+:sign
+ if exist ..\sign.bat call ..\sign.bat
+ if "%SigningCertificate%"=="" goto :eof
+ if "%TimestampServer%"=="" goto :eof
+ echo [+] Signing %1
+ signtool sign /sha1 "%SigningCertificate%" /fd sha256 /tr "%TimestampServer%" /td sha256 /d "WireGuard Setup" "%~1" || exit /b %errorlevel%
goto :eof
:error
reply other threads:[~2021-06-10 22:54 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAGb0AfPBZ2LACmXrgFKd_aeUHW-WMCty3f10tHyhQO19nOfO5Q@mail.gmail.com \
--to=enn00th@gmail.com \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).