MSIs and WDAC
From: Alex Sivchev @ 2021-06-10 16:20 UTC (permalink / raw)
  To: wireguard

Hi,

The MSIs' customactions.dll is unsigned and therefore only Hash or
FileName rules [1] can be used to allow it in WDAC policies. Can it be
signed like the rest so that more reasonable and update-proof policies
could be created?

A patch is attached.

Regards,
Alex

[1] https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#windows-defender-application-control-file-rule-levels

[-- Attachment #2: installer-build-sign.patch --]
[-- Type: text/x-patch, Size: 1592 bytes --]

diff --git a/installer/build.bat b/installer/build.bat
index c9da9c91..dff90972 100644
--- a/installer/build.bat
+++ b/installer/build.bat
@@ -40,11 +40,6 @@ if exist .deps\prepared goto :build
 	call :msi amd64 x86_64 x64 || goto :error
 	call :msi arm armv7 arm || goto :error
 	call :msi arm64 aarch64 arm64 || goto :error
-	if exist ..\sign.bat call ..\sign.bat
-	if "%SigningCertificate%"=="" goto :success
-	if "%TimestampServer%"=="" goto :success
-	echo [+] Signing
-	signtool sign /sha1 "%SigningCertificate%" /fd sha256 /tr "%TimestampServer%" /td sha256 /d "WireGuard Setup" "dist\wireguard-*-%WIREGUARD_VERSION%.msi" || goto :error
 
 :success
 	echo [+] Success.
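Review bot: the submission has no commit message; the mail says only that a patch is attached, so the rationale for this removal should be written down in the patch description. The removal itself is sound (the `:success` fall-through stays intact), but the description should explain why the post-build pass is moved into `:msi`: by the time this block ran, all three `:msi` calls had already linked the packages, and the per-MSI `signtool` pass could not reach the customactions.dll that `light` had embedded. It should also note the behaviour change that the single wildcard invocation `signtool ... "dist\wireguard-*-%WIREGUARD_VERSION%.msi"` becomes one `signtool` run per artifact.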
@@ -63,8 +58,18 @@ if exist .deps\prepared goto :build
 	echo [+] Compiling %1
 	%CC% %CFLAGS% %LDFLAGS% -o "%~1\customactions.dll" customactions.c %LDLIBS% || exit /b 1
 	"%WIX%bin\candle" %WIX_CANDLE_FLAGS% -dWIREGUARD_PLATFORM="%~1" -out "%~1\wireguard.wixobj" -arch %3 wireguard.wxs || exit /b %errorlevel%
+	call :sign %~1\customactions.dll || goto :error
 	echo [+] Linking %1
 	"%WIX%bin\light" %WIX_LIGHT_FLAGS% -out "dist\wireguard-%~1-%WIREGUARD_VERSION%.msi" "%~1\wireguard.wixobj" || exit /b %errorlevel%
+	call :sign dist\wireguard-%~1-%WIREGUARD_VERSION%.msi || goto :error
+	goto :eof
+
+:sign
+	if exist ..\sign.bat call ..\sign.bat
+	if "%SigningCertificate%"=="" goto :eof
+	if "%TimestampServer%"=="" goto :eof
+	echo [+] Signing %1
+	signtool sign /sha1 "%SigningCertificate%" /fd sha256 /tr "%TimestampServer%" /td sha256 /d "WireGuard Setup" "%~1" || exit /b %errorlevel%
 	goto :eof
 
 :error
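Review bot: the two new `call :sign ... || goto :error` lines inside `:msi` should use `|| exit /b %errorlevel%` like the neighbouring `candle` and `light` lines. `:msi` is entered via `call :msi ... || goto :error`, so a `goto :error` from inside the subroutine runs the `:error` block in the subroutine's frame, and once that block returns a nonzero code the caller's own `|| goto :error` fires and runs it a second time. The ordering of the new calls is right: customactions.dll is signed after `candle` and before `light`, so the signed copy is what gets embedded, and the MSI is signed after linking. Two smaller points: `..\sign.bat` is now invoked on every `:sign` call (up to six times per build) rather than once, so if it only exports `SigningCertificate` and `TimestampServer` it could be guarded to run once; and `/d "WireGuard Setup"` is now applied to the DLL as well as the MSI, which may be fine but is worth a mention.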

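As an added check from the policy-author side, and not code from the mail or the WireGuard tree: the PowerShell script below reports the Authenticode status of an MSI and of every PE payload in its Binary table, and states which WDAC file-rule level each can be allowed at. It assumes the custom-action DLL ships as a WiX `<Binary>` (Binary table rather than File table), which is what signing it before `light` implies; `Invoke-MsiMember`, `Get-WdacRuleLevel` and `Write-SignatureReport` are helper names chosen here.

```powershell
# Added example, not part of the patch or the WireGuard project. Assumes the
# custom-action DLL is carried in the MSI Binary table (a WiX <Binary>), so an
# administrative install would not extract it and it must be read from the table.
param([Parameter(Mandatory)][string]$MsiPath)

function Invoke-MsiMember($Object, [string]$Name, [string]$Kind, [object[]]$Arguments) {
    # WindowsInstaller.Installer is IDispatch-only, so late-bind members by name.
    $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $Arguments)
}

function Get-WdacRuleLevel([System.Management.Automation.Signature]$Sig) {
    # A valid chain allows Publisher/FilePublisher rules that survive updates;
    # anything else leaves only Hash or FileName rules, which break on each release.
    if ($Sig.Status -eq 'Valid') { 'Publisher/FilePublisher' } else { 'Hash/FileName only' }
}

function Write-SignatureReport([string]$Item, [System.Management.Automation.Signature]$Sig) {
    [pscustomobject]@{
        Item = $Item; Status = $Sig.Status
        Signer = $Sig.SignerCertificate.Subject; WdacRuleLevel = Get-WdacRuleLevel $Sig
    }
}

# The package itself (WDAC evaluates the MSI's own signature for the installer run).
Write-SignatureReport (Split-Path $MsiPath -Leaf) (Get-AuthenticodeSignature -FilePath $MsiPath)

$installer = New-Object -ComObject WindowsInstaller.Installer
$db   = Invoke-MsiMember $installer 'OpenDatabase' 'InvokeMethod' @($MsiPath, 0)  # 0 = read-only
$view = Invoke-MsiMember $db 'OpenView' 'InvokeMethod' @('SELECT Name, Data FROM Binary')
Invoke-MsiMember $view 'Execute' 'InvokeMethod' $null | Out-Null
$tmp = New-Item -ItemType Directory -Path (Join-Path $env:TEMP "msi-binary-$([guid]::NewGuid())")
$rec = Invoke-MsiMember $view 'Fetch' 'InvokeMethod' $null
while ($rec) {
    $name = Invoke-MsiMember $rec 'StringData' 'GetProperty' @(1)
    $size = Invoke-MsiMember $rec 'DataSize'   'GetProperty' @(2)
    # msiReadStreamBytes (1) returns the stream as a string with one char per byte.
    $raw   = Invoke-MsiMember $rec 'ReadStream' 'InvokeMethod' @(2, $size, 1)
    $bytes = [byte[]][char[]]$raw
    # Only PE images (MZ header) carry Authenticode; skip icons, bitmaps and scripts.
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) {
        $out = Join-Path $tmp.FullName $name
        [IO.File]::WriteAllBytes($out, $bytes)
        Write-SignatureReport "Binary:$name" (Get-AuthenticodeSignature -FilePath $out)
    }
    $rec = Invoke-MsiMember $view 'Fetch' 'InvokeMethod' $null
}
Remove-Item -Recurse -Force $tmp.FullName
```

Run it against a package built before and after the patch: the `Binary:customactions.dll` row should move from `NotSigned` / `Hash/FileName only` to `Valid` / `Publisher/FilePublisher` once the DLL is signed before `light` embeds it.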