[wix-users] [EXTERNAL] Re: new Windows 10 version 1607 kernel mode device driver requirements - HOWTO implement in WIX conditionally?

Anthony LaMark anthony at squadratechnologies.com
Wed Jun 14 07:30:16 PDT 2017 

Hi Tom,

I am very grateful for this information!

I want to thank you for the W10 conditional check.
This is what I think I am going to have to do to try to conditionally
install the device driver based on the OS.
If I can't get this to work, I am going to have to make multiple msi files
available for download...something that will confuse users and cause more
release process checks.

It is confusing to me why MS is choosing to not let you figure out the
version in a clean fashion.

Anyway, thanks again, I really appreciate it!

Anthony LaMark
squadra technologies
http://www.squadratechnologies.com
562.221.3079

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of
Tom Brezinski
Sent: Wednesday, June 14, 2017 4:48 AM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: Re: [wix-users] [EXTERNAL] Re: new Windows 10 version 1607 kernel
mode device driver requirements - HOWTO implement in WIX conditionally?

This is on my to-do list as well so I will chime in with what I know...

If you dual sign your driver with a SHA1 certificate and SHA256EV (yes you
have to buy two certs) and cross sign via the old cross signing certificates
method you will work on Windows 10 1607 as long as SecureBoot is not enabled
and it will also work on any older OS including Vista without any patches or
updates.  I also think it works for the moment on Server 2016 but probably
won't for long as they have said going forward Server 2016 will require that
drivers pass HLK tests.  This is what I'm doing right now; had a few grumpy
customers but it works.

Long term you have two options...
1. Attestation signing via the Windows Hardware Developer portal will get
you a driver that works on ONLY Windows 10.  In this case you will have to
condition your installer to install a different driver per OS.  This will
not work long term though if you need to support Server 2016.
2. Pass the HLK & HCK tests (potentially not easy) and get it signed via the
Windows Hardware Developer portal.  This gives you a driver that
(supposedly) works on all OSes including Server 2016.  Down side is if you
are like me and your driver is built on a framework from the late 90's it
does not have any hope of passing testing.

For conditional install on Win10 you cannot use VersionNT to determine if
you are on Windows 10 (thanks MS).  I found this check somewhere and use it
to condition my features:

<!-- VersionNT is not reliable to determine if OS is Win10 or not -->
<Property Id="WIN10FOUND">
  <DirectorySearch Id="searchSystemWin10" Path="[SystemFolder]" Depth="0">
    <FileSearch Id="searchFileWin10" Name="advapi32.dll"
MinVersion="6.3.10000.0"/>
  </DirectorySearch>
</Property>



-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of
Nick Elmer
Sent: Tuesday, June 13, 2017 10:24 AM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: Re: [wix-users] [EXTERNAL] Re: new Windows 10 version 1607 kernel
mode device driver requirements - HOWTO implement in WIX conditionally?

We went through this as well and after some discovery found that you can
dual sign a driver with SHA1 and SHA256 signatures. However, we also
discovered that Windows 2008 does not support SHA256 signing at all, so SHA1
has to be first. Windows 2008 R2 supports SHA256 but only with a service
pack so be sure to test across all of your platforms. This link references a
few MSDN threads on the dual signing question and some additional
considerations and issues. Hope this helps.

http://www.osronline.com/showThread.CFM?link=271472


-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of
Hoover, Jacob
Sent: Tuesday, June 13, 2017 10:54 AM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: [EXTERNAL] Re: [wix-users] new Windows 10 version 1607 kernel mode
device driver requirements - HOWTO implement in WIX conditionally?

>From the first link... :

How do I sign a driver so that it is compatible with Windows Vista, Windows
7, Windows 8, Windows 8.1, and Windows 10?

All you need to do is run the HLK tests for Windows 10 and run the HCK tests
for Windows 8.1 and earlier versions as you have in the past. Then, using
the Windows 10 HLK, merge the two test logs and submit your driver along
with the merged HLK/HCK test results to the Windows Hardware Developer
Center Dashboard portal. The portal will sign the driver correctly such that
it will work on all platforms that you indicate.

Are you trying to support XP / Older OS's?

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of
David Watson
Sent: Tuesday, June 13, 2017 4:08 AM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: Re: [wix-users] new Windows 10 version 1607 kernel mode device
driver requirements - HOWTO implement in WIX conditionally?

Do you support a wide variety of older operating systems?

I ask because I would have expected the EV certificates to work on most
operating systems so you can just replace the old driver with the newly
signed one. Then you don't need conditionals.

If you do want to do this you need component conditions on both sets of
components, the OS can be determined with the VersionNT and WindowsBuild
properties, but I am not sure if these are being populated correctly in
windows 10, there used to be issues.

Dave


[http://dr0muzwhcp26z.cloudfront.net/static/corporate/SDL_emailLogo.png]<www
.sdl.com/>
www.sdl.com


SDL PLC confidential, all rights reserved. If you are not the intended
recipient of this mail SDL requests and requires that you delete it without
acting upon or copying any of its contents, and we further request that you
advise us.

SDL PLC is a public limited company registered in England and Wales.
Registered number: 02675207.
Registered address: Globe House, Clivemont Road, Maidenhead, Berkshire SL6
7DY, UK.

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of
Anthony LaMark
Sent: 12 June 2017 17:26
To: wix-users at lists.wixtoolset.org
Subject: [wix-users] new Windows 10 version 1607 kernel mode device driver
requirements - HOWTO implement in WIX conditionally?

Hi,



Since Windows 10, version 1607 requires kernel mode device drivers to be
signed with an "Extended Validation Code Signing Certificate", I believe I
need to modify our installer (using WIX 3.10) now to install our kernel mode
device driver using a "conditional check" against the Windows Operating
System version.  I read this
<https://blogs.msdn.microsoft.com/windows_hardware_certification/2016/07/26/
driver-signing-changes-in-windows-10-version-1607/> Microsoft blog and it is
still not clear to me whether I really need to do this or not but I am
moving forward (preparing) as if I will.



The new logic for the WIX installer that I desire will be:



if (Windows 10, 1607 or greater) then

  install the device driver signed with the "Extended Validation Symantec
Code Signing Certificate"

else

  install the device driver signed with our existing "Symantec Code Signing
Certificate"



The wxs file currently is defined with:



         <Component Id='TheKernelModeDriver'
Guid='{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}'>

           <File Id=' TheKernelModeDriverSYS' Name='xxxxxx.sys' DiskId='1'
Source='\driver\secRMM.sys' KeyPath='yes' />

           <File Id=' TheKernelModeDriverINF' Name='xxxxxx.inf' DiskId='1'
Source='\driver\secRMM.inf' />

           <File Id=' TheKernelModeDriverCAT' Name='xxxxxx.cat' DiskId='1'
Source='\driver\secRMM.cat' />

           <difx:Driver AddRemovePrograms='no' DeleteFiles='yes'
ForceInstall='yes' Legacy='yes' PlugAndPlayPrompt='no' Sequence='1'/>

         </Component>





   <Feature Id="ProductFeatures"  Title="Binaries" Level="1">

     <ComponentRef Id='TheKernelModeDriver'  />

   </Feature>



Looking at the documentation and web searching, I am not sure whether the
conditional logic (if that is the solution/is possible for drivers) goes in
the Component or Feature.

Also, I am looking for the WIX/msiexec property to allow me implement the
conditional check above.



If this is not possible, I am going to have to build two different
installers (.msi), one with the Extended Validation signed driver and one
with the "non"Extended Validation driver (for older OS-es).



Looking at the Microsoft documentation page titled
<https://msdn.microsoft.com/en-us/library/windows/desktop/aa370556(v=vs.85).
aspx> "Operating System Property Values" , I do not see values for 
aspx> Windows
10 (and the versions such as 1607) or Server 2016.

Web searching results have mixed information about determining a Windows 10
OS let alone the version of 1607.



Does anyone have any advice on how to implement this in WIX?



Anthony LaMark

squadra technologies

http://webdefence.global.blackspider.com/urlwrap/?q=AXicY2Rm8FrCwHB9AQNDUU6l
gUmSXnFRmV5uYmZOcn5eSVF-jl5yfi5Dmamze1BoloehoaW5iTFDSnliSXF-nkNxCkQ6o6SkwEpf
v7y8XK-4sDQxpSixJDU5Iy8_Jz89M7UYrISBoXMKAwMAuu8kcA&Z
<http://webdefence.global.blackspider.com/urlwrap/?q=AXicY2Rm8FrCwHB9AQNDUU6
lgUmSXnFRmV5uYmZOcn5eSVF-jl5yfi5Dmamze1BoloehoaW5iTFDSnliSXF-nkNxCkQ6o6SkwEp
fv7y8XK-4sDQxpSixJDU5Iy8_Jz89M7UYpESfgYGhcwoDAwDfuiSf&Z>

562.221.3079




____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant
http://www.firegiant.com/


This message has been scanned for malware by Websense. www.websense.com

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant
http://www.firegiant.com/

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant
http://www.firegiant.com/

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant
http://www.firegiant.com/

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant
http://www.firegiant.com/

More information about the wix-users mailing list