[wix-users] [EXTERNAL] Re: new Windows 10 version 1607 kernel mode device driver requirements - HOWTO implement in WIX conditionally?

Tom Brezinski tom.brezinski at ViaviSolutions.com
Wed Jun 14 04:47:36 PDT 2017


This is on my to-do list as well so I will chime in with what I know...

If you dual sign your driver with a SHA1 certificate and SHA256EV (yes you have to buy two certs) and cross sign via the old cross signing certificates method you will work on Windows 10 1607 as long as SecureBoot is not enabled and it will also work on any older OS including Vista without any patches or updates.  I also think it works for the moment on Server 2016 but probably won't for long as they have said going forward Server 2016 will require that drivers pass HLK tests.  This is what I'm doing right now; had a few grumpy customers but it works.

Long term you have two options...
1. Attestation signing via the Windows Hardware Developer portal will get you a driver that works on ONLY Windows 10.  In this case you will have to condition your installer to install a different driver per OS.  This will not work long term though if you need to support Server 2016.
2. Pass the HLK & HCK tests (potentially not easy) and get it signed via the Windows Hardware Developer portal.  This gives you a driver that (supposedly) works on all OSes including Server 2016.  Downside is if you are like me and your driver is built on a framework from the late 90's it does not have any hope of passing testing.

For conditional install on Win10 you cannot use VersionNT to determine if you are on Windows 10 (thanks MS).  I found this check somewhere and use it to condition my features:

<!-- VersionNT is not reliable to determine if OS is Win10 or not -->
<Property Id="WIN10FOUND">
  <DirectorySearch Id="searchSystemWin10" Path="[SystemFolder]" Depth="0">
    <FileSearch Id="searchFileWin10" Name="advapi32.dll" MinVersion="6.3.10000.0"/>
  </DirectorySearch>
</Property>
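
An added example, not part of the original message or of anyone's shipping installer: the WIN10FOUND search above used in component-level conditions so that exactly one of two driver packages is installed. The component and file Ids, the DriverFolder directory and the driver\ev and driver\legacy source paths are hypothetical; the difx:Driver attributes are copied from the original question further down the thread.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example. Component/file Ids, the DriverFolder directory and the
     driver\ev and driver\legacy source paths are hypothetical. -->
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi"
     xmlns:difx="http://schemas.microsoft.com/wix/DifxAppExtension">
  <Fragment>
    <!-- Search from the message above: set when advapi32.dll in the system
         folder has a version above 6.3.10000.0. It separates Windows 10 from
         older releases; it does not single out version 1607. -->
    <Property Id="WIN10FOUND">
      <DirectorySearch Id="searchSystemWin10" Path="[SystemFolder]" Depth="0">
        <FileSearch Id="searchFileWin10" Name="advapi32.dll" MinVersion="6.3.10000.0"/>
      </DirectorySearch>
    </Property>

    <!-- DriverFolder is assumed to be declared elsewhere in the product. -->
    <DirectoryRef Id="DriverFolder">
      <!-- Installed only when the search found a Windows 10 advapi32.dll. -->
      <Component Id="DriverWin10" Guid="PUT-GUID-HERE">
        <Condition>WIN10FOUND</Condition>
        <File Id="DriverWin10SYS" Name="xxxxxx.sys" Source="driver\ev\xxxxxx.sys" KeyPath="yes"/>
        <File Id="DriverWin10INF" Name="xxxxxx.inf" Source="driver\ev\xxxxxx.inf"/>
        <File Id="DriverWin10CAT" Name="xxxxxx.cat" Source="driver\ev\xxxxxx.cat"/>
        <difx:Driver AddRemovePrograms="no" DeleteFiles="yes" ForceInstall="yes"
                     Legacy="yes" PlugAndPlayPrompt="no" Sequence="1"/>
      </Component>

      <!-- Installed on every older OS; the two conditions are mutually
           exclusive, so the same file names never collide. -->
      <Component Id="DriverLegacy" Guid="PUT-GUID-HERE">
        <Condition>NOT WIN10FOUND</Condition>
        <File Id="DriverLegacySYS" Name="xxxxxx.sys" Source="driver\legacy\xxxxxx.sys" KeyPath="yes"/>
        <File Id="DriverLegacyINF" Name="xxxxxx.inf" Source="driver\legacy\xxxxxx.inf"/>
        <File Id="DriverLegacyCAT" Name="xxxxxx.cat" Source="driver\legacy\xxxxxx.cat"/>
        <difx:Driver AddRemovePrograms="no" DeleteFiles="yes" ForceInstall="yes"
                     Legacy="yes" PlugAndPlayPrompt="no" Sequence="1"/>
      </Component>
    </DirectoryRef>

    <Feature Id="ProductFeatures" Title="Binaries" Level="1">
      <ComponentRef Id="DriverWin10"/>
      <ComponentRef Id="DriverLegacy"/>
    </Feature>
  </Fragment>
</Wix>
```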



-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Nick Elmer
Sent: Tuesday, June 13, 2017 10:24 AM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: Re: [wix-users] [EXTERNAL] Re: new Windows 10 version 1607 kernel mode device driver requirements - HOWTO implement in WIX conditionally?

We went through this as well and after some discovery found that you can dual sign a driver with SHA1 and SHA256 signatures. However, we also discovered that Windows 2008 does not support SHA256 signing at all, so SHA1 has to be first. Windows 2008 R2 supports SHA256 but only with a service pack so be sure to test across all of your platforms. This link references a few MSDN threads on the dual signing question and some additional considerations and issues. Hope this helps.

http://www.osronline.com/showThread.CFM?link=271472


-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Hoover, Jacob
Sent: Tuesday, June 13, 2017 10:54 AM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: [EXTERNAL] Re: [wix-users] new Windows 10 version 1607 kernel mode device driver requirements - HOWTO implement in WIX conditionally?

From the first link... :

How do I sign a driver so that it is compatible with Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10?

All you need to do is run the HLK tests for Windows 10 and run the HCK tests for Windows 8.1 and earlier versions as you have in the past. Then, using the Windows 10 HLK, merge the two test logs and submit your driver along with the merged HLK/HCK test results to the Windows Hardware Developer Center Dashboard portal. The portal will sign the driver correctly such that it will work on all platforms that you indicate.

Are you trying to support XP / Older OS's?

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of David Watson
Sent: Tuesday, June 13, 2017 4:08 AM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: Re: [wix-users] new Windows 10 version 1607 kernel mode device driver requirements - HOWTO implement in WIX conditionally?

Do you support a wide variety of older operating systems?

I ask because I would have expected the EV certificates to work on most operating systems so you can just replace the old driver with the newly signed one. Then you don't need conditionals.

If you do want to do this you need component conditions on both sets of components. The OS can be determined with the VersionNT and WindowsBuild properties, but I am not sure if these are being populated correctly in Windows 10; there used to be issues.

Dave



-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Anthony LaMark
Sent: 12 June 2017 17:26
To: wix-users at lists.wixtoolset.org
Subject: [wix-users] new Windows 10 version 1607 kernel mode device driver requirements - HOWTO implement in WIX conditionally?

Hi,



Since Windows 10, version 1607 requires kernel mode device drivers to be signed with an "Extended Validation Code Signing Certificate", I believe I need to modify our installer (using WIX 3.10) now to install our kernel mode device driver using a "conditional check" against the Windows Operating System version.  I read this <https://blogs.msdn.microsoft.com/windows_hardware_certification/2016/07/26/driver-signing-changes-in-windows-10-version-1607/> Microsoft blog and it is still not clear to me whether I really need to do this or not but I am moving forward (preparing) as if I will.



The new logic for the WIX installer that I desire will be:



if (Windows 10, 1607 or greater) then

  install the device driver signed with the "Extended Validation Symantec Code Signing Certificate"

else

  install the device driver signed with our existing "Symantec Code Signing Certificate"



The wxs file currently is defined with:



<Component Id='TheKernelModeDriver' Guid='{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}'>
  <File Id='TheKernelModeDriverSYS' Name='xxxxxx.sys' DiskId='1' Source='\driver\secRMM.sys' KeyPath='yes' />
  <File Id='TheKernelModeDriverINF' Name='xxxxxx.inf' DiskId='1' Source='\driver\secRMM.inf' />
  <File Id='TheKernelModeDriverCAT' Name='xxxxxx.cat' DiskId='1' Source='\driver\secRMM.cat' />
  <difx:Driver AddRemovePrograms='no' DeleteFiles='yes' ForceInstall='yes' Legacy='yes' PlugAndPlayPrompt='no' Sequence='1'/>
</Component>

<Feature Id="ProductFeatures" Title="Binaries" Level="1">
  <ComponentRef Id='TheKernelModeDriver' />
</Feature>



Looking at the documentation and web searching, I am not sure whether the conditional logic (if that is the solution/is possible for drivers) goes in the Component or Feature.

Also, I am looking for the WIX/msiexec property to allow me to implement the conditional check above.



If this is not possible, I am going to have to build two different installers (.msi), one with the Extended Validation signed driver and one with the "non"Extended Validation driver (for older OS-es).



Looking at the Microsoft documentation page titled <https://msdn.microsoft.com/en-us/library/windows/desktop/aa370556(v=vs.85).aspx> "Operating System Property Values", I do not see values for Windows 10 (and the versions such as 1607) or Server 2016.

Web searching results have mixed information about determining a Windows 10 OS let alone the version of 1607.



Does anyone have any advice on how to implement this in WIX?



Anthony LaMark

squadra technologies


562.221.3079




____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/

