Changeset 106247 in vbox

Timestamp:

Oct 8, 2024 9:50:21 PM (7 weeks ago)

Author:

vboxsync

Message:

Additions/NT/Installer,Config.kmk: Use the same signing commands for the additions installer and uninstaller image as for signing all other executables. VBOX_SIGN_FILE_FN would work differently from VBOX_SIGN_IMAGE_FN when corp signing plans b & c. This caused trouble when the installer loader stub compared its signature with that of the actual installers or the build certificate. bugref:10771

Location:

trunk

Files:

• Config.kmk (modified) (4 diffs)
• src/VBox/Additions/WINNT/Installer/Makefile.kmk (modified) (3 diffs)

trunk/Config.kmk

@@ -4506 +4506 @@
         $(if-expr "$4" == "2",$$(NLTAB),$(NLTAB))$(call VBOX_CCS_SIGN_CMD,driver$(if-expr "$3" == "/ph",_pagehash,),$1,,-digest_algo SHA2)
 
-  ## Sign an executable image.
+  ## Sign an executable image, normal method.
   # @param 1  The file to sign.
   # @param 2  File description. Optional.
   # @param 3  Set to 2 if the expression will be expanded twice before chopped into commands (for _CMDS).
   if1of (win_with_ev, $(VBOX_WITH_CORP_CODE_SIGNING))
-   VBOX_SIGN_IMAGE_FN        ?= $(call VBOX_SIGN_IMAGE_WITH_EV_FN,$(1),$(2),/ph,$(3))
-   VBOX_SIGN_IMAGE_ORDERDEPS ?= $(VBOX_RTSIGNTOOL) $(VBOX_SIGNTOOL_ORDERDEPS)
+   VBOX_SIGN_IMAGE_NORMAL_FN        ?= $(call VBOX_SIGN_IMAGE_WITH_EV_FN,$(1),$(2),/ph,$(3))
+   VBOX_SIGN_IMAGE_NORMAL_ORDERDEPS ?= $(VBOX_RTSIGNTOOL) $(VBOX_SIGNTOOL_ORDERDEPS)
   else
-   VBOX_SIGN_IMAGE_FN        ?= $(call VBOX_SIGN_FILE_FN,$(1),$(2),/ph,$(3))
-   VBOX_SIGN_IMAGE_ORDERDEPS ?= $(VBOX_SIGNTOOL_ORDERDEPS)
+   VBOX_SIGN_IMAGE_NORMAL_FN        ?= $(call VBOX_SIGN_FILE_FN,$(1),$(2),/ph,$(3))
+   VBOX_SIGN_IMAGE_NORMAL_ORDERDEPS ?= $(VBOX_SIGNTOOL_ORDERDEPS)
   endif
 
@@ -4523 +4523 @@
    VBOX_SIGN_DRIVER_ORDERDEPS ?= $(if $(eq $(tool_do),LINK_LIBRARY),,$(VBOX_RTSIGNTOOL) $(VBOX_SIGNTOOL_ORDERDEPS))
   else if $(intersects win_planc,$(VBOX_WITH_CORP_CODE_SIGNING))
-   VBOX_SIGN_DRIVER_CMDS      ?= $(if $(eq $(tool_do),LINK_LIBRARY),,$(call VBOX_SIGN_IMAGE_FN,$(out),,2,nodual))
+   VBOX_SIGN_DRIVER_CMDS      ?= $(if $(eq $(tool_do),LINK_LIBRARY),,$(call VBOX_SIGN_IMAGE_NORMAL_FN,$(out),,2,nodual))
    VBOX_SIGN_DRIVER_ORDERDEPS ?= $(if $(eq $(tool_do),LINK_LIBRARY),,$(VBOX_RTSIGNTOOL) $(VBOX_SIGNTOOL_ORDERDEPS))
   else
-   VBOX_SIGN_DRIVER_CMDS      ?= $(if $(eq $(tool_do),LINK_LIBRARY),,$(call VBOX_SIGN_IMAGE_FN,$(out),,2))
-   VBOX_SIGN_DRIVER_ORDERDEPS ?= $(if $(eq $(tool_do),LINK_LIBRARY),,$(VBOX_SIGN_IMAGE_ORDERDEPS))
+   VBOX_SIGN_DRIVER_CMDS      ?= $(if $(eq $(tool_do),LINK_LIBRARY),,$(call VBOX_SIGN_IMAGE_NORMAL_FN,$(out),,2))
+   VBOX_SIGN_DRIVER_ORDERDEPS ?= $(if $(eq $(tool_do),LINK_LIBRARY),,$(VBOX_SIGN_IMAGE_NORMAL_ORDERDEPS))
   endif
 
@@ -4553 +4553 @@
   endif
 
+  ## Functions + deps for signing an executable or a dll image. See VBOX_SIGN_IMAGE_NORMAL_FN for parameters.
+  if defined(VBOX_CERTIFICATE_SUBJECT_NAME) && $(intersects win_planb,$(VBOX_WITH_CORP_CODE_SIGNING))
+   VBOX_SIGN_IMAGE_FN             ?= $(call VBOX_SIGN_IMAGE_PLAN_B_FN,$(1),$(2),/ph,$(3))
+   VBOX_SIGN_IMAGE_ORDERDEPS      ?= $(VBOX_RTSIGNTOOL) $(VBOX_SIGNTOOL_ORDERDEPS)
+  else if defined(VBOX_CERTIFICATE_SUBJECT_NAME) && $(intersects win_planc,$(VBOX_WITH_CORP_CODE_SIGNING))
+   VBOX_SIGN_IMAGE_FN             ?= $(call VBOX_SIGN_IMAGE_PLAN_C_FN,$(1),$(2),/ph,$(3))
+   VBOX_SIGN_IMAGE_ORDERDEPS      ?= $(VBOX_RTSIGNTOOL) $(VBOX_SIGNTOOL_ORDERDEPS)
+  else
+   VBOX_SIGN_IMAGE_FN             ?= $(call VBOX_SIGN_IMAGE_NORMAL_FN,$(1),$(2),$(3))
+   VBOX_SIGN_IMAGE_ORDERDEPS      ?= $(VBOX_SIGN_IMAGE_NORMAL_ORDERDEPS)
+  endif
+
   # Go nuts, sign everything.
   if "$(VBOX_SIGNING_MODE)" == "release" || defined(VBOX_WITH_HARDENING)
@@ -4563 +4575 @@
     VBOX_SIGN_IMAGE_CMDS_ORDERDEPS ?= $(if $(eq $(tool_do),LINK_LIBRARY),,$(VBOX_RTSIGNTOOL) $(VBOX_SIGNTOOL_ORDERDEPS))
    else
-    VBOX_SIGN_IMAGE_CMDS           ?= $(if $(eq $(tool_do),LINK_LIBRARY),,$(call VBOX_SIGN_IMAGE_FN,$(out),,2))
-    VBOX_SIGN_IMAGE_CMDS_ORDERDEPS ?= $(if $(eq $(tool_do),LINK_LIBRARY),,$(VBOX_SIGN_IMAGE_ORDERDEPS))
+    VBOX_SIGN_IMAGE_CMDS           ?= $(if $(eq $(tool_do),LINK_LIBRARY),,$(call VBOX_SIGN_IMAGE_NORMAL_FN,$(out),,2))
+    VBOX_SIGN_IMAGE_CMDS_ORDERDEPS ?= $(if $(eq $(tool_do),LINK_LIBRARY),,$(VBOX_SIGN_IMAGE_NORMAL_ORDERDEPS))
    endif
   endif

trunk/src/VBox/Additions/WINNT/Installer/Makefile.kmk

@@ -316 +316 @@
                 $(if $(VBOX_WIN_ATTESTATION_SIGNING),$(PATH_OUT)/repackadd/$(VBOX_SIGNED_DRIVERS_ZIP_NAME)) \
                 $(VBOX_VERSION_STAMP) \
-                $$(VBoxDrvInst_1_STAGE_TARGET)
+                $$(VBoxDrvInst_1_STAGE_TARGET) \
+                | $(VBOX_SIGN_IMAGE_ORDERDEPS)
         $(call MSG_L1,Creating $@, from $<)
-ifdef VBOX_WIN_ATTESTATION_SIGNING # Unpack the attestation signed drivers - this is an ugly has 'ing heck hack!
+ifdef VBOX_WIN_ATTESTATION_SIGNING # Unpack the attestation signed drivers - this is an ugly as 'ing heck hack!
         $(TOOL_ZIP_UNPACK) -oj $(PATH_OUT)/repackadd/$(VBOX_SIGNED_DRIVERS_ZIP_NAME) -d $(PATH_STAGE_BIN)/additions/
 endif
@@ -332 +333 @@
                         $(foreach lang,$(VBOX_INSTALLER_ADD_LANGUAGES),'/DVBOX_BRAND_$(lang)_LICENSE_RTF=1') \
                         '$(subst /,\,$<)'
-        $(call VBOX_SIGN_FILE_FN,$@)
+        $(call VBOX_SIGN_IMAGE_FN,$@)
 
 
@@ -378 +379 @@
                         '$(subst /,\,$<)'
 
- $(PATH_TARGET)/uninst.exe: $(PATH_TARGET)/VBoxWindowsAdditions-$(KBUILD_TARGET_ARCH)-uninst.exe | $$(dir $$@)
+ $(PATH_TARGET)/uninst.exe: \
+                $(PATH_TARGET)/VBoxWindowsAdditions-$(KBUILD_TARGET_ARCH)-uninst.exe | $$(dir $$@) $(VBOX_SIGN_IMAGE_ORDERDEPS)
         $(call MSG_L1,Creating $@, from $<)
         $(QUIET)$(RM) -f $@
         -$(REDIRECT) -E __COMPAT_LAYER=RUNASINVOKER -- $<
         $(TEST) -f $@
-        $(call VBOX_SIGN_FILE_FN,$@)
+        $(call VBOX_SIGN_IMAGE_FN,$@)
 
 endif # VBOX_SIGNING_MODE