Changeset 96692 in vbox

Timestamp:

Sep 12, 2022 12:39:59 AM (2 years ago)

Author:

vboxsync

Message:

Add/Nt/Installer,/Config.kmk,SupDrv/Certs: Check for and install missing root certificates. This is a real problem with vista and older. bugref:10261

Location:

trunk

Files:

: 3 added
: 9 edited

Config.kmk (modified) (5 diffs)
src/VBox/Additions/Makefile.kmk (modified) (1 diff)
src/VBox/Additions/WINNT/Installer/Languages/English.nsh (modified) (1 diff)
src/VBox/Additions/WINNT/Installer/Languages/French.nsh (modified) (1 diff)
src/VBox/Additions/WINNT/Installer/Languages/German.nsh (modified) (1 diff)
src/VBox/Additions/WINNT/Installer/Makefile.kmk (modified) (4 diffs)
src/VBox/Additions/WINNT/Installer/VBoxGuestAdditionsLog.nsh (modified) (1 diff)
src/VBox/Additions/WINNT/Installer/VBoxGuestAdditionsW2KXP.nsh (modified) (3 diffs)
src/VBox/Additions/WINNT/tools/Makefile.kmk (modified) (1 diff)
src/VBox/HostDrivers/Support/Certificates/CaRoot-DigiCertAssuredIDRootCA-0ce7e0e517d846fe8fe560fc1bf03039.crt (added)
src/VBox/HostDrivers/Support/Certificates/CaRoot-DigiCertHighAssuranceEVRootCA-02ac5c266a0b409b8f0b79f2ae462577.crt (added)
src/VBox/HostDrivers/Support/Certificates/CaRoot-VeriSignPca3G5-18dad19e267de8bb4a2158cdcc6b3b4a.crt (added)

Legend:

: Unmodified
: Added
: Removed

trunk/Config.kmk

-              r96684
+              r96692
+#
+# Some source paths of global interest.
+#
+VBOX_PATH_SRC_CERTIFICATES = $(PATH_ROOT)/src/VBox/HostDrivers/Support/Certificates
+#
 # Delete targets on failure.
+#
 .DELETE_ON_ERROR:
+#
 # Notify about important kBuild updates.
+#
 if  $(KBUILD_VERSION_MAJOR) == 0 \
  && (   $(KBUILD_VERSION_MINOR) >= 2 \
 …
 endif
+#
 # The VirtualBox Configuration Defaults.
 …
 # (Used by the additions build server, don't invert it.)
 #VBOX_WITHOUT_ADDITIONS_ISO = 1
+# Include root certs in the windows GAs installer and on the ISO (ignore when
+# signing is disabled).  Since we don't have any runtime detection of which
+# roots are actually being used, we expect shipping of the non-default root
+# with the signing setup in LocalConfig.kmk.  Following root cert selectors
+# are available (more details in GA tools & installer):
+#       - VBOX_WITH_GA_ROOT_VERISIGN_G5
+#       - VBOX_WITH_GA_ROOT_DIGICERT_ASSURED_ID
+#       - VBOX_WITH_GA_ROOT_DIGICERT_HIGH_ASSURANCE_EV
+VBOX_WITH_GA_ROOT_CERTS_INCLUDED := 1
+if (!defined(VBOX_CERTIFICATE_SUBJECT_NAME) || !defined(VBOX_CERTIFICATE_SHA2_SUBJECT_NAME)) && "$(VBOX_SIGNING_MODE)" == "release"
+ VBOX_WITH_GA_ROOT_DIGICERT_ASSURED_ID := 1
+endif
 ## @}
 # Set build options right for building the Additions as an RPM package.
 # VBOX_ONLY_RPM_ADDITIONS = 1
 …
    VBOX_SIGN_IMAGE_CMDS_ORDERDEPS ?= $(if $(eq $(tool_do),LINK_LIBRARY),,$(VBOX_SIGN_IMAGE_ORDERDEPS))
   endif
+  ## Enable signing of the additions.
+  ## Enable signing of the additions drivers, i.e. create CAT files.
+  ## @todo r=bird: This bugger is entirely misplaced, as it belongs in the additions config section so it can be properly overriden.
   VBOX_SIGN_ADDITIONS   ?= 1
   ## Set if we should include the legacy timestamp CA.
 …
    endif
   endif
   VBOX_LEGACY_TS_CA_FILE = $(PATH_ROOT)/src/VBox/HostDrivers/Support/Certificates/Timestamp-VBoxLegacyWinCA.crt
+  VBOX_LEGACY_TS_CA_FILE = $(VBOX_PATH_SRC_CERTIFICATES)/Timestamp-VBoxLegacyWinCA.crt
  else ifeq ($(KBUILD_HOST),darwin)

trunk/src/VBox/Additions/Makefile.kmk

-              r96407
+              r96692
   GUESTADDITIONS_FILESPEC.win += cert/vbox-legacy-timestamp-ca.cer=$(VBOX_PATH_ADDITIONS.win)/vbox-legacy-timestamp-ca.cer
  endif
+ ifdef VBOX_WITH_GA_ROOT_CERTS_INCLUDED
+  ifdef VBOX_WITH_GA_ROOT_VERISIGN_G5
+   GUESTADDITIONS_FILESPEC.win += cert/root-versign-pca3-g5.cer=$(VBOX_PATH_ADDITIONS.win)/root-versign-pca3-g5.cer
+  endif
+  ifdef VBOX_WITH_GA_ROOT_DIGICERT_ASSURED_ID
+   GUESTADDITIONS_FILESPEC.win += cert/root-digicert-assured-id.cer=$(VBOX_PATH_ADDITIONS.win)/root-digicert-assured-id.cer
+  endif
+  ifdef VBOX_WITH_GA_ROOT_DIGICERT_HIGH_ASSURANCE_EV
+   GUESTADDITIONS_FILESPEC.win += cert/root-digicert-high-assurance-ev.cer=$(VBOX_PATH_ADDITIONS.win)/root-digicert-high-assurance-ev.cer
+  endif
+ endif
  GUESTADDITIONS_FILESPEC.win += windows11-bypass.reg=$(VBOX_PATH_ADDITIONS_SRC)/WINNT/tools/windows11-bypass.reg
 endif

trunk/src/VBox/Additions/WINNT/Installer/Languages/English.nsh

-              r96407
+              r96692
 LangString VBOX_NOTICE_ARCH_AMD64 ${LANG_ENGLISH}                   "This application only runs on 64-bit Windows systems. Please install the 32-bit version of $(^Name)!"
 LangString VBOX_NT4_NO_SP6 ${LANG_ENGLISH}                          "You do not seem to have Service Pack 6 for Windows NT4 installed.$\r$\nWe recommend that you install it first. Do you wish to continue anyway?"
+LangString VBOX_CA_CHECK_VERISIGN_G5 ${LANG_ENGLISH}                "A root certificate needed for driver signature verification during installation is missing:$\r$\n$\t'VeriSign Trust Network; OU=(c) 2006 VeriSign, Inc. - For authorized use only'$\r$\nThis can be downloaded from https://www.digicert.com/kb/digicert-root-certificates.htm and installed using $\"$INSTDIR$\".$\r$\nThe installation is likely to fail without the certificate.  Do you wish to continue anyway?"
+LangString VBOX_CA_CHECK_DIGICERT_ASSURED_ID ${LANG_ENGLISH}        "A root certificate needed for driver signature verification during installation is missing:$\r$\n$\t'DigiCert Assured ID Root CA'$\r$\nThis can be downloaded from https://www.digicert.com/kb/digicert-root-certificates.htm and installed using $\"$INSTDIR$\".$\r$\nThe installation is likely to fail without the certificate.  Do you wish to continue anyway?"
+LangString VBOX_CA_CHECK_DIGICERT_HIGH_ASSURANCE_EV ${LANG_ENGLISH} "A root certificate needed for driver signature verification during installation is missing:$\r$\n$\t'DigiCert High Assurance EV Root CA'$\r$\nThis can be downloaded from https://www.digicert.com/kb/digicert-root-certificates.htm and installed using $\"$INSTDIR$\".$\r$\nThe installation is likely to fail without the certificate.  Do you wish to continue anyway?"
 LangString VBOX_PLATFORM_UNSUPPORTED ${LANG_ENGLISH}                "The VirtualBox Guest Additions cannot be installed on this version of Windows"

trunk/src/VBox/Additions/WINNT/Installer/Languages/French.nsh

-              r96407
+              r96692
 LangString VBOX_NOTICE_ARCH_AMD64 ${LANG_FRENCH}                    "Cette application peut seulement être executée sur des systèmes Windows 64-bit. Veuillez installer la version 32-bit de $(^Name)!"
 LangString VBOX_NT4_NO_SP6 ${LANG_FRENCH}                           "Le programme d'installation a détécté que vous utilisez Windows NT4 sans Service Pack 6.$\r$\nNous vous conseillons d'installer ce Service Pack avant de continuer. Désirez vous cependant continuer?"
+;; @todo translate:
+LangString VBOX_CA_CHECK_VERISIGN_G5 ${LANG_FRENCH}                 "A root certificate needed for driver signature verification during installation is missing:$\r$\n$\t'VeriSign Trust Network; OU=(c) 2006 VeriSign, Inc. - For authorized use only'$\r$\nThis can be downloaded from https://www.digicert.com/kb/digicert-root-certificates.htm and installed using $\"$INSTDIR$\".$\r$\nThe installation is likely to fail without the certificate.  Do you wish to continue anyway?"
+LangString VBOX_CA_CHECK_DIGICERT_ASSURED_ID ${LANG_FRENCH}         "A root certificate needed for driver signature verification during installation is missing:$\r$\n$\t'DigiCert Assured ID Root CA'$\r$\nThis can be downloaded from https://www.digicert.com/kb/digicert-root-certificates.htm and installed using $\"$INSTDIR$\".$\r$\nThe installation is likely to fail without the certificate.  Do you wish to continue anyway?"
+LangString VBOX_CA_CHECK_DIGICERT_HIGH_ASSURANCE_EV ${LANG_FRENCH}  "A root certificate needed for driver signature verification during installation is missing:$\r$\n$\t'DigiCert High Assurance EV Root CA'$\r$\nThis can be downloaded from https://www.digicert.com/kb/digicert-root-certificates.htm and installed using $\"$INSTDIR$\".$\r$\nThe installation is likely to fail without the certificate.  Do you wish to continue anyway?"
 LangString VBOX_PLATFORM_UNSUPPORTED ${LANG_FRENCH}                 "Les Additions invité ne sont pas encore supportés sur cette plateforme!"

trunk/src/VBox/Additions/WINNT/Installer/Languages/German.nsh

-              r96407
+              r96692
 LangString VBOX_NOTICE_ARCH_AMD64 ${LANG_GERMAN}                    "Diese Applikation läuft nur auf 64-bit Windows-Systemen. Bitte installieren Sie die 32-bit Version der $(^Name)!"
 LangString VBOX_NT4_NO_SP6 ${LANG_GERMAN}                           "Es ist kein Service Pack 6 für NT 4.0 installiert.$\r$\nEs wird empfohlen das Service-Pack vor dieser Installation zu installieren. Trotzdem jetzt ohne Service-Pack installieren?"
+;; @todo translate:
+LangString VBOX_CA_CHECK_VERISIGN_G5 ${LANG_GERMAN}                 "A root certificate needed for driver signature verification during installation is missing:$\r$\n$\t'VeriSign Trust Network; OU=(c) 2006 VeriSign, Inc. - For authorized use only'$\r$\nThis can be downloaded from https://www.digicert.com/kb/digicert-root-certificates.htm and installed using $\"$INSTDIR$\".$\r$\nThe installation is likely to fail without the certificate.  Do you wish to continue anyway?"
+LangString VBOX_CA_CHECK_DIGICERT_ASSURED_ID ${LANG_GERMAN}         "A root certificate needed for driver signature verification during installation is missing:$\r$\n$\t'DigiCert Assured ID Root CA'$\r$\nThis can be downloaded from https://www.digicert.com/kb/digicert-root-certificates.htm and installed using $\"$INSTDIR$\".$\r$\nThe installation is likely to fail without the certificate.  Do you wish to continue anyway?"
+LangString VBOX_CA_CHECK_DIGICERT_HIGH_ASSURANCE_EV ${LANG_GERMAN}  "A root certificate needed for driver signature verification during installation is missing:$\r$\n$\t'DigiCert High Assurance EV Root CA'$\r$\nThis can be downloaded from https://www.digicert.com/kb/digicert-root-certificates.htm and installed using $\"$INSTDIR$\".$\r$\nThe installation is likely to fail without the certificate.  Do you wish to continue anyway?"
 LangString VBOX_PLATFORM_UNSUPPORTED ${LANG_GERMAN}                 "Diese Plattform wird noch nicht durch diese Guest Additions unterstützt!"

trunk/src/VBox/Additions/WINNT/Installer/Makefile.kmk

-              r96691
+              r96692
 VBOX_WINDOWS_ADDITIONS_OTHER_FILES += \
         $(PATH_STAGE_BIN)/additions/VBoxAudioTest.exe
+endif
+if defined(VBOX_SIGNING_MODE) && defined(VBOX_SIGN_ADDITIONS)
+ ifdef VBOX_WITH_VBOX_LEGACY_TS_CA
+VBOX_WINDOWS_ADDITIONS_OTHER_FILES += $(PATH_STAGE_BIN)/additions/vbox-legacy-timestamp-ca.cer
+ endif
+ ifdef VBOX_WITH_GA_ROOT_CERTS_INCLUDED
+  ifdef VBOX_WITH_GA_ROOT_VERISIGN_G5
+VBOX_WINDOWS_ADDITIONS_OTHER_FILES += $(PATH_STAGE_BIN)/additions/root-versign-pca3-g5.cer
+  endif
+  ifdef VBOX_WITH_GA_ROOT_DIGICERT_ASSURED_ID
+VBOX_WINDOWS_ADDITIONS_OTHER_FILES += $(PATH_STAGE_BIN)/additions/root-digicert-assured-id.cer
+  endif
+  ifdef VBOX_WITH_GA_ROOT_DIGICERT_HIGH_ASSURANCE_EV
+VBOX_WINDOWS_ADDITIONS_OTHER_FILES += $(PATH_STAGE_BIN)/additions/root-digicert-high-assurance-ev.cer
+  endif
+ endif
 endif
 …
                 $(PATH_SUB_CURRENT)/VBoxGuestAdditionsVista.nsh \
                 $(PATH_SUB_CURRENT)/VBoxGuestAdditionsNT4.nsh \
+                $(PATH_SUB_CURRENT)/Languages/English.nsh \
+                $(PATH_SUB_CURRENT)/Languages/German.nsh \
+                $(PATH_SUB_CURRENT)/Languages/French.nsh \
                 $(VBOX_WINDOWS_ADDITIONS_ATTESTATION_SIGNED_FILES) \
                 $(VBOX_WINDOWS_ADDITIONS_OTHER_FILES) \
 …
                 $(VB_WIN_ADD_NSIS_ENV) \
                 -- $(EXEC_X86_WIN32) $(VBOX_PATH_NSIS)/makensis.exe /NOCD /V2 \
-                        $(if $(VBOX_SIGN_ADDITIONS),'/DVBOX_SIGN_ADDITIONS=1') \
                         $(if $(VBOX_SIGNING_MODE),'/DEXTERNAL_UNINSTALLER=1') \
+                        $(if $(VBOX_WITH_VBOX_LEGACY_TS_CA),'/DVBOX_WITH_VBOX_LEGACY_TS_CA=1') \
+                       $(if-expr defined(VBOX_SIGN_ADDITIONS) && defined(VBOX_SIGNING_MODE), \
+                        '/DVBOX_SIGN_ADDITIONS=1' \
+                        $(if-expr defined(VBOX_WITH_GA_ROOT_CERTS_INCLUDED)            ,'/DVBOX_WITH_GA_ROOT_CERTS_INCLUDED=1',) \
+                        $(if-expr defined(VBOX_WITH_GA_ROOT_VERISIGN_G5)               ,'/DVBOX_WITH_GA_ROOT_VERISIGN_G5=1',) \
+                        $(if-expr defined(VBOX_WITH_GA_ROOT_DIGICERT_ASSURED_ID)       ,'/DVBOX_WITH_GA_ROOT_DIGICERT_ASSURED_ID=1',) \
+                        $(if-expr defined(VBOX_WITH_GA_ROOT_DIGICERT_HIGH_ASSURANCE_EV),'/DVBOX_WITH_GA_ROOT_DIGICERT_HIGH_ASSURANCE_EV=1',) \
+                                $(if-expr defined(VBOX_WITH_VBOX_LEGACY_TS_CA)                 ,'/DVBOX_WITH_VBOX_LEGACY_TS_CA=1') \
+                       ,) \
                         $(if $(VBOX_INSTALLER_ADD_LANGUAGES),'/DVBOX_INSTALLER_ADD_LANGUAGES=1') \
                         $(foreach lang,$(VBOX_INSTALLER_ADD_LANGUAGES),'/DVBOX_BRAND_$(lang)_LICENSE_RTF=1') \
 …
                 $(PATH_SUB_CURRENT)/VBoxGuestAdditionsVista.nsh \
                 $(PATH_SUB_CURRENT)/VBoxGuestAdditionsNT4.nsh \
+                $(PATH_SUB_CURRENT)/Languages/English.nsh \
+                $(PATH_SUB_CURRENT)/Languages/German.nsh \
+                $(PATH_SUB_CURRENT)/Languages/French.nsh \
                 $(VBOX_WINDOWS_ADDITIONS_ATTESTATION_SIGNED_FILES) \
                 $(VBOX_WINDOWS_ADDITIONS_OTHER_FILES) \

trunk/src/VBox/Additions/WINNT/Installer/VBoxGuestAdditionsLog.nsh

r96451	r96692
67	67	!macro _logToVBoxTray type text
68	68
69		${LogVerbose} "${text}"
	69	${LogVerbose} "To VBoxTray: ${text}"
70	70	!if $%VBOX_WITH_GUEST_INSTALL_HELPER% == "1"
71	71	Push $0

trunk/src/VBox/Additions/WINNT/Installer/VBoxGuestAdditionsW2KXP.nsh

-              r96687
+              r96692
 FunctionEnd
+!ifdef VBOX_SIGN_ADDITIONS
+  !ifdef VBOX_WITH_GA_ROOT_VERISIGN_G5 | VBOX_WITH_GA_ROOT_DIGICERT_ASSURED_ID | VBOX_WITH_GA_ROOT_DIGICERT_HIGH_ASSURANCE_EV
+;;
+; Checks
+;
+; @param    pop1    The RDN of the certificate.
+; @param    pop2    Filename (cert dir) if we're shipping it (VBOX_WITH_GA_ROOT_CERTS_INCLUDED).
+; @param    pop3    The direct download URL link.
+; @param    pop4    The message to display if missing.
+;
+Function W2K_RootCertCheck
+  ;
+  ; Prolog: Save $0, $1, $2, $3 and move the parameters into them. Also save $4 for results.
+  ;
+  Push    $0
+  Exch    4
+  Push    $1
+  Exch    4
+  Push    $2
+  Exch    4
+  Push    $3
+  Exch    4
+  Pop     $0                                ; RDN
+  Pop     $1                                ; Filename
+  Pop     $2                                ; Direct URL
+  Pop     $3                                ; Missing message
+  Push    $4
+  ;
+  ; Run VBoxCertUtil to check.
+  ;
+  ${LogVerbose} "Checking if $0 is installed ..."
+  ${If} ${Silent}
+    nsExec::ExecToStack "$\"$INSTDIR\cert\VBoxCertUtil.exe$\" root-exists $\"$0$\""
+    Exch 1
+    Pop  $4                                 ; output
+    ${LogVerbose} "$4"
+    Pop  $4                                 ; exit code
+  ${Else}
+    nsExec::ExecToLog   "$\"$INSTDIR\cert\VBoxCertUtil.exe$\" root-exists $\"$0$\""
+    Pop  $4                                 ; exit code
+  ${EndIf}
+  ${LogVerbose} "Exit code: $4"
+  ;
+  ; VBoxCertUtil terminates with exit code 10 if not found, 0 if found and something else on failure.
+  ;
+  ${If} $4 == 0
+    ${LogVerbose} "Root certificate is present."
+  ${ElseIf} $4 == 10
+  !ifdef VBOX_WITH_GA_ROOT_CERTS_INCLUDED
+    ${LogVerbose} "Root certificate is _NOT_ present.  Installing it ..."
+    ${CmdExecute} "$\"$INSTDIR\cert\VBoxCertUtil.exe$\" add-root $\"$INSTDIR\cert\$1$\"" 'non-zero-exitcode=abort'
+  !else
+    ${LogVerbose} "Root certificate is _NOT_ present.  The certificate can be downloaded from $2 and installed using '$INSTDIR\cert\VBoxCertUtil.exe'."
+    MessageBox MB_YESNO $3 /SD IDYES IDYES l_dont_abort
+    Abort "Missing signing root certificate $0"
+l_dont_abort:
+  !endif
+  ${ElseIf} $R4 <> 0
+    ${LogVerbose} "Unable to determine whether the root certificate was present. Assuming the worst."
+    Abort "Error when checking whether signing root certificate '$0' was present: $4"
+  ${EndIf}
+  ;
+  ; Epilog: Restore $0-$4 (we return nothing).
+  ;
+  Pop     $4
+  Pop     $3
+  Pop     $2
+  Pop     $1
+  Pop     $0
+FunctionEnd
+  !endif
+!endif
 Function W2K_Prepare
+  ; Save registers
+  Push  $R0
+  Push  $R1
+  Push  $R2
+  Push  $R3
+  Push  $R4
   ${If} $g_bNoVBoxServiceExit == "false"
 …
   Delete /REBOOTOK "$INSTDIR\VBoxService.exe"
+!ifdef VBOX_SIGN_ADDITIONS && VBOX_WITH_VBOX_LEGACY_TS_CA
+  ; NSIS only supports global vars, even in functions -- great
+!ifdef VBOX_SIGN_ADDITIONS
+  ;
+  ; When installing signed GAs, we need to check whether the root certs are
+  ; present, we use VBoxCertUtil for this task.  This utility is also used
+  ; for installing missing root certs we can ship, like the special timestamp
+  ; root further down.
+  ;
+  ${LogVerbose} "Installing VBoxCertUtil.exe ..."
+  SetOutPath "$INSTDIR\cert"
+  FILE "$%PATH_OUT%\bin\additions\VBoxCertUtil.exe"
+  !ifdef VBOX_WITH_VBOX_LEGACY_TS_CA
+  FILE "$%PATH_OUT%\bin\additions\vbox-legacy-timestamp-ca.cer"
+  !endif
+  !ifdef VBOX_WITH_GA_ROOT_CERTS_INCLUDED
+    !ifdef VBOX_WITH_GA_ROOT_VERISIGN_G5
+  FILE "$%PATH_OUT%\bin\additions\root-versign-pca3-g5.cer"
+    !endif
+    !ifdef VBOX_WITH_GA_ROOT_DIGICERT_ASSURED_ID
+  FILE "$%PATH_OUT%\bin\additions\root-digicert-assured-id.cer"
+    !endif
+    !ifdef VBOX_WITH_GA_ROOT_DIGICERT_HIGH_ASSURANCE_EV
+  FILE "$%PATH_OUT%\bin\additions\root-digicert-high-assurance-ev.cer"
+    !endif
+  !endif
+  ; Now that the files are in place, do the checking.
+  !ifdef VBOX_WITH_GA_ROOT_VERISIGN_G5
+  Push $(VBOX_CA_CHECK_VERISIGN_G5)
+  Push "http://cacerts.digicert.com/pca3-g5.crt"
+  Push "root-versign-pca3-g5.cer"
+  Push "C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=(c) 2006 VeriSign, Inc. - For authorized use only; CN=VeriSign Class 3 Public Primary Certification Authority - G5"
+  Call W2K_RootCertCheck
+  !endif
+  !ifdef VBOX_WITH_GA_ROOT_DIGICERT_ASSURED_ID
+  Push $(VBOX_CA_CHECK_DIGICERT_ASSURED_ID)
+  Push "https://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt"
+  Push "root-digicert-assured-id.cer"
+  Push "C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert Assured ID Root CA"
+  Call W2K_RootCertCheck
+  !endif
+  !ifdef VBOX_WITH_GA_ROOT_DIGICERT_HIGH_ASSURANCE_EV
+  Push $(VBOX_CA_CHECK_DIGICERT_HIGH_ASSURANCE_EV)
+  Push "https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt"
+  Push "root-digicert-high-assurance-ev.cer"
+  Push "C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert High Assurance EV Root CA"
+  Call W2K_RootCertCheck
+  !endif
+  !ifdef VBOX_WITH_VBOX_LEGACY_TS_CA
+  ;
+  ; Install the legacy timestamp CA if required/requested.
+  ;
+  ; NSIS only supports global vars, even in functions -- great ;; @todo r=bird: why don't you just change $g_bInstallTimestampCA?
   Var /GLOBAL bDoInstallCA
   StrCpy $bDoInstallCA "false" ; Set a default value
 …
   ${If} $bDoInstallCA == "true"
     ${LogVerbose} "Installing legacy timestamp CA certificate ..."
+    SetOutPath "$INSTDIR\cert"
+    FILE "$%PATH_OUT%\bin\additions\vbox-legacy-timestamp-ca.cer"
+    FILE "$%PATH_OUT%\bin\additions\VBoxCertUtil.exe"
+    ${CmdExecute} "$\"$INSTDIR\cert\VBoxCertUtil.exe$\" add-trusted-publisher --root $\"$INSTDIR\cert\vbox-legacy-timestamp-ca.cer$\"" 'non-zero-exitcode=log'
+    ${CmdExecute} "$\"$INSTDIR\cert\VBoxCertUtil.exe$\" add-root $\"$INSTDIR\cert\vbox-legacy-timestamp-ca.cer$\"" 'non-zero-exitcode=log'
     ${CmdExecute} "$\"$INSTDIR\cert\VBoxCertUtil.exe$\" display-all" 'non-zero-exitcode=log'
   ${EndIf}
+!endif
+  !endif ; VBOX_WITH_VBOX_LEGACY_TS_CA
+!endif ; VBOX_SIGN_ADDITIONS
+  ; Restore registers
+  Pop $R4
+  Pop $R3
+  Pop $R2
+  Pop $R1
+  Pop $R0
 FunctionEnd

trunk/src/VBox/Additions/WINNT/tools/Makefile.kmk

-              r96684
+              r96692
 AdditionsInstCertFiles_SOURCES += $(VBOX_LEGACY_TS_CA_FILE)=>vbox-legacy-timestamp-ca.cer
  endif
+ ifdef VBOX_WITH_GA_ROOT_CERTS_INCLUDED
+  ifdef VBOX_WITH_GA_ROOT_VERISIGN_G5
+AdditionsInstCertFiles_SOURCES += \
+        $(VBOX_PATH_SRC_CERTIFICATES)/CaRoot-VeriSignPca3G5-18dad19e267de8bb4a2158cdcc6b3b4a.crt=>root-versign-pca3-g5.cer
+  endif
+  ifdef VBOX_WITH_GA_ROOT_DIGICERT_ASSURED_ID
+AdditionsInstCertFiles_SOURCES += \
+        $(VBOX_PATH_SRC_CERTIFICATES)/CaRoot-DigiCertAssuredIDRootCA-0ce7e0e517d846fe8fe560fc1bf03039.crt=>root-digicert-assured-id.cer
+  endif
+  ifdef VBOX_WITH_GA_ROOT_DIGICERT_HIGH_ASSURANCE_EV
+AdditionsInstCertFiles_SOURCES += \
+        $(VBOX_PATH_SRC_CERTIFICATES)/CaRoot-DigiCertHighAssuranceEVRootCA-02ac5c266a0b409b8f0b79f2ae462577.crt=>root-digicert-high-assurance-ev.cer
+  endif
+ endif
 endif

Note: See TracChangeset for help on using the changeset viewer.

Changeset 96692 in vbox

Legend:

Download in other formats: