Changeset 96766 in vbox for trunk/src/VBox/Additions

Timestamp:

Sep 16, 2022 12:00:23 PM (2 years ago)

Author:

vboxsync

Message:

Add/Nt/Installer,Add/Nt/Tools,Add/Makefile,/Config.kmk: Use bldRTSignTool to extract the root certificates and always ship+install them, except for the legacy TS CA which won't be installed on W10. bugref:8691

Location:

trunk/src/VBox/Additions

Files:

• Makefile.kmk (modified) (1 diff)
• WINNT/Installer/Makefile.kmk (modified) (4 diffs)
• WINNT/Installer/VBoxGuestAdditionsW2KXP.nsh (modified) (2 diffs)
• WINNT/tools/Makefile.kmk (modified) (1 diff)

trunk/src/VBox/Additions/Makefile.kmk

@@ -291 +291 @@
 
 if defined(VBOX_WITH_ADDITIONS_ISO.win.amd64) || defined(VBOX_WITH_ADDITIONS_ISO.win.x86)
+ # Note! This probably only work reliably when packing is also done on a windows host!
  ifndef VBOX_SIGNING_MODE
   GUESTADDITIONS_FILESPEC.win =
  else if !defined(VBOX_CERTIFICATE_SHA2_SUBJECT_NAME) && !$(intersects win all 1,$(VBOX_WITH_CORP_CODE_SIGNING))
-  GUESTADDITIONS_FILESPEC.win = cert/vbox.cer=$(VBOX_PATH_ADDITIONS.win)/vbox.cer
+  GUESTADDITIONS_FILESPEC.win = \
+        cert/vbox.cer=$(VBOX_PATH_ADDITIONS.win)/vbox.cer \
+        cert/vbox-root.cer=$(VBOX_PATH_ADDITIONS.win)/vbox-root.cer
+  ifdef VBOX_TSA_URL_ARGS
+   GUESTADDITIONS_FILESPEC.win += cert/vbox-timestamp-root.cer=$(VBOX_PATH_ADDITIONS.win)/vbox-timestamp-root.cer
+  endif
  else
   GUESTADDITIONS_FILESPEC.win = \
         cert/vbox-sha1.cer=$(VBOX_PATH_ADDITIONS.win)/vbox-sha1.cer \
+        cert/vbox-sha1-root.cer=$(VBOX_PATH_ADDITIONS.win)/vbox-sha1-root.cer \
+        cert/vbox-sha256-root.cer=$(VBOX_PATH_ADDITIONS.win)/vbox-sha256-root.cer \
         cert/vbox-sha256.cer=$(VBOX_PATH_ADDITIONS.win)/vbox-sha256.cer
+  ifdef VBOX_TSA_URL_ARGS
+   GUESTADDITIONS_FILESPEC.win += cert/vbox-sha1-timestamp-root.cer=$(VBOX_PATH_ADDITIONS.win)/vbox-sha1-timestamp-root.cer
+  endif
+  ifdef VBOX_TSA_SHA2_URL_ARGS
+   GUESTADDITIONS_FILESPEC.win += cert/vbox-sha256-timestamp-root.cer=$(VBOX_PATH_ADDITIONS.win)/vbox-sha256-timestamp-root.cer
+  endif
   if $(intersects win_planb,$(VBOX_WITH_CORP_CODE_SIGNING))
-   GUESTADDITIONS_FILESPEC.win += cert/vbox-sha256-r3.cer=$(VBOX_PATH_ADDITIONS.win)/vbox-sha256-r3.cer
-  endif
- endif
- ifdef VBOX_WITH_VBOX_LEGACY_TS_CA
-  GUESTADDITIONS_FILESPEC.win += cert/vbox-legacy-timestamp-ca.cer=$(VBOX_PATH_ADDITIONS.win)/vbox-legacy-timestamp-ca.cer
- endif
- ifdef VBOX_WITH_GA_ROOT_CERTS_INCLUDED
-  ifdef VBOX_WITH_GA_ROOT_VERISIGN_G5
-   GUESTADDITIONS_FILESPEC.win += cert/root-versign-pca3-g5.cer=$(VBOX_PATH_ADDITIONS.win)/root-versign-pca3-g5.cer
-  endif
-  ifdef VBOX_WITH_GA_ROOT_DIGICERT_ASSURED_ID
-   GUESTADDITIONS_FILESPEC.win += cert/root-digicert-assured-id.cer=$(VBOX_PATH_ADDITIONS.win)/root-digicert-assured-id.cer
-  endif
-  ifdef VBOX_WITH_GA_ROOT_DIGICERT_HIGH_ASSURANCE_EV
-   GUESTADDITIONS_FILESPEC.win += cert/root-digicert-high-assurance-ev.cer=$(VBOX_PATH_ADDITIONS.win)/root-digicert-high-assurance-ev.cer
+   GUESTADDITIONS_FILESPEC.win += \
+        cert/vbox-sha256-r3.cer=$(VBOX_PATH_ADDITIONS.win)/vbox-sha256-r3.cer \
+        cert/vbox-sha256-r3-root.cer=$(VBOX_PATH_ADDITIONS.win)/vbox-sha256-r3-root.cer \
+        cert/vbox-sha256-r3-timestamp-root.cer=$(VBOX_PATH_ADDITIONS.win)/vbox-sha256-r3-timestamp-root.cer
   endif
  endif

trunk/src/VBox/Additions/WINNT/Installer/Makefile.kmk

@@ -86 +86 @@
 RegCleanup_VBOX_IMPORT_CHECKER.win.x86 := nt4
 
+
+#
+# Install all the certificates we use.
+#
+INSTALLS += AdditionsInstCertFiles
+AdditionsInstCertFiles_TEMPLATE := VBoxGuestR3Exe
+AdditionsInstCertFiles_SOURCES   =
+AdditionsInstCertFiles_CLEAN     =
+if defined(VBOX_SIGNING_MODE) && defined(VBOX_SIGN_ADDITIONS)
+ define def_VBoxAdditionsInstCertFiles
+  AdditionsInstCertFiles_SOURCES += $$(AdditionsInstCertFiles_0_OUTDIR)/$(1)=>$1
+  AdditionsInstCertFiles_CLEAN   += $$(AdditionsInstCertFiles_0_OUTDIR)/$(1)
+  $$$$(AdditionsInstCertFiles_0_OUTDIR)/$(1): $$(2) | $$$$(dir $$$$@) $(VBOX_RTSIGNTOOL)
+        $(QUIET)$(RM) -f -- "$$@"
+        $(VBOX_RTSIGNTOOL) $3 --signature-index $4 --input "$$<" --output "$$@"
+ endef
+
+ if !defined(VBOX_CERTIFICATE_SHA2_SUBJECT_NAME) && !$(intersects win all 1,$(VBOX_WITH_CORP_CODE_SIGNING))
+  $(evalcall2 def_VBoxAdditionsInstCertFiles,vbox.cer,$(VBOX_PATH_ADDITIONS)/VBoxGuest.sys, \
+        extract-exe-signer-cert, 0)
+  VBOX_GA_CERT_ROOT_SHA1 := vbox-root.cer
+  $(evalcall2 def_VBoxAdditionsInstCertFiles,$(VBOX_GA_CERT_ROOT_SHA1),$(VBOX_PATH_ADDITIONS)/VBoxGuest.sys, \
+        extract-signer-root --self-signed-roots-from-system, 0)
+  ifdef VBOX_TSA_URL_ARGS
+   VBOX_GA_CERT_ROOT_SHA1_TS := vbox-timestamp-root.cer
+   $(evalcall2 def_VBoxAdditionsInstCertFiles,$(VBOX_GA_CERT_ROOT_SHA1_TS),$(VBOX_PATH_ADDITIONS)/VBoxGuest.sys, \
+        extract-timestamp-root --self-signed-roots-from-system, 0)
+  endif
+ else
+  $(evalcall2 def_VBoxAdditionsInstCertFiles,vbox-sha1.cer,$(VBOX_PATH_ADDITIONS)/VBoxGuest.sys, \
+        extract-exe-signer-cert, 0)
+  VBOX_GA_CERT_ROOT_SHA1 := vbox-sha1-root.cer
+  $(evalcall2 def_VBoxAdditionsInstCertFiles,$(VBOX_GA_CERT_ROOT_SHA1),$(VBOX_PATH_ADDITIONS)/VBoxGuest.sys, \
+        extract-signer-root --self-signed-roots-from-system, 0)
+  ifdef VBOX_TSA_URL_ARGS
+   VBOX_GA_CERT_ROOT_SHA1_TS := vbox-sha1-timestamp-root.cer
+   $(evalcall2 def_VBoxAdditionsInstCertFiles,$(VBOX_GA_CERT_ROOT_SHA1_TS),$(VBOX_PATH_ADDITIONS)/VBoxGuest.sys, \
+        extract-timestamp-root --self-signed-roots-from-system, 0)
+  endif
+
+  $(evalcall2 def_VBoxAdditionsInstCertFiles,vbox-sha256.cer,$(VBOX_PATH_ADDITIONS)/VBoxGuest.sys, \
+        extract-exe-signer-cert, 1)
+  VBOX_GA_CERT_ROOT_SHA2 := vbox-sha256-root.cer
+  $(evalcall2 def_VBoxAdditionsInstCertFiles,$(VBOX_GA_CERT_ROOT_SHA2),$(VBOX_PATH_ADDITIONS)/VBoxGuest.sys, \
+        extract-signer-root --self-signed-roots-from-system, 1)
+  ifdef VBOX_TSA_SHA2_URL_ARGS
+   VBOX_GA_CERT_ROOT_SHA2_TS := vbox-sha256-timestamp-root.cer
+   $(evalcall2 def_VBoxAdditionsInstCertFiles,$(VBOX_GA_CERT_ROOT_SHA2_TS),$(VBOX_PATH_ADDITIONS)/VBoxGuest.sys, \
+        extract-timestamp-root --self-signed-roots-from-system, 1)
+  endif
+
+  if $(intersects win_planb,$(VBOX_WITH_CORP_CODE_SIGNING))
+   $(evalcall2 def_VBoxAdditionsInstCertFiles,vbox-sha256-r3.cer,$(VBOX_PATH_ADDITIONS)/VBoxDrvInst.exe, \
+        extract-exe-signer-cert, 1)
+   VBOX_GA_CERT_ROOT_SHA2_R3 := vbox-sha256-r3-root.cer
+   $(evalcall2 def_VBoxAdditionsInstCertFiles,$(VBOX_GA_CERT_ROOT_SHA2_R3),$(VBOX_PATH_ADDITIONS)/VBoxDrvInst.exe, \
+        extract-signer-root --self-signed-roots-from-system, 1)
+   VBOX_GA_CERT_ROOT_SHA2_R3_TS := vbox-sha256-r3-timestamp-root.cer
+   $(evalcall2 def_VBoxAdditionsInstCertFiles,$(VBOX_GA_CERT_ROOT_SHA2_R3_TS),$(VBOX_PATH_ADDITIONS)/VBoxDrvInst.exe, \
+        extract-timestamp-root --self-signed-roots-from-system, 1)
+  endif
+ endif
+endif
 
 #
@@ -179 +242 @@
 endif
 
-if defined(VBOX_SIGNING_MODE) && defined(VBOX_SIGN_ADDITIONS)
- ifdef VBOX_WITH_VBOX_LEGACY_TS_CA
-VBOX_WINDOWS_ADDITIONS_OTHER_FILES += $(PATH_STAGE_BIN)/additions/vbox-legacy-timestamp-ca.cer
- endif
- ifdef VBOX_WITH_GA_ROOT_CERTS_INCLUDED
-  ifdef VBOX_WITH_GA_ROOT_VERISIGN_G5
-VBOX_WINDOWS_ADDITIONS_OTHER_FILES += $(PATH_STAGE_BIN)/additions/root-versign-pca3-g5.cer
-  endif
-  ifdef VBOX_WITH_GA_ROOT_DIGICERT_ASSURED_ID
-VBOX_WINDOWS_ADDITIONS_OTHER_FILES += $(PATH_STAGE_BIN)/additions/root-digicert-assured-id.cer
-  endif
-  ifdef VBOX_WITH_GA_ROOT_DIGICERT_HIGH_ASSURANCE_EV
-VBOX_WINDOWS_ADDITIONS_OTHER_FILES += $(PATH_STAGE_BIN)/additions/root-digicert-high-assurance-ev.cer
-  endif
- endif
-endif
+VBOX_WINDOWS_ADDITIONS_OTHER_FILES += $(addprefix $(PATH_STAGE_BIN)/additions/, \
+        $(VBOX_GA_CERT_ROOT_SHA1) \
+        $(VBOX_GA_CERT_ROOT_SHA1_TS) \
+        $(VBOX_GA_CERT_ROOT_SHA2) \
+        $(VBOX_GA_CERT_ROOT_SHA2_TS) \
+        $(VBOX_GA_CERT_ROOT_SHA2_R3) \
+        $(VBOX_GA_CERT_ROOT_SHA2_R3_TS))
 
 VB_WIN_ADD_NSIS_ENV := \
@@ -225 +279 @@
         $(foreach lang,$(VBOX_INSTALLER_ADD_LANGUAGES),-E 'VBOX_BRAND_$(lang)_LICENSE_RTF=$(VBOX_BRAND_$(lang)_LICENSE_RTF)') \
         -E 'KBUILD_TYPE=$(KBUILD_TYPE)' \
-        -E 'KBUILD_TARGET_ARCH=$(KBUILD_TARGET_ARCH)'
+        -E 'KBUILD_TARGET_ARCH=$(KBUILD_TARGET_ARCH)' \
+       $(foreach base, VBOX_GA_CERT_ROOT_SHA1 VBOX_GA_CERT_ROOT_SHA2 VBOX_GA_CERT_ROOT_SHA2_R3 \
+       ,-E '$(base)=$(firstword $($(base)) none)' -E '$(base)_TS=$(firstword $($(base)_TS) none)')
 
 $(PATH_STAGE_BIN)/additions/VBoxWindowsAdditions-$(KBUILD_TARGET_ARCH).exe: \
@@ -263 +319 @@
                        $(if-expr defined(VBOX_SIGN_ADDITIONS) && defined(VBOX_SIGNING_MODE), \
                         '/DVBOX_SIGN_ADDITIONS=1' \
-                        $(if-expr defined(VBOX_WITH_GA_ROOT_CERTS_INCLUDED)            ,'/DVBOX_WITH_GA_ROOT_CERTS_INCLUDED=1',) \
-                        $(if-expr defined(VBOX_WITH_GA_ROOT_VERISIGN_G5)               ,'/DVBOX_WITH_GA_ROOT_VERISIGN_G5=1',) \
-                        $(if-expr defined(VBOX_WITH_GA_ROOT_DIGICERT_ASSURED_ID)       ,'/DVBOX_WITH_GA_ROOT_DIGICERT_ASSURED_ID=1',) \
-                        $(if-expr defined(VBOX_WITH_GA_ROOT_DIGICERT_HIGH_ASSURANCE_EV),'/DVBOX_WITH_GA_ROOT_DIGICERT_HIGH_ASSURANCE_EV=1',) \
-                                $(if-expr defined(VBOX_WITH_VBOX_LEGACY_TS_CA)                 ,'/DVBOX_WITH_VBOX_LEGACY_TS_CA=1') \
+                                $(if-expr defined(VBOX_WITH_VBOX_LEGACY_TS_CA),'/DVBOX_WITH_VBOX_LEGACY_TS_CA=1') \
                        ,) \
                         $(if $(VBOX_INSTALLER_ADD_LANGUAGES),'/DVBOX_INSTALLER_ADD_LANGUAGES=1') \

trunk/src/VBox/Additions/WINNT/Installer/VBoxGuestAdditionsW2KXP.nsh

@@ -161 +161 @@
 
 !ifdef VBOX_SIGN_ADDITIONS
-  !ifdef VBOX_WITH_GA_ROOT_VERISIGN_G5 | VBOX_WITH_GA_ROOT_DIGICERT_ASSURED_ID | VBOX_WITH_GA_ROOT_DIGICERT_HIGH_ASSURANCE_EV
-
 ;;
-; Checks
-;
-; @param    pop1    The RDN of the certificate.
-; @param    pop2    Filename (cert dir) if we're shipping it (VBOX_WITH_GA_ROOT_CERTS_INCLUDED).
-; @param    pop3    The direct download URL link.
-; @param    pop4    The message to display if missing.
-;
-Function W2K_RootCertCheck
-  ;
-  ; Prolog: Save $0, $1, $2, $3 and move the parameters into them. Also save $4 for results.
-  ;
+; Run VBoxCertUtil to install the given certificate if absent on the system.
+;
+; @param    pop1    The certificate file.
+; @param    pop2    Short description.
+;
+Function   W2K_InstallRootCert
+  ; Prolog: Save $0 & $1 and move the parameters into them.
   Push    $0
-  Exch    4
+  Exch    2
   Push    $1
-  Exch    4
-  Push    $2
-  Exch    4
-  Push    $3
-  Exch    4
-  Pop     $0                                ; RDN
-  Pop     $1                                ; Filename
-  Pop     $2                                ; Direct URL
-  Pop     $3                                ; Missing message
-  Push    $4
-
-  ;
-  ; Run VBoxCertUtil to check.
-  ;
-  ${LogVerbose} "Checking if $0 is installed ..."
-  ${If} ${Silent}
-    nsExec::ExecToStack "$\"$INSTDIR\cert\VBoxCertUtil.exe$\" root-exists $\"$0$\""
-    Exch 1
-    Pop  $4                                 ; output
-    ${LogVerbose} "$4"
-    Pop  $4                                 ; exit code
-  ${Else}
-    nsExec::ExecToLog   "$\"$INSTDIR\cert\VBoxCertUtil.exe$\" root-exists $\"$0$\""
-    Pop  $4                                 ; exit code
-  ${EndIf}
-  ${LogVerbose} "Exit code: $4"
-
-  ;
-  ; VBoxCertUtil terminates with exit code 10 if not found, 0 if found and something else on failure.
-  ;
-  ${If} $4 == 0
-    ${LogVerbose} "Root certificate is present."
-  ${ElseIf} $4 == 10
-  !ifdef VBOX_WITH_GA_ROOT_CERTS_INCLUDED
-    ${LogVerbose} "Root certificate is _NOT_ present.  Installing it ..."
-    ${CmdExecute} "$\"$INSTDIR\cert\VBoxCertUtil.exe$\" add-root $\"$INSTDIR\cert\$1$\"" 'non-zero-exitcode=abort'
-  !else
-    ${LogVerbose} "Root certificate is _NOT_ present.  The certificate can be downloaded from $2 and installed using '$INSTDIR\cert\VBoxCertUtil.exe'."
-    MessageBox MB_YESNO $3 /SD IDYES IDYES l_dont_abort
-    Abort "Missing signing root certificate $0"
-l_dont_abort:
-  !endif
-  ${ElseIf} $R4 <> 0
-    ${LogVerbose} "Unable to determine whether the root certificate was present. Assuming the worst."
-    Abort "Error when checking whether signing root certificate '$0' was present: $4"
-  ${EndIf}
-
-  ;
-  ; Epilog: Restore $0-$4 (we return nothing).
-  ;
-  Pop     $4
-  Pop     $3
+  Exch    2
+  Pop     $0                                ; Filename
+  Pop     $1                                ; Description.
+
+  ; Do the work.
+  ${LogVerbose} "Installing $1 ('$0') if missing ..."
+  ${CmdExecute} "$\"$INSTDIR\cert\VBoxCertUtil.exe$\" add-root --add-if-new $\"$INSTDIR\cert\$0$\"" 'non-zero-exitcode=abort'
+
+  ; Epilog: Restore $0 & $1 (we return nothing).
   Pop     $2
   Pop     $1
   Pop     $0
 FunctionEnd
-  !endif
 !endif
 
@@ -263 +213 @@
 !ifdef VBOX_SIGN_ADDITIONS
   ;
-  ; When installing signed GAs, we need to check whether the root certs are
-  ; present, we use VBoxCertUtil for this task.  This utility is also used
-  ; for installing missing root certs we can ship, like the special timestamp
-  ; root further down.
+  ; When installing signed GAs, we need to make sure that the associated root
+  ; certs are present, we use VBoxCertUtil for this task.
   ;
   ${LogVerbose} "Installing VBoxCertUtil.exe ..."
   SetOutPath "$INSTDIR\cert"
   FILE "$%PATH_OUT%\bin\additions\VBoxCertUtil.exe"
-  !ifdef VBOX_WITH_VBOX_LEGACY_TS_CA
-  FILE "$%PATH_OUT%\bin\additions\vbox-legacy-timestamp-ca.cer"
-  !endif
-  !ifdef VBOX_WITH_GA_ROOT_CERTS_INCLUDED
-    !ifdef VBOX_WITH_GA_ROOT_VERISIGN_G5
-  FILE "$%PATH_OUT%\bin\additions\root-versign-pca3-g5.cer"
-    !endif
-    !ifdef VBOX_WITH_GA_ROOT_DIGICERT_ASSURED_ID
-  FILE "$%PATH_OUT%\bin\additions\root-digicert-assured-id.cer"
-    !endif
-    !ifdef VBOX_WITH_GA_ROOT_DIGICERT_HIGH_ASSURANCE_EV
-  FILE "$%PATH_OUT%\bin\additions\root-digicert-high-assurance-ev.cer"
-    !endif
-  !endif
-
-  ; Now that the files are in place, do the checking.
-  !ifdef VBOX_WITH_GA_ROOT_VERISIGN_G5
-  Push $(VBOX_CA_CHECK_VERISIGN_G5)
-  Push "http://cacerts.digicert.com/pca3-g5.crt"
-  Push "root-versign-pca3-g5.cer"
-  Push "C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=(c) 2006 VeriSign, Inc. - For authorized use only; CN=VeriSign Class 3 Public Primary Certification Authority - G5"
-  Call W2K_RootCertCheck
-  !endif
-
-  !ifdef VBOX_WITH_GA_ROOT_DIGICERT_ASSURED_ID
-  Push $(VBOX_CA_CHECK_DIGICERT_ASSURED_ID)
-  Push "https://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt"
-  Push "root-digicert-assured-id.cer"
-  Push "C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert Assured ID Root CA"
-  Call W2K_RootCertCheck
-  !endif
-
-  !ifdef VBOX_WITH_GA_ROOT_DIGICERT_HIGH_ASSURANCE_EV
-  Push $(VBOX_CA_CHECK_DIGICERT_HIGH_ASSURANCE_EV)
-  Push "https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt"
-  Push "root-digicert-high-assurance-ev.cer"
-  Push "C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert High Assurance EV Root CA"
-  Call W2K_RootCertCheck
-  !endif
-
-  !ifdef VBOX_WITH_VBOX_LEGACY_TS_CA
-  ;
-  ; Install the legacy timestamp CA if required/requested.
-  ;
-
-  ; If not explicitly specified, let the detected Windows version decide what to do.
-  ; On guest OSes < Windows 10 we always go for the PreW10 drivers and install our legacy timestamp CA.
+  !if  "$%VBOX_GA_CERT_ROOT_SHA1%" != "none"
+  FILE "$%PATH_OUT%\bin\additions\$%VBOX_GA_CERT_ROOT_SHA1%"
+  !endif
+  !if  "$%VBOX_GA_CERT_ROOT_SHA1_TS%" != "none"
+  FILE "$%PATH_OUT%\bin\additions\$%VBOX_GA_CERT_ROOT_SHA1_TS%"
+  !endif
+  !if  "$%VBOX_GA_CERT_ROOT_SHA2%" != "none"
+  FILE "$%PATH_OUT%\bin\additions\$%VBOX_GA_CERT_ROOT_SHA2%"
+  !endif
+  !if  "$%VBOX_GA_CERT_ROOT_SHA2_TS%" != "none"
+  FILE "$%PATH_OUT%\bin\additions\$%VBOX_GA_CERT_ROOT_SHA2_TS%"
+  !endif
+  !if  "$%VBOX_GA_CERT_ROOT_SHA2_R3%" != "none"
+  FILE "$%PATH_OUT%\bin\additions\$%VBOX_GA_CERT_ROOT_SHA2_R3%"
+  !endif
+  !if  "$%VBOX_GA_CERT_ROOT_SHA2_R3_TS%" != "none"
+  FILE "$%PATH_OUT%\bin\additions\$%VBOX_GA_CERT_ROOT_SHA2_R3_TS%"
+  !endif
+
+  ;
+  ; Install the certificates if missing.
+  ;
+  !if  "$%VBOX_GA_CERT_ROOT_SHA1%" != "none"
+  Push "SHA-1 root"
+  Push "$%VBOX_GA_CERT_ROOT_SHA1%"
+  Call W2K_InstallRootCert
+  !endif
+  !if  "$%VBOX_GA_CERT_ROOT_SHA1_TS%" != "none"
+    !ifdef VBOX_WITH_VBOX_LEGACY_TS_CA
+  ; If not explicitly specified, let the detected Windows version decide what
+  ; to do. On guest OSes < Windows 10 we always go for the PreW10 security
+  ; catalog files (.cat) and there we install our legacy timestamp CA by default.
   ${If}    $g_bInstallTimestampCA == "unset"
   ${AndIf} $g_strWinVersion != "10"
       StrCpy $g_bInstallTimestampCA "true"
   ${EndIf}
-
   ${If} $g_bInstallTimestampCA == "true"
-    ${LogVerbose} "Installing legacy timestamp CA certificate ..."
-    ${CmdExecute} "$\"$INSTDIR\cert\VBoxCertUtil.exe$\" add-root $\"$INSTDIR\cert\vbox-legacy-timestamp-ca.cer$\"" 'non-zero-exitcode=log'
-    ${CmdExecute} "$\"$INSTDIR\cert\VBoxCertUtil.exe$\" display-all" 'non-zero-exitcode=log'
-  ${EndIf}
-  !endif ; VBOX_WITH_VBOX_LEGACY_TS_CA
-
+    Push "SHA-1 timestamp root"
+    Push "$%VBOX_GA_CERT_ROOT_SHA1_TS%"
+    Call W2K_InstallRootCert
+  ${EndIf}
+    !else
+  Push "SHA-1 timestamp root"
+  Push "$%VBOX_GA_CERT_ROOT_SHA1_TS%"
+  Call W2K_InstallRootCert
+    !endif ; VBOX_WITH_VBOX_LEGACY_TS_CA
+  !endif
+
+  ; XP sp3 and later can make use of SHA-2 certs. Windows 2000 cannot.
+  ; Note that VBOX_GA_CERT_ROOT_SHA1 may be a SHA-2 cert, the hash algorithm
+  ; refers to the windows signature structures not the certificate.
+  ${If} $g_strWinVersion != "2000"
+  !if  "$%VBOX_GA_CERT_ROOT_SHA2%" != "none"
+    Push "SHA-2 root"
+    Push "$%VBOX_GA_CERT_ROOT_SHA2%"
+    Call W2K_InstallRootCert
+  !endif
+  !if  "$%VBOX_GA_CERT_ROOT_SHA2_TS%" != "none"
+    Push "SHA-2 timestamp root"
+    Push "$%VBOX_GA_CERT_ROOT_SHA2_TS%"
+    Call W2K_InstallRootCert
+  !endif
+  !if  "$%VBOX_GA_CERT_ROOT_SHA2_R3%" != "none"
+    Push "SHA-2 ring-3 root"
+    Push "$%VBOX_GA_CERT_ROOT_SHA2_R3%"
+    Call W2K_InstallRootCert
+  !endif
+  !if  "$%VBOX_GA_CERT_ROOT_SHA2_R3_TS%" != "none"
+    Push "SHA-2 ring-3 timestamp root"
+    Push "$%VBOX_GA_CERT_ROOT_SHA2_R3_TS%"
+    Call W2K_InstallRootCert
+  !endif
+  ${EndIf}
+
+  ; Log the certificates present on the system.
+  ${CmdExecute} "$\"$INSTDIR\cert\VBoxCertUtil.exe$\" display-all" 'non-zero-exitcode=log'
 !endif ; VBOX_SIGN_ADDITIONS
 

trunk/src/VBox/Additions/WINNT/tools/Makefile.kmk

@@ -44 +44 @@
 
 #
-# Install all the certificates we use here.
-#
-INSTALLS += AdditionsInstCertFiles
-AdditionsInstCertFiles_TEMPLATE = VBoxGuestR3Exe
-AdditionsInstCertFiles_SOURCES  =
-AdditionsInstCertFiles_CLEAN    =
-ifdef VBOX_SIGNING_MODE
- define def_VBoxAdditionsInstCertFiles
-  AdditionsInstCertFiles_SOURCES += $$(AdditionsInstCertFiles_0_OUTDIR)/$(1)=>$1
-  AdditionsInstCertFiles_CLEAN   += $$(AdditionsInstCertFiles_0_OUTDIR)/$(1)
-  $$$$(AdditionsInstCertFiles_0_OUTDIR)/$(1): $$(2) | $$$$(dir $$$$@) $(VBOX_RTSIGNTOOL)
-        $(QUIET)$(RM) -f -- "$$@"
-        $(VBOX_RTSIGNTOOL) extract-exe-signer-cert --signature-index $3 --exe "$$<" --output "$$@" --der
- endef
-
- if !defined(VBOX_CERTIFICATE_SHA2_SUBJECT_NAME) && !$(intersects win all 1,$(VBOX_WITH_CORP_CODE_SIGNING))
-  $(evalcall2 def_VBoxAdditionsInstCertFiles,vbox.cer,$(VBOX_PATH_ADDITIONS)/VBoxGuest.sys,0)
- else
-  $(evalcall2 def_VBoxAdditionsInstCertFiles,vbox-sha1.cer,$(VBOX_PATH_ADDITIONS)/VBoxGuest.sys,0)
-  $(evalcall2 def_VBoxAdditionsInstCertFiles,vbox-sha256.cer,$(VBOX_PATH_ADDITIONS)/VBoxGuest.sys,1)
-  if $(intersects win_planb,$(VBOX_WITH_CORP_CODE_SIGNING))
-   $(evalcall2 def_VBoxAdditionsInstCertFiles,vbox-sha256-r3.cer,$(VBOX_PATH_ADDITIONS)/VBoxCertUtil.exe,1)
-  endif
- endif
- ifdef VBOX_WITH_VBOX_LEGACY_TS_CA
-AdditionsInstCertFiles_SOURCES += $(VBOX_LEGACY_TS_CA_FILE)=>vbox-legacy-timestamp-ca.cer
- endif
- ifdef VBOX_WITH_GA_ROOT_CERTS_INCLUDED
-  ifdef VBOX_WITH_GA_ROOT_VERISIGN_G5
-AdditionsInstCertFiles_SOURCES += \
-        $(VBOX_PATH_SRC_CERTIFICATES)/CaRoot-VeriSignPca3G5-18dad19e267de8bb4a2158cdcc6b3b4a.crt=>root-versign-pca3-g5.cer
-  endif
-  ifdef VBOX_WITH_GA_ROOT_DIGICERT_ASSURED_ID
-AdditionsInstCertFiles_SOURCES += \
-        $(VBOX_PATH_SRC_CERTIFICATES)/CaRoot-DigiCertAssuredIDRootCA-0ce7e0e517d846fe8fe560fc1bf03039.crt=>root-digicert-assured-id.cer
-  endif
-  ifdef VBOX_WITH_GA_ROOT_DIGICERT_HIGH_ASSURANCE_EV
-AdditionsInstCertFiles_SOURCES += \
-        $(VBOX_PATH_SRC_CERTIFICATES)/CaRoot-DigiCertHighAssuranceEVRootCA-02ac5c266a0b409b8f0b79f2ae462577.crt=>root-digicert-high-assurance-ev.cer
-  endif
- endif
-endif
-
-#
 # Install the registry file for bypassing the Windows 11 installer checks.
 #