This shows you the differences between two versions of the page.
appnote:etoken [2016/05/10 22:41] mcb30 |
appnote:etoken [2021/02/22 16:50] mcb30 |
||
---|---|---|---|
Line 50: | Line 50: | ||
==== Toolchain ==== | ==== Toolchain ==== | ||
- | {{ :clipart:chain.jpeg?300x144|A (tool)chain}} | + | {{ :clipart:chain.jpeg?300x180|A (tool)chain}} |
To sign UEFI .cab files for submission to Microsoft you will need to also install | To sign UEFI .cab files for submission to Microsoft you will need to also install | ||
* ''[[https://github.com/rhinstaller/pesign|pesign]]'' | * ''[[https://github.com/rhinstaller/pesign|pesign]]'' | ||
- | * ''[[http://ohnopub.net/~ohnobinki/lcab/|lcab]]'' | + | * ''[[http://ftp.gnome.org/pub/GNOME/sources/gcab|gcab]]'' |
* ''[[https://www.openssl.org|openssl]]'' | * ''[[https://www.openssl.org|openssl]]'' | ||
* ''[[https://github.com/OpenSC/OpenSC/wiki/Engine-pkcs11-quickstart|engine_pkcs11]]'' | * ''[[https://github.com/OpenSC/OpenSC/wiki/Engine-pkcs11-quickstart|engine_pkcs11]]'' | ||
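Review bot: the replacement link on the gcab line points at http://ftp.gnome.org/pub/GNOME/sources/gcab over plain HTTP, which is a weak place to send readers for the tool that builds the archive they go on to sign. Link to an HTTPS location for the gcab sources if one is available, or tell readers to install gcab from their distribution's signed packages. The other three links in this list are already HTTPS.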
Line 72: | Line 72: | ||
==== Microsoft Hardware Dev Center ==== | ==== Microsoft Hardware Dev Center ==== | ||
- | You will need to sign up for an account at the [[https://sysdev.microsoft.com/|Microsoft Hardware Dev Center]]. The sign-up process will require you to sign a copy of ''[[http://go.microsoft.com/fwlink/?LinkId=393250|winqual.exe]]'': you can do this using | + | You will need to sign up for an account at the [[https://partner.microsoft.com|Microsoft Partner Center]]. The sign-up process will require you to sign a copy of ''[[http://go.microsoft.com/fwlink/?LinkId=393250|winqual.exe]]'': you can do this using |
pesign -s -i winqual.exe -o winqual-signed.exe -t "Fen Systems Ltd." -c "Fen Systems Ltd." | pesign -s -i winqual.exe -o winqual-signed.exe -t "Fen Systems Ltd." -c "Fen Systems Ltd." | ||
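Review bot: the heading on the context line still reads "==== Microsoft Hardware Dev Center ====" while the paragraph under it now links to "Microsoft Partner Center", so the section title and its body name two different portals. Rename the heading to match, or say in the text that the Partner Center is where the Hardware Dev Center sign-up now lives, so readers following older instructions can connect the two names.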
Line 82: | Line 82: | ||
To create a UEFI signing submission, you must create a ''.cab'' file containing your (unsigned) ''.efi'' files. For example, you can create a ''submission.cab'' file containing ''[[http://boot.ipxe.org/ipxe.efi|ipxe.efi]]'' and ''[[http://boot.ipxe.org/snponly.efi|snponly.efi]]'' using | To create a UEFI signing submission, you must create a ''.cab'' file containing your (unsigned) ''.efi'' files. For example, you can create a ''submission.cab'' file containing ''[[http://boot.ipxe.org/ipxe.efi|ipxe.efi]]'' and ''[[http://boot.ipxe.org/snponly.efi|snponly.efi]]'' using | ||
- | lcab -n -q ipxe.efi snponly.efi submission.cab | + | gcab -n -c submission.cab ipxe.efi snponly.efi |
You can sign the ''submission.cab'' file using | You can sign the ''submission.cab'' file using | ||
- | osslsigncode -pkcs11engine /usr/lib64/openssl/engines/engine_pkcs11.so \ | + | osslsigncode -pkcs11engine /usr/lib64/openssl/engines/pkcs11.so \ |
-pkcs11module /usr/lib64/libeToken.so -certs codesigning.crt \ | -pkcs11module /usr/lib64/libeToken.so -certs codesigning.crt \ | ||
-h sha256 -askpass -t http://timestamp.digicert.com \ | -h sha256 -askpass -t http://timestamp.digicert.com \ | ||
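Review bot: the -pkcs11engine path changes from engine_pkcs11.so to pkcs11.so with no word on which package version or distribution the new filename belongs to, and the toolchain list still calls the component engine_pkcs11. A reader whose install ships the other filename will get an engine load failure with nothing on the page to explain it. Add a sentence saying the file may carry either name depending on the installed version and that the path should be checked against the local OpenSSL engines directory. The gcab line also puts the output archive before the input files, the reverse of the old lcab line, which deserves a short remark for anyone adapting an existing script.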
Line 96: | Line 96: | ||
==== Submitting to Microsoft ==== | ==== Submitting to Microsoft ==== | ||
- | Log in to the [[https://sysdev.microsoft.com/|Microsoft Hardware Dev Center]] and choose "Create UEFI submission". You will unfortunately need to use Windows to upload the ''submission-signed.cab'' file, since the submission page uses Silverlight instead of a standard HTML form.((Microsoft is special.)) | + | Log in to the [[https://partner.microsoft.com/en-us/dashboard/hardware/filesign|Microsoft Partner Center]] and choose "Submit UEFI". |
==== Waiting ==== | ==== Waiting ==== |
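Review bot: the rewritten sentence in "Submitting to Microsoft" no longer says which file to upload; the old text named ''submission-signed.cab'', the new one stops at choose "Submit UEFI". Keep the filename in the instruction, for example by ending the sentence with "and upload the ''submission-signed.cab'' file", so that nobody uploads the unsigned ''submission.cab'' from the previous step by mistake.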