|
|
; crypto.txt;; This data file shows all files that require CSP signing or are involved with; the high encryption pack. It is used by the following scripts to drive processing.; 1) public\tools\crypto.cmd (TS cert stuffing, CSP-signing, encrypted installers); 2) bldrules\ispu.cmd (encryption pack generation); 3) encryption pack propagation script; 4) miscellaneous verification scripts;; Need Test sign; Path rela- Needs Needs on EP Modify on these; tive to Encrypted Local- to be to be Add TS Prod releas for platforms;File %binaries% Installer izable? MACd? Signd? Cert? Type share? Intl? where 5=yes;[1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11];----------- ---------- ------------ ------- ------ ------ ------ ---- ------ ------ ---------
; 128-bit binariesdssenh.dll . instdss5.dll no yes yes no wks no no i386:ia64:amd64ipsec.sys . instips5.dll no no no no wks no can -lsasrv.dll . instlsa5.dll yes no no no wks no yes -ndiswan.sys . instndi5.dll no no no no wks no can -rsaenh.dll . instrsa5.dll yes yes yes no wks yes no i386:ia64:amd64
; 40/56-bit binariesgpkcsp.dll . - no no yes no wks no no i386:ia64:amd64sccbase.dll . - no no yes no wks no no i386:ia64:amd64sccsccp.dll . - no no yes no wks no no i386:ia64:amd64slbcsp.dll . - no no yes no wks no no i386:ia64:amd64
; additional high encryption pack filesencpack.sed encpack - yes no no no - no yes -encpack.inf encpack - yes no no no wks no yes -enceula.txt noexport - yes no no no wks yes yes -encread.txt noexport - yes no no no wks yes yes -
; generated high encryption pack self extracting exeencpack.exe noexport - no no no no wks yes yes -
; Add TS certificate to Terminal Services Binariestermdd.sys . - no no no yes srv no can -tdasync.sys . - no no no yes srv no can -tdipx.sys . - no no no yes srv no can -tdnetb.sys . - no no no yes srv no can -tdpipe.sys . - no no no yes srv no can -tdspx.sys . - no no no yes srv no can -tdtcp.sys . - no no no yes srv no can -tsddd.dll . - no no no yes srv no can -rdpdd.dll . - no no no yes srv no can -rdpwd.sys . - no no no yes srv no can -rdpwsx.dll . - no no no yes srv no can -
;; Column Key;; [1] Files involved with crypto signing and/or the high encryption pack encpack.exe creation.; [2] Path to file after binplacing it, relative to %binaries%.; [3] Encrypted installers contain an encrypted version of their associated 128-bit binary as; a resource; they ship in all languages of the product, but will only install their; 128-bit binary if the trigger file rsaenhs.dll exists on the machine. The trigger; file gets installed upon running encpack.exe. There is a one-to-one correspondence; between 128-bit files and encrypted installers.; [4] Attribute of 128-bit file, not the encrypted installer; version-stamp only ==> no; [5] Crypto MACed (an internal cryptographic checksum requred by FIPS). maccsp is run on image.; [6] Crypto signed (not to be confused with PRS/catalog signing). Yes implies the following:; ==> Cryptographic signature added to the image by one of the following methods:; a) test signature via US build process public\tools\crypto.cmd (from enigma server); b) real signature via crypto team for final build (from the bbn box in the vault); ==> This files is either a CSP (cryptographic service provider) or security package; ==> International languages need to release these files binary-identical to what US releases; Change column [11]'s fields to turn on/off test signing on a per-platform basis. Any; file requiring a signature, no matter how it gets signed, needs to have the value 'yes'; in this column.; [7] Terminal services certificate added to image. Verify with idw\tscrtvfy.exe.; [8] Applicable product types.; srv ==> bla, sbs, srv, ent, dtc; installed via tsocenc.inf; they're for terminal services; wks ==> wks, per, bla, sbs, srv, ent, dtc; installed via encinst.inf; - ==> not applicable to any product, perhaps used to generate sfx; [9] Files that need to be on the encryption pack release share.; yes ==> needed for media or test installs; the media creation script is orville\razzle -p setup\bom\encpack.bat; no ==> won't hurt to be present, may be useful for testing purposes;[10] Derived info from other columns to clarify what's needed for international languages.; Don't have scripts use this column; use the other columns directly instead.; no <== the file gets crypto signed; can <== the file does not get crypto signed or localized so intl langs have no restrictions; yes <== the file does not get crypto signed AND the file gets localized or is; necessarily rebuilt for intl;[11] This column only applies to files that require signing ([6]==yes).; Valid values: any combination of the following: { i386,amd64,ia64 }; Test sign binaries on the specified platforms via signcsp.exe and enigma. Otherwise,; these files need to be checked in already vault-signed with real signatures for RTM.; Platforms need to be colon-delimited with no spaces.; Note that when checking in vault-signed files, the idea is that nothing modifies them; afterward.; a) avoid rebasing by adding to public\tools\never.reb; b) let the perf team know to avoid re-optimizing; c) crypto.cmd already marks the file not-to-be-rebound; d) these files should not be localized, independent of test or real signing.
|
