| Commit message | Author | Age | Files | Lines |

We had reports of it failing.
Reported-by: Ben Yoder <byoder@moltzconstructors.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Just seems a bit risky.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Otherwise, really long lines might mangle each other mid-way.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

We'll keep signing with EV. But this is not a security check. Anybody
can add an EV signature. It's not very expensive to do. And we've never
checked that it's actually _our_ signature. For that, there's the normal
ed25519-based mechanism, which is a lot nicer and faster.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Since we're also bumping the PE subsystem header to 10.0, this means we
need a _load_config with the proper flags. So there's some work to be
done here.
This also means bumping LLVM and Go builds. In the case of Go, the patch
is still pending: https://go-review.googlesource.com/c/go/+/756680 , so
it's a custom build.
Remove lots of compatibility code and hacks. Also update the installer
to display a useful message.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Also, make the name more confusing, no match the option, so that it
can initialize to false. This might be controversial; there are
arguments on both sides.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Existing code signing was hard-coded to use a locally installed
certificate (hardware security dongles included). However, signtool.exe
is extensible to allow any kind of digest signing plugin with /dlib and
/dmdf switches. This is used for cloud-based code signing (e.g.
Microsoft Trusted Signing).
Signed-off-by: Simon Rozman <simon@rozman.si>

The version 3.14.0.4118 we were using is no longer available for
download.
Signed-off-by: Simon Rozman <simon@rozman.si>

Deploying WireGuard MSI using Microsoft Endpoint Manager (aka MS Intune)
falls short with poor Microsoft Endpoint Manager support: no ARM64
support, requires multiple per-architecture deployments...
Fetcher proves super-useful for automating WireGuard install. It
contains platform selection logic, MSI download, integrity check...
However, automated installation is an unattended process and the
wireguard-installer.exe must not block the process for any user prompts.
Signed-off-by: Simon Rozman <simon@rozman.si>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Current binaries overflow into `wchar_t total_bytes_str[22]`, which is
not used anywhere after the overflow, so no harm done thankfully.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

On ancient Windows, we must opt-in to using TLS 1.2. Otherwise it only
allows for TLS 1.0. And of course there's no TLS 1.3 support there at
all.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

In anticipation of upcoming wintun changes.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Doesn't matter for us, but still probably a good idea. This has also
been reported upstream.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Saves 4k in the binary.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

It looks like advapi32.dll loads cryptbase.dll because RtlGenRandom is
forwarded to it, and cryptbase.dll isn't in knowndlls. So, even though
we haven't done anything wrong by importing advapi32.dll statically, the
surprising forwarding behavior means that this is a disaster. At the
same time, some UI-related system modules wind up calling loadlibraryex with
default arguments, so again, even though linking to things like
user32.dll and such statically is fine, Microsoft is doing the wrong
thing inside of them. Work around the first issue by loading
advapi32.dll (and others, just for good measure) delayed, and work
around the latter by gimping the dll search path.
Reported-by: Stefan Kanthak <stefan.kanthak@nexgo.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Cleaner, better vetted, faster. Based on fiat.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

This goes against user choice, but it's also required to get Windows 7
users upgrading again.
Reported-by: /u/tarakan1983 on Reddit
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

There's only one 'h' in the search string, so the efficiency is about
the same.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Some people might have the right setupapi.dll without actually having
installed the quickfix. Search for a distinguishing feature instead.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

...in the source code.
Signed-off-by: Simon Rozman <simon@rozman.si>

When MSI is upgrading previous version, the RemoveExistingProducts
shouldn't kill our processes we just installed and started.
Signed-off-by: Simon Rozman <simon@rozman.si>

On upgrades from <=0.1.1 there's a short window, where new tunnel
service may delete the Wintun 0.8 driver from the store, while 0.1.1
removal is about to do the same, and fails with "File not found".
The computer ended up with the old WireGuard installed.
Signed-off-by: Simon Rozman <simon@rozman.si>

This causes more problems than it solves.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

It's actually not required, and we don't do it in updater.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Our YubiHSM signature is much stronger than the junky authenticode one,
but still, it can't hurt. This also hedges against anti-virus in the
event that we forget to sign it -- A/V will inspect whatever code the
fetcher executes, and so we only want to execute authenticode-signed
MSIs, to avoid training their heuristics.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

This is returned by our custom action's method to launch wireguard and
abort.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

With the recently introduced wireguard-installer.exe an issue in MSI
internal caching appeared. With the temporary MSI file used at install
time gone, the MSI was unable to load our custom actions in the
reinstall attempt.
Rather than attempting to reinstall the product and fail, the MSI was
upgraded to launch GUI early in the reinstall attempt and cancel the
execute sequence then.
Signed-off-by: Simon Rozman <simon@rozman.si>