First build the binaries, obvi. Pay close attention here to the CMake invocation flags. We specify the MultiThreaded to ensure there's no requirement on a linkage of MSVCRT, and further build the tests to ensure they're mostly passing locally.
PS C:\Users\Nicholas\work\repos\osquery\build\windows10> cmake -DCMAKE_MSVC_RUNTIME_LIBRARY=MultiThreaded -DOSQUERY_BUILD_TESTS=ON -G "Visual Studio 16 2019" -A x64 -T v141 ..\..\
-- Selecting Windows SDK version 10.0.18362.0 to target Windows 10.0.19041.
-- osquery version: 4.4.0
-- Build type:
-- Shared libraries: OFF
-- Importing: source/boost
-- Importing: source/bzip2
-- Importing: source/gflags
...
PS C:\Users\Nicholas\work\repos\osquery\build\windows10> cmake --build . --config Release -j24
...
PS C:\Users\Nicholas\work\repos\osquery\build\windows10> cmake --build . --config Release -j24 --target run_tests
...
Next up, for the MSI, we can sign the binaries:
# "Dot source" the `osquery_utils.ps1` script:
PS C:\Users\Nicholas\work\repos\osquery> . .\tools\deployment\chocolatey\tools\osquery_utils.ps1
# I use a helper function for setting the authenticode signature:
PS C:\Users\Nicholas\work\repos\osquery\build\windows10> function Set-AuthenticodeSignature() {
  param(
    [string] $binpath = '',
    [string] $certpath = '',
    [string] $certpw = ''
  )
  # signtool.exe ships with the Windows SDK and must be on the PATH
  if (-not (Get-Command 'signtool.exe' -ErrorAction SilentlyContinue)) {
    Write-Host '[-] signtool.exe was not found in system path' -ForegroundColor Red
    # 'return' leaves the function; 'exit' would close the interactive shell
    return
  }
  $signtool = (Get-Command 'signtool.exe').Source
  # SHA-256 file digest (/fd) and an RFC 3161 timestamp (/tr, /td)
  $signtool_args = @(
    'sign',
    "/f $certpath",
    "/p `"$certpw`"",
    '/tr http://timestamp.digicert.com',
    '/td sha256',
    '/fd sha256',
    "$binpath"
  )
  # Start-OsqueryProcess comes from the dot-sourced osquery_utils.ps1
  $null = Start-OsqueryProcess $signtool $signtool_args $false
}
# Now you can actually sign the binaries. I have my certs on a BitLocker encrypted thumb drive:
PS C:\Users\Nicholas\work\repos\osquery\build\windows10> Set-AuthenticodeSignature 'C:\Users\Nicholas\work\repos\osquery\build\windows10\osquery\Release\osqueryd.exe' F:\Path\To\signing_cert.p12 '<CODE SIGNING CERT PW>'
PS C:\Users\Nicholas\work\repos\osquery\build\windows10> Set-AuthenticodeSignature 'C:\Users\Nicholas\work\repos\osquery\build\windows10\osquery\Release\osqueryi.exe' F:\Path\To\signing_cert.p12 '<CODE SIGNING CERT PW>'
# Next, build the MSI and sign it:
PS C:\Users\Nicholas\work\repos\osquery\build\windows10> cmake --build . --config Release -j24 --target package
Microsoft (R) Build Engine version 16.3.2+e481bbf88 for .NET Framework
Copyright (C) Microsoft Corporation. All rights reserved.
Generating ../../test_configs/aws
Generating ../test_configs/specs/darwin
Generating .
Generating ../../test_configs/test.config.d
...
PS C:\Users\Nicholas\work\repos\osquery\build\windows10> Set-AuthenticodeSignature 'C:\Users\Nicholas\work\repos\osquery\build\windows10\osquery-4.4.0.msi' F:\Path\To\signing_cert.p12 '<CODE SIGNING CERT PW>'
# That's it, distribute the signed MSI.
# You can check your work by verifying that the MSI has a digital signature
# and further that after you install from said MSI, both the osqueryd.exe and osqueryi.exe
# binaries have digital signatures. I like to do this process both from an upgrade
# and clean install standpoint.
Building and signing the osquery Chocolatey packages:
Run the cmake generation with the nupkg build target, again pay attention to cmake variables, and build the binaries:
Lastly, verify the install by installing the choco package. Again I like to verify both the clean install and upgrade workflows:
PS C:\Users\Nicholas\Desktop\osquery-release-bins\osquery-4.4.0> choco install -yf --version 4.4.0 osquery -s . --params='/InstallService'
Chocolatey v0.10.15
Installing the following packages:
osquery
By installing you accept licenses for the packages.
osquery v4.4.0 (forced)
osquery package files install completed. Performing other installation steps.
C:\Program Files\osquery\log
True
osqueryd
PATH environment variable does not have C:\Program Files\osquery in it. Adding...
Environment Vars (like PATH) have changed. Close/reopen your shell to
see the changes (or in powershell/cmd.exe just type `refreshenv`).
ShimGen has successfully created a shim for osqueryi.exe
ShimGen has successfully created a shim for osqueryd.exe
The install of osquery was successful.
Software install location not explicitly set, could be in package or
default install location if installer.
Chocolatey installed 1/1 packages.
See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).
This should install osquery as a system service, and you should see the digital signature on both the osqueryi and osqueryd binaries, and the service should be running:
PS C:\Users\Nicholas\Desktop\osquery-release-bins\osquery-4.4.0> Get-service osqueryd
Status   Name               DisplayName
------   ----               -----------
Running  osqueryd           osqueryd
Nice. I added this to https://gist.github.com/directionless/767825510afc3cce99dfeb1d4eadb67a
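The "check your work" step described above (the MSI carries a signature, and so do both binaries after install), as an added example that is not part of the original post. `Test-OsquerySignature` and the thumbprint placeholder are hypothetical names; the MSI path and the `C:\Program Files\osquery` install directory are the ones shown in the output above.

```powershell
# Added example, not from the original post. Uses the built-in
# Get-AuthenticodeSignature cmdlet; Test-OsquerySignature is a hypothetical helper.
function Test-OsquerySignature {
  param(
    [Parameter(Mandatory)] [string[]] $Path,
    # Thumbprint of your code signing cert (placeholder, supply your own).
    [string] $ExpectedThumbprint = ''
  )
  foreach ($file in $Path) {
    $sig = Get-AuthenticodeSignature -FilePath $file
    $signer = $sig.SignerCertificate
    $problems = @()
    # 'Valid' means the hash matches and the chain is trusted on this host
    if ($sig.Status -ne 'Valid') { $problems += "status is $($sig.Status)" }
    # A valid signature from the wrong cert is still a failed release check
    if ($ExpectedThumbprint -and $signer -and
        $signer.Thumbprint -ne $ExpectedThumbprint) {
      $problems += 'signed by an unexpected certificate'
    }
    # The signing helper passes /tr, so a timestamp countersignature is
    # expected; without one the signature stops verifying at cert expiry.
    if (-not $sig.TimeStamperCertificate) {
      $problems += 'no timestamp countersignature'
    }
    [pscustomobject]@{
      File     = $file
      Signer   = if ($signer) { $signer.Subject } else { $null }
      Ok       = ($problems.Count -eq 0)
      Problems = $problems -join '; '
    }
  }
}

# The MSI from the build directory, plus whatever the installer laid down.
$msi = 'C:\Users\Nicholas\work\repos\osquery\build\windows10\osquery-4.4.0.msi'
$installed = Get-ChildItem 'C:\Program Files\osquery' -Recurse -File `
  -Include osqueryi.exe, osqueryd.exe | Select-Object -ExpandProperty FullName
if (@($installed).Count -lt 2) {
  Write-Warning 'expected both osqueryi.exe and osqueryd.exe under the install dir'
}

$results = Test-OsquerySignature -Path (@($msi) + @($installed)) `
  -ExpectedThumbprint '<SIGNING CERT THUMBPRINT>'
$results | Format-Table File, Ok, Problems -AutoSize
if ($results.Ok -contains $false) {
  Write-Error 'one or more osquery artifacts failed the signature check'
}
```

Run it once after a clean install and once after an upgrade, matching the two workflows above.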