>>> On 19 December 2008 at 15:27, in message
<494baf50.5000...@nikolaenko.ru>,
"Dennis P. Nikolaenko" <den...@nikolaenko.ru> wrote:
> Svein Hansen wrote:
>>   
>>>>> On 19 December 2008 at 14:36, in message
>> <494ba351.8060...@nikolaenko.ru>,
>> "Dennis P. Nikolaenko" <den...@nikolaenko.ru> wrote:
>>   
>>> Svein Hansen wrote:
>>>     
>>>>    DetailPrint "We are running on a 64-bit system."
>>>> +
>>>> +  SetRegView 64
>>>> +  WriteRegStr HKLM "Software\Microsoft\Windows 
>>>> NT\CurrentVersion\AppCompatFlags\Layers" 
>>>> "$INSTDIR\bin\openvpn-gui-1.0.3.exe" "RUNASADMIN"
>>>> +  SetRegView 32
>>>>
>>>>    SetOutPath "$INSTDIR\bin"
>>>>
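Review bot: the SetRegView 64 / SetRegView 32 pair in the 64-bit branch puts the Layers value into the 64-bit registry view, but nothing in the hunks shown removes it again. Add a matching DeleteRegValue on the same HKLM key to the uninstall section, issued under SetRegView 64 on 64-bit systems, otherwise the RUNASADMIN entry outlives the program. Since the value name is a path under $INSTDIR, it is also worth confirming that the install directory is writable only by administrators.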
>>>> @@ -442,6 +446,8 @@
>>>> tap-32bit:
>>>>
>>>>    DetailPrint "We are running on a 32-bit system."
>>>> +  WriteRegStr HKLM "Software\Microsoft\Windows 
>>>> NT\CurrentVersion\AppCompatFlags\Layers" 
>>>> "$INSTDIR\bin\openvpn-gui-1.0.3.exe" "RUNASADMIN"
>>>> +
>>>>
>>>>    SetOutPath "$INSTDIR\bin"
>>>>    File "${GEN}\tapinstall\i386\tapinstall.exe"
>>>>
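Review bot: the WriteRegStr added under tap-32bit repeats the one in the 64-bit branch, and both hardcode openvpn-gui-1.0.3.exe in the value name, so the entry stops matching as soon as the GUI binary is renamed for a new version. Put the file name in a single define and issue the write from one place once the branch has selected the registry view. The added blank line after the WriteRegStr can be dropped.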
>>>> This is maybe not the best way to do it...but it works..
>>>>       
>>> IMO a better option would be to include a manifest instead of polluting
>>> the application compatibility database in the registry.
>>> --
>>> Dennis
>>>     
>>
>> I have tried to add a manifest, but that creates a new issue about
>> signing.
>> (I'm clearly not an expert on manifests...)
>>
>> * openvpn-gui-1.0.3.exe.manifest:
>> Executable: openvpn-gui-1.0.3.exe 
>> Manifest:openvpn-gui-1.0.3.exe.manifest
>> openvpn-gui manifest file:
>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
>>   <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
>>     <security>
>>       <requestedPrivileges>
>>         <requestedExecutionLevel
>>           level="requireAdministrator"
>>           uiAccess="false"/>
>>       </requestedPrivileges>
>>     </security>
>>   </trustInfo>
>> </assembly>
>>
>> Then: 
>> C:\manifest>mt.exe -manifest openvpn-gui-1.0.3.exe.manifest -outputresource:openvpn-gui-1.0.3.exe
>> Microsoft (R) Manifest Tool version 5.2.3790.2075
>> Copyright (c) Microsoft Corporation 2005.
>>
>> Now openvpn-gui-1.0.3.exe is elevated to "requireAdministrator".
>>
>> But, when starting the GUI I get:
>> An unidentified program wants access to your computer 
>> Unidentified Publisher
>> -> Cancel
>> -> Allow
> You should get the same (orange color) error when building the binary
> yourself, unless you take it from the official distribution and you seem
> to have taken it from there...
> If you sign the binary with a code signing certificate which is in
> turn signed by a trusted root CA, you would get a "good" UAC prompt for
> a signed application. You have to buy a code signing certificate from a
> preinstalled CA or install a self-generated CA on all your client machines.
> From a signing point of view, yes, the app compat solution is better as it
> does not require any additional "acrobatics". Just ensure that the app compat
> entry is removed when OpenVPN GUI is uninstalled.
> --
> Dennis

Thanks for the enlightenment :-)

Maybe this is something for the OpenVPN developers to dive into?
There must be several sysadmins that would like to see this included in
the official distribution. Or?

One vote from me..

Svein Hansen
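
A check covering the two points raised in this thread (the app compat entry and the signing status behind the UAC prompt), added here as an example and not part of the original messages or of the OpenVPN installer. It lists HKLM Layers entries containing RUNASADMIN in both registry views, the same views the patch selects with SetRegView; the function name Get-RunAsAdminLayer is an assumption of this example, and it needs PowerShell 3 or later.

```powershell
# Added example (not from the thread): list HKLM compatibility-layer entries
# that force elevation, in the 64-bit and 32-bit registry views.
$LayersKey = 'Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'

function Get-RunAsAdminLayer {   # hypothetical helper name
    # A 32-bit OS has a single view, so only query it once there.
    $views = if ([Environment]::Is64BitOperatingSystem) {
        'Registry64', 'Registry32'
    } else {
        'Registry32'
    }
    foreach ($view in $views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', $view)
        $key  = $base.OpenSubKey($LayersKey)      # read-only; $null if absent
        try {
            if ($null -eq $key) { continue }
            foreach ($path in $key.GetValueNames()) {
                $layers = [string]$key.GetValue($path)
                # Value name is the executable path; data is the layer list.
                if (-not $path -or $layers -notmatch '\bRUNASADMIN\b') { continue }
                $exists = Test-Path -LiteralPath $path -PathType Leaf
                $status = if ($exists) {
                    (Get-AuthenticodeSignature -LiteralPath $path).Status
                } else {
                    'FileMissing'   # stale entry, e.g. left behind by an uninstall
                }
                [pscustomobject]@{
                    View = $view; Path = $path; Layers = $layers
                    FileExists = $exists; Signature = $status
                }
            }
        } finally {
            if ($key) { $key.Close() }
            $base.Close()
        }
    }
}

Get-RunAsAdminLayer | Format-Table -AutoSize
```

A row with Signature NotSigned is a binary that will raise the "Unidentified Publisher" prompt described above; FileExists False marks an entry that was not cleaned up when the program was removed.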
