tis-verif-secureboot-uefi-ca-2023
Paquet d’installation silencieuse pour tis-verif-secureboot-uefi-ca-2023
12-1
- package: tis-verif-secureboot-uefi-ca-2023
- name: tis-verif-secureboot-uefi-ca-2023
- version: 12-1
- maintainer: Simon Fonteneau, Kevin Cherel
- licence: ©
- target_os: windows
- architecture: all
- signature_date:
- size: 7.31 Ko
package : tis-verif-secureboot-uefi-ca-2023
version : 12-1
architecture : all
section : base
priority : optional
name : tis-verif-secureboot-uefi-ca-2023
categories :
maintainer : Simon Fonteneau, Kevin Cherel
description : Ce script permet de contrôler que le démarrage sécurisé est activé et que le certificat Windows UEFI CA 2023 est bien présent dans la base UEFI.
depends :
conflicts :
maturity : PROD
locale :
target_os : windows
min_wapt_version :
sources :
installed_size :
impacted_process :
description_fr :
description_pl : Ten skrypt sprawdza, czy funkcja Secure Boot jest włączona oraz czy certyfikat Windows UEFI CA 2023 jest obecny w bazie UEFI.
description_de : Dieses Skript überprüft, ob Secure Boot aktiviert ist und ob das Zertifikat Windows UEFI CA 2023 in der UEFI-Datenbank vorhanden ist.
description_es : Este script verifica que Secure Boot esté habilitado y que el certificado Windows UEFI CA 2023 esté presente en la base de datos UEFI.
description_pt : Este script verifica se o Secure Boot está ativado e se o certificado Windows UEFI CA 2023 está presente na base de dados UEFI.
description_it : Questo script verifica che Secure Boot sia abilitato e che il certificato Windows UEFI CA 2023 sia presente nel database UEFI.
description_nl : Dit script controleert of Secure Boot is ingeschakeld en of het certificaat Windows UEFI CA 2023 aanwezig is in de UEFI-database.
description_ru : Этот скрипт проверяет, включена ли функция Secure Boot и присутствует ли сертификат Windows UEFI CA 2023 в базе данных UEFI.
audit_schedule :
editor :
keywords :
licence : ©
homepage :
package_uuid : 63ca4881-2737-4063-9d60-e8175b23342a
valid_from :
valid_until :
forced_install_on :
changelog :
min_os_version :
max_os_version :
icon_sha256sum : 03c0491e556f63f98f6ca32ec6beb1894fac54fb804d53e6086e4a26c0ac7491
signer : Tranquil IT
signer_fingerprint: 8c5127a75392be9cc9afd0dbae1222a673072c308c14d88ab246e23832e8c6bb
signature_date : 2026-02-27T21:06:20.000000
signed_attributes : package,version,architecture,section,priority,name,categories,maintainer,description,depends,conflicts,maturity,locale,target_os,min_wapt_version,sources,installed_size,impacted_process,description_fr,description_pl,description_de,description_es,description_pt,description_it,description_nl,description_ru,audit_schedule,editor,keywords,licence,homepage,package_uuid,valid_from,valid_until,forced_install_on,changelog,min_os_version,max_os_version,icon_sha256sum,signer,signer_fingerprint,signature_date,signed_attributes
signature : JlOT1OXAS3oRbNS6NDAHq8FOE5WKxckzCUfaxC0jmOi13fCdDHeFKBNkKl+KaOcDGKz2bc5yC0r2iCSvTJWbacqZybJrcri7WqG/09gOiOIOlld4zXfMLVMFAo3tw0oiw6G8R6DS/jL6CiNE6KS6PHt+OD4O9zFDtnAeM5bhOw4zPAF7ENCmlZwVR0sdyrd+s96fAdr2VE9IMo7RkWP9Uc4JEnYQpdvSvXxfR3qvJcF6Fl6+TVf3NBaULfS3FQsjLBa0wkqCZqTkYVAc1B33+GyHubqHHdOD0OabLvDrwamZ+ESpw2ape6DFDeri4y3Y6kheII/osQGmV9fZTxI02g==
# -*- coding: utf-8 -*-
from setuphelpers import *
import os
import shutil
import ctypes
import waptlicences
from ctypes import wintypes
# kernel32 is loaded with use_last_error=True so that ctypes saves the Win32
# last-error code after each foreign call; ctypes.get_last_error() reads
# that saved copy.
kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)

# Shorthand for the DWORD out-parameters of GetVolumeInformationW.
_LPDWORD = ctypes.POINTER(wintypes.DWORD)

# --- Volume enumeration: FindFirstVolumeW / FindNextVolumeW / FindVolumeClose ---
FindFirstVolumeW = kernel32.FindFirstVolumeW
FindFirstVolumeW.restype = wintypes.HANDLE
FindFirstVolumeW.argtypes = [wintypes.LPWSTR, wintypes.DWORD]

FindNextVolumeW = kernel32.FindNextVolumeW
FindNextVolumeW.restype = wintypes.BOOL
FindNextVolumeW.argtypes = [wintypes.HANDLE, wintypes.LPWSTR, wintypes.DWORD]

FindVolumeClose = kernel32.FindVolumeClose
FindVolumeClose.restype = wintypes.BOOL
FindVolumeClose.argtypes = [wintypes.HANDLE]

# --- Volume properties (used to read the file-system name) ---
GetVolumeInformationW = kernel32.GetVolumeInformationW
GetVolumeInformationW.restype = wintypes.BOOL
GetVolumeInformationW.argtypes = [
    wintypes.LPCWSTR,                 # lpRootPathName
    wintypes.LPWSTR, wintypes.DWORD,  # lpVolumeNameBuffer, nVolumeNameSize
    _LPDWORD,                         # lpVolumeSerialNumber
    _LPDWORD,                         # lpMaximumComponentLength
    _LPDWORD,                         # lpFileSystemFlags
    wintypes.LPWSTR, wintypes.DWORD,  # lpFileSystemNameBuffer, nFileSystemNameSize
]

# --- Mount point management: attach / detach a volume on a directory ---
SetVolumeMountPointW = kernel32.SetVolumeMountPointW
SetVolumeMountPointW.restype = wintypes.BOOL
SetVolumeMountPointW.argtypes = [wintypes.LPCWSTR, wintypes.LPCWSTR]  # mountPoint, volumeName

DeleteVolumeMountPointW = kernel32.DeleteVolumeMountPointW
DeleteVolumeMountPointW.restype = wintypes.BOOL
DeleteVolumeMountPointW.argtypes = [wintypes.LPCWSTR]  # mountPoint
def install():
    """Request a Secure Boot update and start the Windows servicing task.

    Although the package is described as a verification script, installing
    it changes machine state: it writes ``AvailableUpdates`` under
    ``HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecureBoot`` and then runs the
    ``\\Microsoft\\Windows\\PI\\Secure-Boot-Update`` scheduled task.
    """
    secureboot_key = r'SYSTEM\CurrentControlSet\Control\SecureBoot'
    update_task = r'\Microsoft\Windows\PI\Secure-Boot-Update'

    # 0x40 == 64. NOTE(review): per Microsoft's Secure Boot servicing guidance
    # this bit presumably requests adding the Windows UEFI CA 2023 certificate
    # to the firmware db - confirm against the current guidance. The write
    # replaces the whole value, so any other pending bits are overwritten.
    registry_set(HKEY_LOCAL_MACHINE, secureboot_key, 'AvailableUpdates', 0x40)
    run_task(update_task)
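def audit():
    """Collect Secure Boot / Windows UEFI CA 2023 state and return an audit status.

    Gathers into one dict, stored with ``WAPT.write_audit_data_if_changed``:

    * the result of ``Confirm-SecureBootUEFI`` (``False`` if the call fails);
    * the ``Servicing`` registry values listed below;
    * the signer name and fingerprint of ``EFI\\Boot\\bootx64.efi`` found on
      the first FAT32 volume that contains it;
    * whether the string ``Windows UEFI CA 2023`` appears in the raw bytes
      of the Secure Boot ``db`` variable.

    Returns:
        ``"OK"`` when ``WindowsUEFICA2023Capable`` is ``'2'``, ``"WARNING"``
        when it is ``'1'``, ``"ERROR"`` otherwise.

    Raises:
        OSError: if a FAT32 volume cannot be mounted or unmounted.
    """
    servicing_key = r"SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing"
    result = {}

    # Any failure of the cmdlet is recorded as "Secure Boot not confirmed".
    # `except Exception` (not a bare except) so that KeyboardInterrupt and
    # SystemExit are not swallowed.
    try:
        result['SecureBootUEFI'] = run_powershell('Confirm-SecureBootUEFI')
    except Exception:
        result['SecureBootUEFI'] = False

    list_key = ["UEFICA2023Status", "WindowsUEFICA2023Capable", "UEFICA2023Error", "ConfidenceLevel", "AvailableUpdates"]
    for u in list_key:
        result[u] = registry_readstring(HKEY_LOCAL_MACHINE, servicing_key, u)

    # NOTE(review): fixed, predictable directory at the root of C:. If
    # non-administrators can create entries there, they could pre-create it
    # (a non-empty directory makes the mount fail). A directory under an
    # administrators-only location would narrow that - confirm the ACLs.
    mount_dir = r"C:\_esp_mount"
    mkdirs(mount_dir)

    # Enumerate first, mount afterwards, so the volume search handle is
    # closed before any mount point is created.
    candidates = []
    for vol in iter_volumes():
        fs = get_fs_type(vol)
        if fs and fs.upper() == "FAT32":
            candidates.append(vol)

    name_sign = ""
    finger_sing = ""
    try:
        for vol in candidates:
            # Mount outside the try/finally: if the mount itself fails there
            # is nothing to unmount, and calling unmount_dir() would raise a
            # second error that hides the real cause.
            mount_volume_to_dir(vol, mount_dir)
            try:
                p1 = os.path.join(mount_dir, "EFI", "Boot", "bootx64.efi")
                # Any FAT32 volume is a candidate (a removable drive, for
                # instance), so only volumes that actually hold the boot
                # file are inspected.
                boot_file_found = os.path.isfile(p1)
                if boot_file_found:
                    # NOTE(review): the helper name says "msi"; presumably it
                    # performs a generic Authenticode check - confirm that it
                    # supports EFI binaries.
                    name_sign, finger_sing = waptlicences.check_msi_signature(p1)
            finally:
                # Keep the volume exposed at the mount point as briefly as possible.
                unmount_dir(mount_dir)
            if boot_file_found:
                # Stop at the first hit so a later FAT32 volume cannot
                # overwrite the signer information already collected.
                break
    finally:
        # Remove the mount directory even when a step above raised; the
        # emptiness test keeps a still-mounted or foreign directory in place.
        if os.path.isdir(mount_dir) and not os.listdir(mount_dir):
            os.rmdir(mount_dir)

    result['SignerName'] = name_sign
    # The key spelling ('Singer...') is kept as-is: it is part of the stored
    # audit data and existing consumers may depend on it.
    result['SingerFingerPrint'] = finger_sing

    # Substring search over the raw db bytes: a heuristic for the presence of
    # the certificate, not a parsed-certificate comparison.
    try:
        result['CA_2023_in_SecureBootUEFI_DB'] = run_powershell(r"[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'")
    except Exception:
        result['CA_2023_in_SecureBootUEFI_DB'] = False

    WAPT.write_audit_data_if_changed("verif-secureboot-uefi-ca-2023", "verif-secureboot-uefi-ca-2023", result)

    # NOTE(review): the returned status depends on the registry value only;
    # result['SecureBootUEFI'] and result['CA_2023_in_SecureBootUEFI_DB'] are
    # stored but do not influence it, so a host with Secure Boot disabled
    # can still report "OK". Confirm that this is intended.
    capable = result["WindowsUEFICA2023Capable"]  # already read above
    if capable == '2':
        print("The certificate is present and the PC is already booting with the new 2023-signed boot manager.")
        return "OK"
    elif capable == '1':
        print("The certificate is present in the Secure Boot database.")
        return "WARNING"
    else:
        print("The registry key is missing or incorrect.")
        return "ERROR"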
def _raise_last_error(msg: str):
    """Raise ``OSError`` carrying the last Win32 error code saved by ctypes.

    The code comes from ``ctypes.get_last_error()`` and is used both as the
    first ``OSError`` argument and in the message text.

    NOTE(review): the Win32 code is passed in the ``errno`` position, so
    ``exc.errno`` holds a Win32 code rather than a C errno value - keep that
    in mind when inspecting the exception.
    """
    code = ctypes.get_last_error()
    detail = "{} (WinError={})".format(msg, code)
    raise OSError(code, detail)
def iter_volumes():
    """Yield the name of every volume reported by FindFirstVolumeW/FindNextVolumeW.

    Names have the form ``\\\\?\\Volume{GUID}\\``. The search handle is closed
    when the generator finishes or is discarded.

    Raises:
        OSError: if the initial FindFirstVolumeW call fails.
    """
    name_buf = ctypes.create_unicode_buffer(1024)
    search = FindFirstVolumeW(name_buf, len(name_buf))

    # INVALID_HANDLE_VALUE is -1 seen through the HANDLE type.
    invalid_handle = wintypes.HANDLE(-1).value
    if search in (invalid_handle, 0):
        _raise_last_error("FindFirstVolumeW failed")

    try:
        has_more = True
        while has_more:
            yield name_buf.value
            # A false return ends the enumeration; the reason for the
            # failure is not inspected.
            has_more = bool(FindNextVolumeW(search, name_buf, len(name_buf)))
    finally:
        FindVolumeClose(search)
def get_fs_type(volume_guid_path: str) -> str | None:
    """Return the file-system name of a volume, or ``None`` if the query fails.

    Args:
        volume_guid_path: volume name as produced by ``iter_volumes()``.

    Returns:
        The string written by GetVolumeInformationW into the file-system
        name buffer (the caller compares it with ``"FAT32"``), or ``None``
        when the call reports failure.
    """
    volume_label = ctypes.create_unicode_buffer(256)
    fs_name = ctypes.create_unicode_buffer(64)
    # Out-parameters required by the API; their values are not used here.
    serial_number = wintypes.DWORD()
    max_component_len = wintypes.DWORD()
    fs_flags = wintypes.DWORD()

    succeeded = GetVolumeInformationW(
        volume_guid_path,
        volume_label, len(volume_label),
        ctypes.byref(serial_number),
        ctypes.byref(max_component_len),
        ctypes.byref(fs_flags),
        fs_name, len(fs_name),
    )
    return fs_name.value if succeeded else None
def mount_volume_to_dir(volume_guid_path: str, mount_dir: str):
    """Mount a volume on a directory with SetVolumeMountPointW.

    The directory is created if it does not exist, and a trailing backslash
    is appended to the path before it is passed to the API.

    Args:
        volume_guid_path: volume name as produced by ``iter_volumes()``.
        mount_dir: directory to use as the mount point.

    Raises:
        OSError: if SetVolumeMountPointW reports failure.
    """
    mount_point = mount_dir if mount_dir.endswith("\\") else mount_dir + "\\"
    # NOTE(review): an already existing directory is reused as-is; nothing
    # here checks who created it or what it contains.
    os.makedirs(mount_point, exist_ok=True)
    if not SetVolumeMountPointW(mount_point, volume_guid_path):
        _raise_last_error(f"SetVolumeMountPointW failed for {volume_guid_path}")
def unmount_dir(mount_dir: str):
    """Detach the volume mounted on ``mount_dir`` with DeleteVolumeMountPointW.

    A trailing backslash is appended to the path before it is passed to the
    API. The directory itself is left in place; the caller removes it.

    Raises:
        OSError: if DeleteVolumeMountPointW reports failure.
    """
    mount_point = mount_dir if mount_dir.endswith("\\") else mount_dir + "\\"
    if not DeleteVolumeMountPointW(mount_point):
        _raise_last_error(f"DeleteVolumeMountPointW failed for {mount_dir}")
38d056ab130f7bf7c481c12636a4e9959de36561d3dfcbe54c6e3571bc0c1dc3 : WAPT/certificate.crt
7271a9ba8f2f7e5a8a78ff39f32d36136f4931ff4ee108b7b5e82da2c4d497b3 : WAPT/control
03c0491e556f63f98f6ca32ec6beb1894fac54fb804d53e6086e4a26c0ac7491 : WAPT/icon.png
2ee541317500f912f0a1c2015d01c2321c8a54acbcc1f6892778f812c6496bc4 : luti.json
357509da13520ead05ac416ee7b8276258c1d44eee73560358c6b4539938063b : setup.py