Add notes on creating a self signed build #13987

Merged: seanbudd merged 6 commits into master from addSelfSignedNotes on Aug 10, 2022

@seanbudd seanbudd commented Aug 5, 2022

Member

After this PR, update https://github.com/nvaccess/nvda/wiki/UsingASelfSignedCertificate to refer to this document

Link to issue number:

None

Summary of the issue:

Without a signed NVDA build, certain features cannot be tested.
Only NV Access have the ability to sign a build with the NV Access certificate.
Other developers who wish to create a signed build to test NVDA must sign the build with their own certificate.
There is no documentation on creating a self-signed build.

Description of user facing changes

Added notes on creating and testing a self-signed build.

Description of development approach

Add notes, tested creating a self-signed build.

Based on these instructions: https://docs.microsoft.com/en-us/windows/msix/package/create-certificate-package-signing

Testing strategy:

N/A

Known issues with pull request:

N/a

Change log entries:

N/a

Code Review Checklist:

  • Pull Request description:
    • description is up to date
    • change log entries
  • Testing:
    • Unit tests
    • System (end to end) tests
    • Manual testing
  • API is compatible with existing add-ons.
  • Documentation:
    • User Documentation
    • Developer / Technical Documentation
    • Context sensitive help for GUI changes
  • UX of all users considered:
    • Speech
    • Braille
    • Low Vision
    • Different web browsers
    • Localization in other languages / culture than English

@seanbudd seanbudd requested a review from a team as a code owner August 5, 2022 03:23
@seanbudd seanbudd requested a review from feerrenrut August 5, 2022 03:23

@lukaszgo1 lukaszgo1 left a comment

Contributor

The documentation here seems to be much more complex than the one on our wiki. The additional advantage of the tutorial I've linked to is that it does not require installation of the additional PowerShell modules and relies on the tools which come with Visual Studio by default.

seanbudd commented Aug 8, 2022

Member Author

@lukaszgo1 - I would argue that the steps in that wiki are out of date.
The steps in this PR are from recent Microsoft documentation.
The only change is that it may be worth using a simpler way of adding the certificate.
I'm going to simplify these steps to use Import-PfxCertificate.

@seanbudd seanbudd marked this pull request as draft August 8, 2022 01:01
@seanbudd seanbudd self-assigned this Aug 8, 2022
@seanbudd seanbudd marked this pull request as ready for review August 8, 2022 04:08
@feerrenrut

Contributor

Additionally, I think it would be worth taking the warning intro paragraph from the wiki page:

> You can also generate a self-signed certificate. However, copies of NVDA signed by a self-signed certificate will not function on systems where it is not installed as a trusted root certificate, so this is only suitable for personal use.
>
> Following are instructions on how to generate and install a self-signed certificate. This is not supported and should only be attempted by developers who know what they are doing and are aware of the risks. If the private key is compromised, this poses a serious security risk to your system. You have been warned. Please do not ask further questions on this topic.

It might be helpful to extend this with why you might want to do this. E.G. for testing NVDA in situations that require a signed, trusted install:

  • Accessing processes running as administrator
  • ...

Ideally this will link to another document that explains that need in more detail. This self signed cert doc is a "how-to guide", the other doc would be an "explainer".

Comment thread devDocs/selfSignedBuild.md Outdated
```ps1
cd <nvdaSourceDirectory>
$password = ConvertTo-SecureString -String <Password> -Force -AsPlainText
Import-PfxCertificate -Password $password -CertStoreLocation "Cert:\LocalMachine\TrustedPublisher" -FilePath local.pfx
```
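
Review bot: the `$password = ConvertTo-SecureString -String <Password> -Force -AsPlainText` line has the reader type the PFX password in clear text on the command line, where it stays visible on screen and in anything that records the session. Consider `$password = Read-Host -AsSecureString` so the value is prompted for and never written out. The `Import-PfxCertificate` line writes to `Cert:\LocalMachine\TrustedPublisher`, a machine-wide store, so the step should state that it needs an elevated PowerShell session if the surrounding text does not already, and a short follow-up on removing the certificate from that store once testing is finished would fit the risk being described.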

Contributor

The same not found issue occurs for me with Import-PfxCertificate. After some googling it turns out that availability of these functions depends on the version of Windows in use rather than version of PowerShell. While for generating certificates it is reasonable to assume developers are on an up-to-date OS, the same cannot be said about importing a certificate - it is sometimes necessary to test something with a self signed build on older versions of Windows which are still supported by NVDA, where this way of importing would fail. That was IMO the main advantage of the old method described on the wiki - it is OS agnostic and still works.

Member Author

As asked in #13987 (comment), have you installed the prerequisites? They may require a Windows restart to become available.

According to PKI:

This module can run on any of the specified operating system:

  • Windows Server 2008 R2*/2012*/2012 R2*/2016*
  • Windows 7/8/8.1/10

Note that building NVDA is only supported on Windows 10+.

Member Author

> After some googling it turns out that availability of these functions depends on the version of Windows in use rather than version of PowerShell.

Can you provide a reference for this?

Member Author

> it is sometimes necessary to test something with a self signed build on older versions of Windows which are still supported by NVDA, where this way of importing would fail.

Perhaps I can reintroduce the steps for importing certificates via the Windows UI as an alternative. This is a fail safe method across OSs.

Contributor

According to this TechNet question (see the second answer) these PowerShell functions are available on Windows 8 and above. Adding the GUI method of importing the certificate would indeed make sure that there is a consistent method to use regardless of the version of Windows on which the certificate has to be imported.

Member Author

I've added a passing reference for Windows 7. The NVDA docs do not need to cover how to use certificate manager (or similar) in detail. The intended destination store location of the certificate is provided.

seanbudd commented Aug 9, 2022

Member Author

@feerrenrut - I've added a warning preamble.

> It might be helpful to extend this with why you might want to do this. E.G. for testing NVDA in situations that require a signed, trusted install:
>
>   • Accessing processes running as administrator
>   • ...
>
> Ideally this will link to another document that explains that need in more detail. This self signed cert doc is a "how-to guide", the other doc would be an "explainer".

I think this task is blocked by these documents.

@seanbudd seanbudd requested a review from feerrenrut August 9, 2022 02:37
@AppVeyorBot

See test results for failed build of commit d8502f0089

@AppVeyorBot

See test results for failed build of commit 52e6f54f04

@AppVeyorBot

See test results for failed build of commit 52e6f54f04

@AppVeyorBot

See test results for failed build of commit 0355db3b11

@AppVeyorBot

See test results for failed build of commit 0355db3b11

@seanbudd seanbudd merged commit 6de241b into master Aug 10, 2022
@seanbudd seanbudd deleted the addSelfSignedNotes branch August 10, 2022 23:50
@nvaccessAuto nvaccessAuto added this to the 2022.4 milestone Aug 10, 2022