incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Liu Da Li <wawal...@gmail.com>
Subject Re: Windows 8 Compatibility?
Date Mon, 11 Jun 2012 06:48:46 GMT
There are so many items in the Windows 8 certification list, I try to go
through it and find that there is maybe about 43 TODO items for us to do
the certification. Most of the TODO items  are just a verification jobs,
but some code change jobs maybe are need to do for the sections 4.1,5.1,
9.1, 10.2,11.7.
I have try to verify some items, the result be marked at green.
Herbert1 also go through the list, I put his result at the end of each
section.

Items which maybe need to change some codes
------------------------------------------------
4.1 Your app must handle critical shutdowns appropriately
In a critical shutdown, apps that return FALSE to WM_QUERYENDSESSION will
be sent WM_ENDSESSION and closed, while those that time out in response to
WM_QUERYENDSESSION will be terminated. .
5.1 Your app must properly implement a clean, reversible installation
If the installation fails, the app should be able to roll it back and
restore the machine to its previous state.
9.1 Your app must have a manifest that defines execution levels and tells
the operating system what privileges the app requires in order to run
The app manifest marking only applies to EXEs, not DLLs. This is because
UAC does not inspect DLLs during process creation. It is also worth noting
that UAC rules do not apply to Windows Services. The manifest can be either
embedded or external.
To create a manifest, create a file with the name <app_name>.exe.manifest
and store it in the same directory as the EXE. Note that any external
manifest is ignored if the app has an internal manifest. For example:
 <requestedExecutionLevel level=""asInvoker | highestAvailable |
requireAdministrator"" uiAccess=""true|false""/>
10.2 Your app must avoid starting automatically on startup
For example, your app should not set any of the following;
Registry run keys HKLM and, or HKCU under
Software\Microsoft\Windows\CurrentVersion
Registry run keys HKLM, and or HKCU under
Software\Wow6432Node\Microsoft\windows\CurrentVersion
Start Menu AllPrograms > STARTUP
11.7 Your app must check other terminal service (TS) sessions for existing
instances of the app
Note: If an app does not support multiple user sessions or remote access,
it must clearly state this when launched from this kind of session.
------------------------------------------------------------------------------------------
Full TODO items.

1. Apps are compatible and resilient
1.1 Your app must not take a dependency on Windows compatibility modes,
AppHelp message, and or any other compatibility fixes
TODO 1.1 : Need verification , don't depend.
1.2 Your app must not take a dependency on the VB6 runtime
TODO 1.2 : Need verification , don't depend.
1.3 Your app must not load arbitrary DLLs to intercept Win32 API calls
using HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_dlls.
TODO 1.3 : Need verification , don't load.
Herbert1: Win8 Cert Section 1 : ok

2. Apps must adhere to Windows Security Best Practices
2.1 Your app must use strong and appropriate ACLs to secure executable files
TODO 2.1 : Need verification
2.2 Your app must use strong and appropriate ACLs to secure directories
TODO 2.2 : Need verification
2.3 Your app must use strong and appropriate ACLs to secure registry keys
TODO 2.3 : Need verification
2.4 Your app must use strong and appropriate ACLs to secure directories
that contain objects
TODO 2.4 : Need verification
2.5 Your app must reduce non-administrator access to services that are
vulnerable to tampering
TODO 2.5 : Need verification
2.6 Your app must prevent services with fast restarts from restarting more
than twice every 24 hours
TODO 2.6 : Need verification
Herbert1: Win8 Cert Section 2 : if the MSI based installer does it it is
fine,we are using nsis-2.46 for building the MSI package but Windows itself
does the installation of the MSI packages

3. Apps support Windows security features
3.1 Your app must not use AllowPartiallyTrustedCallersAttribute (APTCA) to
ensure secure access to strong-named assemblies
TODO 3.1 : Need verification,
3.2 Your app must be compiled using the /SafeSEH flag to ensure safe
exceptions handling
TODO 3.2 : Need verification, we use it
3.3 Your app must be compiled using the /NXCOMPAT flag to prevent data
execution
TODO 3.3 : Need verification, we use it
3.4 Your app must be compiled using the /DYNAMICBASE flag for address space
layout randomization (ASLR)
TODO 3.4 : Need verification, we use it
3.5 Your app must not Read/Write Shared PE Sections
TODO 3.5 : Need verification,
Herbert1: Win8 Cert Section 3 : we are running with SafeSEH, NXCOMPAT,
DYNAMICBASE, but the libraries we ship have to be modified to use these
flags too,I'm almost certain that we don't use APTCA,I'm not so sure about
the RW PW Sections, but I guess we do not have any.

4. Apps must adhere to system restart manager messages
4.1 Your app must handle critical shutdowns appropriately
TODO 4.1 : Need verification,
4.2 A GUI app must return TRUE immediately in preparation for a restart
TODO 4.2 : Need verification, we do
4.3 Your app must return 0 within 30 seconds and shut down
TODO 4.3 : Need verification,we do
Herbert1: Win8 Cert Section 4 : WM_QUERYENDSESSION needs to be
implemented,these new messages are currently ignored

5. Apps must support a clean, reversible installation
5.1 Your app must properly implement a clean, reversible installation
TODO 5.1 : Need verification,
5.2 Your app must never force the user to restart the computer immediately
TODO 5.2 : Need verification,we never
5.3 Your app must never be dependent on 8.3 short file names (SFN)
TODO 5.3 : Need verification,we never
5.4 Your app must never block silent install/uninstall
TODO 5.4 : Need verification,
5.5 Your app installer must create the correct registry entries to allow
successful detection and uninstalls
TODO 5.5 : Need verification,
Herbert1: Win8 Cert Section 5: making sure that the registry entries and
files are restored is difficult

6. Apps must digitally sign files and drivers
6.1 All executable files (.exe, .dll, .ocx, .sys, .cpl, .drv, .scr) must be
signed with an Authenticode certificate
TODO 6.1:Need to do digitally sign
Herbert1: Win8 Cert Section 6: Having authentication credentials would be
good even if don't pursue Win8 shop certification

7. Apps don’t block installation or app launch based on an operating system
version check
7.1 Your app must not perform version checks for equality
TODO 7.1 : Need verification,
Herbert1: Win8 Cert Section 7: We are doing win-version checks, but I'm
almost certain that it is not a check for equality. Needs to be checked
though.

8. Apps don’t load services or drivers in safe mode
TODO 8 : Need verification, we don't

9. Apps must follow User Account Control guidelines
9.1 Your app must have a manifest that defines execution levels and tells
the operating system what privileges the app requires in order to run
TODO 9.1 : Need verification,
9.2 Your app’s main process must be run as a standard user (asInvoker).
TODO 9.2 : Need verification,

10. Apps must install to the correct folders by default
10.1 Your app must be installed in the Program Files folder by default
TODO 10.1: Need verification,we do
10.2 Your app must avoid starting automatically on startup
TODO 10.2: Need verification, the quick start is a issue
10.3 Your app data, which must be shared among users on the computer,
should be stored within ProgramData
TODO 10.3: Need verification,we do
10.4 Your app’s data that is exclusive to a specific user and that is not
to be shared with other users of the computer, must be stored in
Users\<username>\AppData
TODO 10.4: Need verification,we do
10.5 Your app must never write directly to the "Windows" directory and or
subdirectories
TODO 10.5: Need verification,we never
10.6 Your app must write user data at first run and not during the
installation in “per-machine” installations
TODO 10.6: Need verification,we do

11. Apps must support multi-user sessions
11.1 Your app must ensure that when running in multiple sessions either
locally or remotely, the normal functionality of the app is not adversely
affected
TODO 11.1: Need verification,
11.2 Your app’s settings and data files must not persist across users
TODO 11.2: Need verification,
11.3 A user’s privacy and preferences must be isolated to the user’s
session
TODO 11.3: Need verification,
11.4 Your app’s instances must be isolated from each other
TODO 11.4: Need verification,
11.5 Apps that are installed for multiple users must store data in the
correct folder(s) and registry locations
Refer to the UAC requirements.
TODO 11.5: Need verification,
11.6 User apps must be able to run in multiple user sessions (Fast User
Switching) for both local and remote access
TODO 11.6: Need verification,
11.7 Your app must check other terminal service (TS) sessions for existing
instances of the app
TODO 11.7: Need verification,
Herbert1: Win8 Cert Section 11.7: we need to rearchitect our IPC to TS
session management

12. Apps must support x64 versions of Windows
12.1 Your app must natively support 64-bit or, at a minimum, 32-bit
Windows-based apps must run seamlessly on 64-bit systems to maintain
compatibility with 64-bit versions of Windows
TODO 12.1: Need verification, AOO can be run on 64-bit system
12.2 Your app and its installers must not contain any 16-bit code or rely
on any 16-bit component
TODO 12.2: Need verification,  AOO not contain 16-bit code
12.3 Your app’s setup must detect and install the proper drivers and
components for the 64-bit architecture
TODO 12.3: Need verification,



2012/6/7 Rob Weir <robweir@apache.org>

> I installed the Windows 8 Tech Preview (32-bit) today on a virtual
> server.  After a few minutes to figure out the new platform UI I
> installed AOO 3.4.  Install went without problems and it appears to
> run fine.
>
> Of course, there is more that we could do to be a well-integrated
> Windows desktop application.  The best practices are outlined here:
> http://msdn.microsoft.com/library/windows/desktop/hh749939
>
> A lot of this is goodness that would help users on Windows 7 and
> earlier versions as well.  For example, the code signing reduces the
> risk of tampering or corrupt files.  It also reduces false complaints
> by some anti-virus products.  The recommended compiler options help
> reduce the explotability of security vulnerabilities, especially of
> the kind products run into reading binary file formats.  More info on
> these options are here:
>
>
> http://blogs.msdn.com/b/vcblog/archive/2009/05/21/dynamicbase-and-nxcompat.aspx
>
> Did OpenOffice.org ever try for logo certification from Microsoft
> before?  If so, what was the experience?
>
> I think it might be worth trying for this with AOO,  It would takes
> some work, but in the end we would have better platform integration,
> and a better user and admin experience.
>
> -Rob
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message