There are so many items in the Windows 8 certification list, I try to go through it and find that there is maybe about 43 TODO items for us to do the certification. Most of the TODO items are just a verification jobs, but some code change jobs maybe are need to do for the sections 4.1,5.1, 9.1, 10.2,11.7. I have try to verify some items, the result be marked at green. Herbert1 also go through the list, I put his result at the end of each section.
Items which maybe need to change some codes ------------------------------------------------ 4.1 Your app must handle critical shutdowns appropriately In a critical shutdown, apps that return FALSE to WM_QUERYENDSESSION will be sent WM_ENDSESSION and closed, while those that time out in response to WM_QUERYENDSESSION will be terminated. . 5.1 Your app must properly implement a clean, reversible installation If the installation fails, the app should be able to roll it back and restore the machine to its previous state. 9.1 Your app must have a manifest that defines execution levels and tells the operating system what privileges the app requires in order to run The app manifest marking only applies to EXEs, not DLLs. This is because UAC does not inspect DLLs during process creation. It is also worth noting that UAC rules do not apply to Windows Services. The manifest can be either embedded or external. To create a manifest, create a file with the name <app_name>.exe.manifest and store it in the same directory as the EXE. Note that any external manifest is ignored if the app has an internal manifest. For example: <requestedExecutionLevel level=""asInvoker | highestAvailable | requireAdministrator"" uiAccess=""true|false""/> 10.2 Your app must avoid starting automatically on startup For example, your app should not set any of the following; Registry run keys HKLM and, or HKCU under Software\Microsoft\Windows\CurrentVersion Registry run keys HKLM, and or HKCU under Software\Wow6432Node\Microsoft\windows\CurrentVersion Start Menu AllPrograms > STARTUP 11.7 Your app must check other terminal service (TS) sessions for existing instances of the app Note: If an app does not support multiple user sessions or remote access, it must clearly state this when launched from this kind of session. ------------------------------------------------------------------------------------------ Full TODO items. 1. Apps are compatible and resilient 1.1 Your app must not take a dependency on Windows compatibility modes, AppHelp message, and or any other compatibility fixes TODO 1.1 : Need verification , don't depend. 1.2 Your app must not take a dependency on the VB6 runtime TODO 1.2 : Need verification , don't depend. 1.3 Your app must not load arbitrary DLLs to intercept Win32 API calls using HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows AppInit_dlls. TODO 1.3 : Need verification , don't load. Herbert1: Win8 Cert Section 1 : ok 2. Apps must adhere to Windows Security Best Practices 2.1 Your app must use strong and appropriate ACLs to secure executable files TODO 2.1 : Need verification 2.2 Your app must use strong and appropriate ACLs to secure directories TODO 2.2 : Need verification 2.3 Your app must use strong and appropriate ACLs to secure registry keys TODO 2.3 : Need verification 2.4 Your app must use strong and appropriate ACLs to secure directories that contain objects TODO 2.4 : Need verification 2.5 Your app must reduce non-administrator access to services that are vulnerable to tampering TODO 2.5 : Need verification 2.6 Your app must prevent services with fast restarts from restarting more than twice every 24 hours TODO 2.6 : Need verification Herbert1: Win8 Cert Section 2 : if the MSI based installer does it it is fine,we are using nsis-2.46 for building the MSI package but Windows itself does the installation of the MSI packages 3. Apps support Windows security features 3.1 Your app must not use AllowPartiallyTrustedCallersAttribute (APTCA) to ensure secure access to strong-named assemblies TODO 3.1 : Need verification, 3.2 Your app must be compiled using the /SafeSEH flag to ensure safe exceptions handling TODO 3.2 : Need verification, we use it 3.3 Your app must be compiled using the /NXCOMPAT flag to prevent data execution TODO 3.3 : Need verification, we use it 3.4 Your app must be compiled using the /DYNAMICBASE flag for address space layout randomization (ASLR) TODO 3.4 : Need verification, we use it 3.5 Your app must not Read/Write Shared PE Sections TODO 3.5 : Need verification, Herbert1: Win8 Cert Section 3 : we are running with SafeSEH, NXCOMPAT, DYNAMICBASE, but the libraries we ship have to be modified to use these flags too,I'm almost certain that we don't use APTCA,I'm not so sure about the RW PW Sections, but I guess we do not have any. 4. Apps must adhere to system restart manager messages 4.1 Your app must handle critical shutdowns appropriately TODO 4.1 : Need verification, 4.2 A GUI app must return TRUE immediately in preparation for a restart TODO 4.2 : Need verification, we do 4.3 Your app must return 0 within 30 seconds and shut down TODO 4.3 : Need verification,we do Herbert1: Win8 Cert Section 4 : WM_QUERYENDSESSION needs to be implemented,these new messages are currently ignored 5. Apps must support a clean, reversible installation 5.1 Your app must properly implement a clean, reversible installation TODO 5.1 : Need verification, 5.2 Your app must never force the user to restart the computer immediately TODO 5.2 : Need verification,we never 5.3 Your app must never be dependent on 8.3 short file names (SFN) TODO 5.3 : Need verification,we never 5.4 Your app must never block silent install/uninstall TODO 5.4 : Need verification, 5.5 Your app installer must create the correct registry entries to allow successful detection and uninstalls TODO 5.5 : Need verification, Herbert1: Win8 Cert Section 5: making sure that the registry entries and files are restored is difficult 6. Apps must digitally sign files and drivers 6.1 All executable files (.exe, .dll, .ocx, .sys, .cpl, .drv, .scr) must be signed with an Authenticode certificate TODO 6.1:Need to do digitally sign Herbert1: Win8 Cert Section 6: Having authentication credentials would be good even if don't pursue Win8 shop certification 7. Apps don’t block installation or app launch based on an operating system version check 7.1 Your app must not perform version checks for equality TODO 7.1 : Need verification, Herbert1: Win8 Cert Section 7: We are doing win-version checks, but I'm almost certain that it is not a check for equality. Needs to be checked though. 8. Apps don’t load services or drivers in safe mode TODO 8 : Need verification, we don't 9. Apps must follow User Account Control guidelines 9.1 Your app must have a manifest that defines execution levels and tells the operating system what privileges the app requires in order to run TODO 9.1 : Need verification, 9.2 Your app’s main process must be run as a standard user (asInvoker). TODO 9.2 : Need verification, 10. Apps must install to the correct folders by default 10.1 Your app must be installed in the Program Files folder by default TODO 10.1: Need verification,we do 10.2 Your app must avoid starting automatically on startup TODO 10.2: Need verification, the quick start is a issue 10.3 Your app data, which must be shared among users on the computer, should be stored within ProgramData TODO 10.3: Need verification,we do 10.4 Your app’s data that is exclusive to a specific user and that is not to be shared with other users of the computer, must be stored in Users\<username>\AppData TODO 10.4: Need verification,we do 10.5 Your app must never write directly to the "Windows" directory and or subdirectories TODO 10.5: Need verification,we never 10.6 Your app must write user data at first run and not during the installation in “per-machine” installations TODO 10.6: Need verification,we do 11. Apps must support multi-user sessions 11.1 Your app must ensure that when running in multiple sessions either locally or remotely, the normal functionality of the app is not adversely affected TODO 11.1: Need verification, 11.2 Your app’s settings and data files must not persist across users TODO 11.2: Need verification, 11.3 A user’s privacy and preferences must be isolated to the user’s session TODO 11.3: Need verification, 11.4 Your app’s instances must be isolated from each other TODO 11.4: Need verification, 11.5 Apps that are installed for multiple users must store data in the correct folder(s) and registry locations Refer to the UAC requirements. TODO 11.5: Need verification, 11.6 User apps must be able to run in multiple user sessions (Fast User Switching) for both local and remote access TODO 11.6: Need verification, 11.7 Your app must check other terminal service (TS) sessions for existing instances of the app TODO 11.7: Need verification, Herbert1: Win8 Cert Section 11.7: we need to rearchitect our IPC to TS session management 12. Apps must support x64 versions of Windows 12.1 Your app must natively support 64-bit or, at a minimum, 32-bit Windows-based apps must run seamlessly on 64-bit systems to maintain compatibility with 64-bit versions of Windows TODO 12.1: Need verification, AOO can be run on 64-bit system 12.2 Your app and its installers must not contain any 16-bit code or rely on any 16-bit component TODO 12.2: Need verification, AOO not contain 16-bit code 12.3 Your app’s setup must detect and install the proper drivers and components for the 64-bit architecture TODO 12.3: Need verification, 2012/6/7 Rob Weir <[email protected]> > I installed the Windows 8 Tech Preview (32-bit) today on a virtual > server. After a few minutes to figure out the new platform UI I > installed AOO 3.4. Install went without problems and it appears to > run fine. > > Of course, there is more that we could do to be a well-integrated > Windows desktop application. The best practices are outlined here: > http://msdn.microsoft.com/library/windows/desktop/hh749939 > > A lot of this is goodness that would help users on Windows 7 and > earlier versions as well. For example, the code signing reduces the > risk of tampering or corrupt files. It also reduces false complaints > by some anti-virus products. The recommended compiler options help > reduce the explotability of security vulnerabilities, especially of > the kind products run into reading binary file formats. More info on > these options are here: > > > http://blogs.msdn.com/b/vcblog/archive/2009/05/21/dynamicbase-and-nxcompat.aspx > > Did OpenOffice.org ever try for logo certification from Microsoft > before? If so, what was the experience? > > I think it might be worth trying for this with AOO, It would takes > some work, but in the end we would have better platform integration, > and a better user and admin experience. > > -Rob >
