NYM-915: Used signed Split Tunnel Driver. (#5053)

* NYM-915: Continue Microsoft signing of ST Driver.

- Adjust structure of the `.cab` file so the driver files are not in the
  root of the archive.

* Fix Sign CAB input path.

* More work on `.cab` internal structure.

* Yes more `.cab` file structure shinanigans.

* Use the signed driver files.

Author: trojanfoe

.github/workflows/build-nym-vpn-core-windows.yml

@@ -19,7 +19,7 @@ env:
   CARGO_TERM_COLOR: always
   LIBS_PATH: build/lib/x86_64-pc-windows-msvc
   WINFW_PATH: build/winfw/x64-Release
-  STDRIVER_PATH: build/st-driver/x64-Release
+  STDRIVER_PATH: nym-vpn-windows/split-tunnel-driver/signed
   WINTUN_DIST_DIR: wintun-dist
   UPLOAD_DIR_WINDOWS: windows_artifacts
 
@@ -30,13 +30,9 @@ jobs:
   build-winfw-windows:
     uses: ./.github/workflows/build-winfw-windows.yml
 
-  build-st-driver-windows:
-    uses: ./.github/workflows/build-st-driver-windows.yml
-
   build-windows:
     if: github.actor != 'dependabot[bot]'
-    needs:
-      [build-wireguard-go-windows, build-winfw-windows, build-st-driver-windows]
+    needs: [build-wireguard-go-windows, build-winfw-windows]
     runs-on: custom-windows-11
     outputs:
       UPLOAD_DIR_WINDOWS: ${{ env.UPLOAD_DIR_WINDOWS }}
@@ -94,12 +90,6 @@ jobs:
           name: winfw
           path: ${{ env.WINFW_PATH }}
 
-      - name: Download st-driver artifacts
-        uses: actions/download-artifact@v8
-        with:
-          name: st-driver
-          path: ${{ env.STDRIVER_PATH }}
-
       - name: Download wintun
         shell: vsdevenv x64 pwsh {0}
         working-directory: nym-vpn-core

.github/workflows/sign-st-driver-windows.yml

@@ -54,11 +54,12 @@ jobs:
           $lines = @(
             '.OPTION EXPLICIT',
             '.Set CabinetNameTemplate=nymvpn-split-tunnel.cab',
-            '.Set DiskDirectoryTemplate=.',
+            '.Set DiskDirectory1=.',
             '.Set CompressionType=MSZIP',
-            '"st-driver\nymvpn-split-tunnel.sys"',
-            '"st-driver\nymvpn-split-tunnel.cat"',
-            '"st-driver\nymvpn-split-tunnel.inf"'
+            '.Set DestinationDir=driver',
+            '"st-driver\nymvpn-split-tunnel.sys" "nymvpn-split-tunnel.sys"',
+            '"st-driver\nymvpn-split-tunnel.cat" "nymvpn-split-tunnel.cat"',
+            '"st-driver\nymvpn-split-tunnel.inf" "nymvpn-split-tunnel.inf"'
           )
           $lines | Set-Content -Path nymvpn-split-tunnel.ddf
           makecab /F nymvpn-split-tunnel.ddf
@@ -89,7 +90,7 @@ jobs:
             -password="$SSL_COM_PASSWORD" \
             -totp_secret="$SSL_COM_TOTP_SECRET" \
             -credential_id="$SSL_COM_CREDENTIAL_ID" \
-            -input_file_path=nymvpn-split-tunnel.cab \
+            -input_file_path="nymvpn-split-tunnel.cab" \
             -output_dir_path=signed
 
       - name: Move things around to prepare for upload

nym-vpn-app/src-tauri/scripts/sign.sh

@@ -1,9 +1,5 @@
 #!/bin/bash
 #
-# This custom code signing script is used to sign more than just the Tauri app (NymVPN.exe),
-# but when it is used to sign that, it will also sign the daemon and the split-tunnel driver
-# artifacts, ready for bundling.
-#
 # This assumes the cwd is src-tauri/.
 #
 
@@ -38,15 +34,6 @@ function sign {
 	fi
 }
 
-exe=$1
-
-# If we are signing the Tauri app, then also sign the daemon and split-tunnel driver.
-if [[ "$exe" == *NymVPN.exe ]]; then
-	for additonal in "nym-vpnd.exe" "nymvpn-split-tunnel.sys" "nymvpn-split-tunnel.cat"; do
-		sign "$additonal"
-	done
-fi
-
-sign "$exe"
+sign "$1"
 
 exit 0

nym-vpn-windows/split-tunnel-driver/signed/nymvpn-split-tunnel.cat

@@ -0,0 +1,67 @@
+;
+; nymvpn-split-tunnel.inf
+;
+
+[Version]
+Signature="$WINDOWS NT$"
+Class=WFPCALLOUTS
+ClassGuid={57465043-616C-6C6F-7574-5F636C617373}
+Provider=%ManufacturerName%
+CatalogFile=nymvpn-split-tunnel.cat
+PnpLockdown=1
+DriverVer = 04/07/2026,14.22.37.860
+
+[DestinationDirs]
+DefaultDestDir = 12
+
+; ================= Class section =====================
+
+[ClassInstall32]
+AddReg=SplitTunnelClassReg
+
+[SplitTunnelClassReg]
+HKR,,,0,%ClassName%
+HKR,,Icon,,-5
+
+[SourceDisksNames]
+1 = %DiskName%,,,""
+
+[SourceDisksFiles]
+nymvpn-split-tunnel.sys  = 1,,
+
+;*****************************************
+; Install Section
+;*****************************************
+
+[Manufacturer]
+%ManufacturerName%=Standard,NTamd64.10.0
+
+[Standard.NTamd64.10.0]
+%nymvpn-split-tunnel.DeviceDesc%=nymvpn-split-tunnel_Device, Root\nymvpn-split-tunnel
+
+[nymvpn-split-tunnel_Device.NT]
+CopyFiles=Drivers_Dir
+
+[Drivers_Dir]
+nymvpn-split-tunnel.sys
+
+;-------------- Service installation
+[nymvpn-split-tunnel_Device.NT.Services]
+AddService = nymvpn-split-tunnel,%SPSVCINST_ASSOCSERVICE%, nymvpn-split-tunnel_Service_Inst
+
+; -------------- nymvpn-split-tunnel driver install sections
+[nymvpn-split-tunnel_Service_Inst]
+DisplayName    = %nymvpn-split-tunnel.SVCDESC%
+ServiceType    = 1               ; SERVICE_KERNEL_DRIVER
+StartType      = 3               ; SERVICE_DEMAND_START
+ErrorControl   = 1               ; SERVICE_ERROR_NORMAL
+ServiceBinary  = %12%\nymvpn-split-tunnel.sys
+
+[Strings]
+SPSVCINST_ASSOCSERVICE= 0x00000002
+ManufacturerName="Nym Technologies SA"
+ClassName="Nym VPN Split Tunnel"
+DiskName = "Nym VPN Split Tunnel Installation Disk"
+nymvpn-split-tunnel.DeviceDesc = "Nym VPN Split Tunnel Device"
+nymvpn-split-tunnel.SVCDESC = "Nym VPN Split Tunnel Service"
+