
installer: Add code signing certificate before installing the driver

Open rozmansi opened this issue 6 years ago • 8 comments

This avoids prompts on Windows 7 (with KB2921916 applied), 8, 8.1, Server 2008R2, 2012R2. Note there is no prompt on Windows 10 and Server 2016 and 2019 already as the driver for Win10 is Microsoft signed.

rozmansi avatar Nov 10 '19 10:11 rozmansi

I'll test this on the Windows 10 ARM64 laptop when I get back home. As discussed in the hackathon I'll create a new combined tap-windows6 installer based on the latest signed tap-windows6 drivers to get the benefits immediately.

mattock avatar Nov 10 '19 13:11 mattock

Hi rozmansi, mattock

Could you confirm on any Win7 machine whether such a cert is installed or the reg entry is created once the user opts for the "Always trust ... publisher" checkbox? In my case, I do not see any impact of the reg entry created/cert installation for trusted publisher (tried in both stores) prompt.

Thanks

agrawalamit2005 avatar Nov 12 '19 10:11 agrawalamit2005

@agrawalamit2005 are you saying that even if you have clicked "Trust this publisher" you get the same prompt when you install/upgrade tap-windows6 again?

mattock avatar Nov 12 '19 15:11 mattock

@mattock I have not tried on tap-windows6 yet. Please read my comment more as a question on the approach used to avoid the Trust prompt. With another driver, I noticed a similar prompt, but I do not see any entry created in the registry at the Trusted Publisher place. Have you seen this entry?

agrawalamit2005 avatar Nov 13 '19 05:11 agrawalamit2005

> This avoids prompts on Windows 7 (with KB2921916 applied)

Windows 7 really really really needs the KB2921916 for their driver install prompt to work correctly with SHA-256 driver signatures.

Windows 7 without KB2921916 will keep prompting - regardless of what certificate we import and regardless how many times you tick that "Don't prompt again for this publisher" checkbox.

> Could you confirm on any Win7 machine whether such a cert is installed or the reg entry is created once the user opts for the "Always trust ... publisher" checkbox? In my case, I do not see any impact of the reg entry created/cert installation for trusted publisher (tried in both stores) prompt.

Yes, I can confirm this works without a prompt on Windows 7 with KB2921916. I tested it personally. I have tested it again once and for all - this time recording:

  1. Installing on a Win7 without KB2921916: https://1drv.ms/u/s!AsRKV9itoeUTiz4NspnipAuziWuE?e=xcNHAm
  2. Reverting to the snapshot before TAP-Windows6 was installed.
  3. Installing KB2921916: https://1drv.ms/u/s!AsRKV9itoeUTiz-ESCzDlYsXvd_S?e=C5jsGW
  4. Rebooting
  5. Installing TAP-Windows6 again: https://1drv.ms/u/s!AsRKV9itoeUTi0Aa9cJ-wfKKMs6G?e=u8dZRE

rozmansi avatar Nov 13 '19 11:11 rozmansi
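
The conditions discussed in this thread can be checked on a test machine with the following added example, which is not code from the PR: it reports whether the OS is older than Windows 10, whether KB2921916 is listed, and whether the driver catalog's signer certificate is present in the Trusted Publishers stores or the registry key backing the machine store. The function name and the catalog path are assumptions; it sticks to PowerShell 2.0 syntax so it runs on a stock Windows 7.

```powershell
# Added example, not code from the PR. The function name is hypothetical and
# -CatalogPath must point at the driver package's signed .cat file.
function Test-DriverPromptPrecondition {
    param([Parameter(Mandatory=$true)] [string] $CatalogPath)

    if (-not (Test-Path -LiteralPath $CatalogPath)) {
        throw "Catalog file not found: $CatalogPath"
    }
    $os = [Environment]::OSVersion.Version

    # KB2921916 only matters on NT 6.1 (Windows 7 / Server 2008 R2).
    $kbListed = $null
    if ($os.Major -eq 6 -and $os.Minor -eq 1) {
        $kbListed = [bool](Get-HotFix -Id 'KB2921916' -ErrorAction SilentlyContinue)
    }

    # Signer of the driver catalog: the certificate that would have to be
    # present in Trusted Publishers for a silent install.
    $sig   = Get-AuthenticodeSignature -FilePath $CatalogPath
    $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint }

    # Check both stores mentioned in the thread, plus the registry key that
    # backs the local machine store.
    $inMachine = $false; $inUser = $false; $inRegistry = $false
    if ($thumb) {
        $inMachine  = Test-Path "Cert:\LocalMachine\TrustedPublisher\$thumb"
        $inUser     = Test-Path "Cert:\CurrentUser\TrustedPublisher\$thumb"
        $inRegistry = Test-Path ("HKLM:\SOFTWARE\Microsoft\SystemCertificates\" +
                                 "TrustedPublisher\Certificates\$thumb")
    }

    New-Object PSObject -Property @{
        OSVersion            = $os.ToString()
        OlderThanWindows10   = ($os.Major -lt 10)
        KB2921916Listed      = $kbListed      # $null when not applicable
        SignatureStatus      = $sig.Status
        SignerSubject        = $sig.SignerCertificate.Subject
        SignerThumbprint     = $thumb
        InMachineStore       = $inMachine
        InUserStore          = $inUser
        InMachineRegistryKey = $inRegistry
    }
}

# Usage (constructed placeholder path, replace with the real catalog file):
#   Test-DriverPromptPrecondition -CatalogPath 'C:\path\to\driver.cat' | Format-List
```

Running it before and after the installer, or before and after ticking the trust checkbox, shows whether a Trusted Publishers entry was actually created.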

Thanks for the prompt response. It really boosts confidence. I have no more comments to hold this PR. Another query I have is how you are downloading KB2921916. Microsoft has stopped distributing it. Is any side-loading installer of the KB available to try at my end?

THANKS Amit


agrawalamit2005 avatar Nov 13 '19 14:11 agrawalamit2005

I have downloaded the KB2921916 for testing purposes here:

  • x86: http://thehotfixshare.net/board/index.php?autocom=downloads&showfile=18883
  • x64: http://thehotfixshare.net/board/index.php?autocom=downloads&showfile=18882

I am not sure if OpenVPN community is legally entitled to host the download. At least not without double-checking the license that was included with the original download at Microsoft Download Server (no longer available).

Without a license, I don't believe we are legally entitled to include it in our TAP-Windows6 installer and deploy it.

rozmansi avatar Nov 14 '19 05:11 rozmansi

One thing, I probably should mention explicitly... This PR includes #99, since it reuses its logic to detect if Windows version is <10.

rozmansi avatar Nov 14 '19 05:11 rozmansi