Version 6 (modified by 8 years ago) (diff) | ,
---|
Introduction
This page shows the test procedures for tap-windows6 authenticode signatures, with a particular focus the signatures done with the new EV SHA2 codesigning certificate.
Note that the driver will not work on Windows XP or Windows Server 2003, because the operating systems do not support the NDIS6 interface required by tap-windows6.
Drivers
tap6-ev-signed
This driver package has one Authenticode signature done with an Digicert EV SHA2 certificate, and DigiCert High Assurance EV Root CA (from here) was used as the cross-certificate. These following two files files contain a tap-windows6 driver (tap6-ev-signed) that has been signed using an EV SHA2 code-signing certificate:
Note that the tap0901.sys file is not signed in this driver package - only tap0901.cat is.
tap6-dual-sha1-sha2ev
This driver contains two signatures:
- Primary: non-EV SHA1 signature + Digicert SHA1 timestamp + DigiCert Assured ID Root CA (cross-certificate)
- Secondary: EV SHA2 signature + Digicert SHA2 timestamp + DigiCert High Assurance EV Root CA (cross-certificate)
Note that the tap0901.sys file is signed in this driver package. In practice that does not seem to have any benefits.
Download links here:
Testing the drivers
The process for testing the driver is as follows:
- Extract the driver package
- Remove previously installed driver (if present)
- Install the new driver
- If installation fails, install all Windows updates (if possible) and retry
- Report your finds to samuli at openvpn dot net and optionally update the test matrix at the bottom of the table
More fine-grained instructions below.
Prepaparations
All recent versions of Windows have zip support built in. The tar.gz file can be extracted with Git Bash, for example. Once you've extracted the package, launch command prompth (cmd.exe) or a Powershell session with administrator privileges. Then go to the driver directory:
cd tap6-ev-signed\amd64
If you're using a 32-bit OS replace "amd64" with "i386".
Next check if a conflicting tap-windows drivers is installed:
.\tapinstall.exe hwids tap0901 ROOT\NET\0000 Name: Tap-Windows Adapter V9 Hardware IDs: tap0901 1 matching device(s) found.
In this case there was.
Removing an existing driver
If tap-windows6 driver was installed, you need to remove it:
.\tapinstall.exe remove tap0901 ROOT\NET\0000: : Removed 1 devices(s) were removed.
You can verify the removal using ".\tapinstall.exe hwids tap0901" as shown above.
Installing the new driver
Once the old driver (if any) is gone, you can install the new tap-windows6 driver:
.\tapinstall.exe install OemVista.inf tap0901
The above commands attempt to install the driver, and if Windows has any problems verifying the driver's publisher, it will complain about "Unknown publisher". In that case there is something wrong with the catalog file's (tap0901.cat) signature which needs to be fixed.
Reporting results
Both positive (e.g. "Loads fine on Windows 7 32-bit") and negative ("Fails on Windows 10 64-bit") reports are much appreciated. The test results are published in the test result table below.
Test results
tap-ev-signed
Operating system | Bitness | Installs? | Works? | All updates installed? | Errors | Tester |
Windows Vista | 32 | Yes | Yes | No | Publisher not detected at install | selva |
Windows Vista | 64 | - | - | - | - | - |
Windows 7 (pro) | 64 | Yes | Yes | Yes | - | mattock |
Windows Server 2008 | 64 | Yes | No | No | See note 1, below | selva |
Windows 10 | 64 | Yes | Yes | No | - | selva |
Windows 10 | ? | No | ? | ? | ? | raidz |
Windows Server 2012r2 | 64 | Yes | Yes | Yes | - | mattock |
Notes:
- Cannot enable the tap adapter. Error message: "The TAP-Windows Adapter V9 service failed to start due to the following error: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source."
tap6-dual-sha1-sha2ev
Operating system | Bitness | Installs? | Works? | All updates installed? | Errors | Tester |
Windows 7 (pro) | 64 | Yes | Yes | Yes | - | mattock |