Version 2 (modified by Samuli Seppänen, 6 years ago) (diff)

Add some notes regarding codesigning


The build instructions for tap-windows6 are available in it's Git repo. This page contains additional information that is more generic and not really suitable for inclusion in the main documentation.


Getting the Authenticode signatures right so that all Windows versions detect them can be quite tricky. This seems to be particularly true for kernel-mode driver packages. This section contains miscellaneous notes about signing driver packages.

Working with certificates and signatures in Powershell

To install a PFX files to the CurrentUser? certificate store:

Import-PfxCertificate –FilePath <path-to-pfx> cert:\CurrentUser\My -Password (ConvertTo-SecureString -String "mypassword" -Force –AsPlainText)

To verify the Authenticode signature of a file:

Get-AuthenticodeSignature <path-to-file>

Note that even if the above command says that the file's certificate is valid, there is absolutely no guarantee that various Windows versions will accept it. It is unclear whether the Cmdlet checks the entire certificate path or not: it does hang for long periods of time occasionally doing something.

Using Signtool.exe

Verifying the signature of a driver package using Signtool.exe:

signtool verify /v /kp /c tap901.sys

This command should produce more useful results than the Get-AuthenticodeSignature? Cmdlet.