= Introduction =

The build instructions for tap-windows6 [https://github.com/OpenVPN/tap-windows6/blob/master/README.rst are available] in its Git repo. This page contains additional information that is more generic and not really suitable for inclusion in the main documentation.

= Codesigning =

Getting the [https://msdn.microsoft.com/en-us/library/windows/hardware/ff686697%28v=vs.85%29.aspx Authenticode signatures] right so that all Windows versions detect them can be quite tricky. This seems to be particularly true for kernel-mode driver packages. This section contains miscellaneous notes about signing driver packages.

== Installing certificates ==

Installing a PFX file to the CurrentUser certificate store using PowerShell:

{{{
Import-PfxCertificate -FilePath <pfx-file> -CertStoreLocation cert:\CurrentUser\My -Password (ConvertTo-SecureString -String "<pfx-password>" -Force -AsPlainText)
}}}

If you're not accustomed to PowerShell you can just use ''mmc.exe'' and the certificate snap-ins to install the certificate.

== Querying the certificate store ==

To list all certificates in the ''CurrentUser\My'' store using PowerShell:

{{{
Get-ChildItem cert:\CurrentUser\My
}}}

Or alternatively:

{{{
Set-Location cert:\CurrentUser\My
dir
}}}

The ''dir'' command is just an alias for ''Get-!ChildItem''.

== Creating catalog files with inf2cat ==

To create a catalog file for a 32-bit driver:

{{{
Inf2Cat.exe /driver:<driver-directory> /os:Vista_x86,Server2008_X86,7_X86
}}}

To create a catalog file for a 64-bit driver:

{{{
Inf2Cat.exe /driver:<driver-directory> /os:Vista_X64,Server2008_X64,Server2008R2_X64,7_X64
}}}

Example:

{{{
Inf2Cat.exe /driver:C:\Users\John\tap6\amd64 /os:Vista_X64,Server2008_X64,Server2008R2_X64,7_X64
}}}

'''NOTE:''' According to Microsoft, Inf2Cat requires a full path to the driver directory.

== Signing files with signtool.exe ==

Sign a file using a (non-EV) certificate stored in a PFX file.
Note that this process is not suitable for EV certificates, which are probably all stored in some sort of dongle and thus only visible through the Windows Certificate Store:

{{{
signtool.exe sign /v /ac <cross-certificate> /t <timestamp-url> /f <pfx-file> /p <pfx-password> <file-to-sign>
}}}

Sign a driver with the "best" certificate found from the certificate store. This should work if there is only one code-signing certificate in the store:

{{{
signtool.exe sign /v /ac <cross-certificate> /t <timestamp-url> /a <file-to-sign>
}}}

Sign a driver using a certificate under ''CurrentUser\My'', selecting the right certificate based on a substring of the certificate's subject name:

{{{
signtool.exe sign /v /ac <cross-certificate> /t <timestamp-url> /s My /n <subject-name-substring> <file-to-sign>
}}}

Examples:

{{{
signtool.exe sign /v /ac digicert-cross-cert.crt /t http://timestamp.digicert.com /f kernel-mode.pfx /p <pfx-password> tap6/amd64/tap0901.cat
signtool.exe sign /v /ac digicert-cross-cert.crt /t http://timestamp.digicert.com /s My /n <subject-name-substring> tap6/amd64/tap0901.cat
}}}

== Validating signatures ==

Verifying the Authenticode signature of a file using PowerShell:

{{{
Get-AuthenticodeSignature <file>
}}}

Note that even if the above command says that the file's certificate is valid, there is absolutely no guarantee that various Windows versions will accept it. It is unclear whether the Cmdlet checks the entire certificate path or not: it does occasionally hang for long periods of time doing ''something''.
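
The following is an added example, not part of the original notes: it reads the Get-!AuthenticodeSignature result for each file and then builds the signer certificate's path explicitly with .NET's X509Chain, so every element of the path and its status is visible. The function name Test-DriverSignature and the paths in the usage comment are assumptions.

```powershell
# Added example: report Authenticode status and the certificate path per file.
# Test-DriverSignature is a hypothetical helper name; the paths in the usage
# comment at the bottom are placeholders for your own driver package.
function Test-DriverSignature {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        # Online revocation checking needs network access and can be slow.
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode = 'Online'
    )
    foreach ($file in $Path) {
        $sig = Get-AuthenticodeSignature -FilePath $file
        $result = [ordered]@{
            File        = $file
            Status      = $sig.Status
            Signer      = $null
            NotAfter    = $null
            Timestamped = [bool]$sig.TimeStamperCertificate
            ChainOk     = $false
            Chain       = @()
        }
        if ($sig.SignerCertificate) {
            $result.Signer   = $sig.SignerCertificate.Subject
            $result.NotAfter = $sig.SignerCertificate.NotAfter
            # Build the path explicitly instead of relying on the cmdlet's verdict.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = $RevocationMode
            $chain.ChainPolicy.RevocationFlag = 'EntireChain'
            $result.ChainOk = $chain.Build($sig.SignerCertificate)
            # One line per path element: subject plus any status flags it carries.
            $result.Chain = @(foreach ($element in $chain.ChainElements) {
                $problems = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
                if (-not $problems) { $problems = 'NoError' }
                '{0} [{1}]' -f $element.Certificate.Subject, $problems
            })
            $chain.Reset()
        }
        [pscustomobject]$result
    }
}

# Usage (placeholder paths):
# Test-DriverSignature -Path .\tap6\amd64\tap0901.cat, .\tap6\amd64\tap0901.sys | Format-List
```

The path is built against the current user's trust stores at the current time; it does not apply the kernel-mode signing policy that ''signtool.exe verify /kp'' checks.
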
Using signtool.exe to verify a driver's signature probably gives more reliable results than the Get-!AuthenticodeSignature Cmdlet:

{{{
signtool.exe verify /v /kp /c <catalog-file>.cat <driver-file>.sys
}}}

== External links ==

'''General information'''

 * [http://www.osr.com/blog/2015/07/24/questions-answers-windows-10-driver-signing/ Questions and Answers: Windows 10 Driver Signing]
 * [http://www.davidegrayson.com/signing/ Practical Windows Code and Driver Signing]
 * [https://msdn.microsoft.com/en-us/library/windows/hardware/ff686697%28v=vs.85%29.aspx Authenticode Digital Signatures]
 * [https://msdn.microsoft.com/en-us/library/windows/hardware/dn170454%28v=vs.85%29.aspx Cross-Certificates for Kernel Mode Code Signing]

'''Practical guides'''

 * [https://technet.microsoft.com/en-us/library/dd919238%28v=ws.10%29.aspx Steps for Signing a Device Driver Package]
 * [https://github.com/pbatard/libwdi/wiki/Signed-Driver-Walkthrough Signed Driver Walkthrough]

'''References'''

 * [https://msdn.microsoft.com/en-us/library/windows/hardware/ff553618%28v=vs.85%29.aspx Inf2Cat]
 * [https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764%28v=vs.85%29.aspx Signtool]
 * [https://technet.microsoft.com/en-us/library/hh849805.aspx Get-AuthenticodeSignature]
 * [https://technet.microsoft.com/en-us/library/hh848625.aspx Import-PfxCertificate]