= Introduction = In the [wiki:LvivHackathon2018 Lviv hackathon] the we agreed on the following things: * OpenVPN 2.5 Windows installer should be MSI-based * We won't provide NSIS installers for 2.5 unless there are major issues in the MSI * The installer should include OpenVPN, OpenVPNService, tap-windows6 etc. each as separate MSI feature * People who want to install just tap-windows6 can disable the OpenVPN features * We should not try to embed MSI installers into MSI installers due to lack of good documentation * Each installation architecture/target will get its own MSI installer * We should bundle all the MSI installer into a thin wrapper executable, such as a self-extracting p7zip archive with a script hook that detect which MSI to launch * The individual MSI files should also be made available for more technical users as well as system administrators * The custom action DLL used in the tap-windows6 MSI installation logic could be included in openvpn.git, so that openvpn-build could easily build and sign it, just as is done with openvpn.exe and openvpnserv.exe. Having it in tap-windows6 repository would make signing that DLL slightly more problematic, as we don't really sign anything with the tap-windows6 buildsystem anymore. * The MSI (WiX) code can be placed into a subdirectory in openvpn-build Git repository alongside "generic", "msvc" and "windows-nsis". The MSI should consume the artefacts that the openvpn-build cross-compile process produces. * The documentation and instructions on how to deploy, transform, or parameterize MSI packages should be published on Wiki and/or in the openvpn-build readme. * The documentation and instructions for developers on components, their functions and relationship should be published on Wiki and/or in the openvpn-build readme. = Installer targets = There are several "targets" for the installer. We not only have the architecture split (i386, x64, amd64), but also different types of kernel-mode signatures for tap-windows6: ||'''Operating system'''||'''KM signature''' ||'''i386'''||'''x64'''||'''arm64'''|| ||Windows 7/8 ||Cross-signed || X || X || || ||Windows 10 ||Attestation-signed![1]|| X || X || X || ||Windows Server 2012r2 ||Cross-signed || || X || || ||Windows Server 2016 ||WHQL-certified || || X || || ||Windows Server 2019 ||WHQL-certified || || X || || So we have the following architecture-signature combinations for tap-windows6: 1. i386/x64 cross-signed 1. i386/x64/arm64 attestation signed 1. x64 WHQL certified The user-mode signatures for openvpn.exe, openvpnserv.exe etc. can be created with standard, non-EV authenticode keys on all platforms. = Notes = ![1] The requirement for attestation signatures in kernel-mode code came into Windows 10 quite early. It is not know if really old Windows 10 version can load attestation-signed drivers, but that seems likely. Even if they don't we may not want to support those