| Version 11 (modified by , 6 years ago) (diff) |
|---|
Introduction
In the Lviv hackathon the we agreed on the following things:
- OpenVPN 2.5 Windows installer should be MSI-based
- We won't provide NSIS installers for 2.5 unless there are major issues in the MSI
- The installer should include OpenVPN, OpenVPNService, tap-windows6 etc. each as separate MSI feature
- People who want to install just tap-windows6 can disable the OpenVPN features
- We should not try to embed MSI installers into MSI installers due to lack of good documentation
- Each installation architecture/target will get its own MSI installer
- We should bundle all the MSI installer into a thin wrapper executable, such as a self-extracting p7zip archive with a script hook that detect which MSI to launch
- The individual MSI files should also be made available for more technical users as well as system administrators
- The custom action DLL used in the tap-windows6 MSI installation logic could be included in openvpn.git, so that openvpn-build could easily build and sign it, just as is done with openvpn.exe and openvpnserv.exe. Having it in tap-windows6 repository would make signing that DLL slightly more problematic, as we don't really sign anything with the tap-windows6 buildsystem anymore.
- The MSI (WiX) code can be placed into a subdirectory in openvpn-build Git repository alongside "generic", "msvc" and "windows-nsis". The MSI should consume the artefacts that the openvpn-build cross-compile process produces.
- The documentation and instructions on how to deploy, transform, or parameterize MSI packages should be published on Wiki and/or in the openvpn-build readme.
- MSI packages creation and usage should be documented properly
Installer targets
There are several "targets" for the installer. We not only have the architecture split (i386, x64, amd64), but also different types of kernel-mode signatures for tap-windows6:
| Operating system | KM signature | i386 | x64 | arm64 |
| Windows 7/8 | Cross-signed | X | X | |
| Windows 10 | Attestation-signed[1] | X | X | X |
| Windows Server 2012r2 | Cross-signed | X | ||
| Windows Server 2016 | WHQL-certified | X | ||
| Windows Server 2019 | WHQL-certified | X |
So we have the following architecture-signature combinations for tap-windows6:
- i386/x64 cross-signed
- i386/x64/arm64 attestation signed
- x64 WHQL certified
The user-mode signatures for openvpn.exe, openvpnserv.exe etc. can be created with standard, non-EV authenticode keys on all platforms.
Notes
[1] The requirement for attestation signatures in kernel-mode code came into Windows 10 quite early. It is not know if really old Windows 10 version can load attestation-signed drivers, but that seems likely. Even if they don't we may not want to support those
