= Introduction = In the [wiki:LvivHackathon2018 Lviv hackathon] the we agreed on the following things: * OpenVPN 2.5 Windows installer should be MSI-based * The installer should include OpenVPN, OpenVPNService, tap-windows6 etc. each as separate MSI feature * People who want to install just tap-windows6 can disable the OpenVPN features * We should not try ti embed MSI installers into MSI installers due to lack of good documentation * Each installation architecture/target will get its own MSI installer * We should bundle all the MSI installer into a thin wrapper executable, such as a self-extracting p7zip archive with a script hook that detect which MSI to launch * The individual MSI files should also be made available for more technical users as well as system administrators = Installer targets = There are several "targets" for the installer. We not only have the architecture split (i386, x64, amd64), but also different types of kernel-mode signatures for tap-windows6: ||'''Operating system'''||'''KM signature''' ||'''i386'''||'''x64'''||'''arm64'''|| ||Windows 7/8 ||Cross-signed || X || X || || ||Windows 10 ||Attestation-signed![1]|| X || X || X || ||Windows Server 2012r2 ||Cross-signed || || X || || ||Windows Server 2016 ||WHQL-certified || || X || || ||Windows Server 2019 ||WHQL-certified || || X || || So we have the following architecture-signature combinations: 1. i386/x64 cross-signed 1. i386/x64/arm64 attestation signed 1. x64 WHQL certified The user-mode signatures for openvpn.exe, openvpnserv.exe etc. can be created with standard, non-EV authenticode keys on all platforms. = Notes = ![1] The requirement for attestation signatures in kernel-mode code came into Windows 10 quite early. It is not know if really old Windows 10 version can load attestation-signed drivers, but that seems likely. Even if they don't we may not want to support those