Introduction
At the Lviv hackathon we agreed on the following things:
- OpenVPN 2.5 Windows installer should be MSI-based
- We won't provide NSIS installers for 2.5 unless there are major issues in the MSI
- The installer should include OpenVPN, OpenVPNService, tap-windows6 etc. each as separate MSI feature
- People who want to install just tap-windows6 can disable the OpenVPN features
- We should not try to embed MSI installers into MSI installers due to lack of good documentation
- Each installation architecture/target will get its own MSI installer
- We should bundle all the MSI installers into a thin wrapper executable, such as a self-extracting p7zip archive with a script hook that detects which MSI to launch
- The individual MSI files should also be made available for more technical users as well as system administrators
- The custom action DLL used in the tap-windows6 MSI installation logic could be included in openvpn.git, so that openvpn-build could easily build and sign it, just as is done with openvpn.exe and openvpnserv.exe. Having it in tap-windows6 repository would make signing that DLL slightly more problematic, as we don't really sign anything with the tap-windows6 buildsystem anymore.
- The MSI (WiX) code can be placed into a subdirectory in openvpn-build Git repository alongside "generic", "msvc" and "windows-nsis". The MSI should consume the artefacts that openvpn-build cross-compile process produces.
Installer targets
There are several "targets" for the installer. We not only have the architecture split (i386, x64, arm64), but also different types of kernel-mode signatures for tap-windows6:
Operating system | KM signature | i386 | x64 | arm64
---|---|---|---|---
Windows 7/8 | Cross-signed | X | X |
Windows 10 | Attestation-signed[1] | X | X | X
Windows Server 2012r2 | Cross-signed | | X |
Windows Server 2016 | WHQL-certified | | X |
Windows Server 2019 | WHQL-certified | | X |
So we have the following architecture-signature combinations:
- i386/x64 cross-signed
- i386/x64/arm64 attestation signed
- x64 WHQL certified
The user-mode signatures for openvpn.exe, openvpnserv.exe etc. can be created with standard, non-EV authenticode keys on all platforms.
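The wrapper's "script hook that detects which MSI to launch" (from the hackathon list above) has to encode exactly the architecture/signature table in this section. The following PowerShell is an added example and not code from openvpn-build or tap-windows6: it maps the running OS to one of the target combinations, checks the chosen package's Authenticode signature before handing it to msiexec, and refuses combinations the table does not list. The MSI file names (`openvpn-<arch>-<flavour>.msi`) and the function names are assumptions for the example.

```powershell
# Added example, not part of openvpn-build. Wrapper-side hook that picks the
# OpenVPN MSI matching this machine, verifies it is signed, and runs msiexec.
# File naming scheme below is an assumption, not what openvpn-build emits.

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Select-OpenVpnMsi {
    param(
        [Parameter(Mandatory)][version]$OsVersion,    # e.g. 6.1 (Win7), 10.0.17763 (Server 2019)
        [Parameter(Mandatory)][string]$Architecture,  # PROCESSOR_ARCHITECTURE style: x86/AMD64/ARM64
        [Parameter(Mandatory)][bool]$IsServer
    )
    # Map the Windows architecture string to the names used in the target table.
    $arch = switch ($Architecture.ToUpperInvariant()) {
        'X86'   { 'i386' }
        'AMD64' { 'x64' }
        'ARM64' { 'arm64' }
        default { throw "Unsupported architecture: $Architecture" }
    }
    # Kernel-mode signature flavour per OS family, straight from the table:
    # client 7/8 -> cross-signed, client 10 -> attestation, Server 2012r2 -> cross-signed,
    # Server 2016/2019 -> WHQL. Server targets exist only for x64.
    if ($IsServer) {
        if ($arch -ne 'x64') { throw "No $arch build is produced for Windows Server" }
        if ($OsVersion -ge [version]'10.0') { $flavour = 'whql' } else { $flavour = 'cross' }
    } elseif ($OsVersion -ge [version]'10.0') {
        $flavour = 'attestation'
    } else {
        if ($arch -eq 'arm64') { throw "No arm64 build is produced for Windows 7/8" }
        $flavour = 'cross'
    }
    return "openvpn-$arch-$flavour.msi"   # assumed naming scheme
}

function Install-OpenVpnMsi {
    param([Parameter(Mandatory)][string]$MsiDirectory)
    # Win32_OperatingSystem reports the real version even from a non-manifested host,
    # unlike [Environment]::OSVersion. ProductType 1 = workstation, 2/3 = server.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # A 32-bit PowerShell on 64-bit Windows reports x86 in PROCESSOR_ARCHITECTURE;
    # PROCESSOR_ARCHITEW6432 then carries the native architecture.
    $archRaw = if ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } else { $env:PROCESSOR_ARCHITECTURE }
    $msi  = Select-OpenVpnMsi -OsVersion ([version]$os.Version) -Architecture $archRaw -IsServer ($os.ProductType -ne 1)
    $path = Join-Path -Path $MsiDirectory -ChildPath $msi
    if (-not (Test-Path -LiteralPath $path)) { throw "Bundled MSI not found: $path" }

    # Refuse to run a package whose Authenticode signature is missing or broken;
    # the user-mode artefacts are expected to be signed with a standard authenticode key.
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') { throw "Signature check failed for ${path}: $($sig.Status)" }

    $proc = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList @('/i', "`"$path`"", '/qb', '/norestart') -Wait -PassThru
    return $proc.ExitCode
}

# Usage from the self-extractor's post-extract hook (assumed entry point):
#   Install-OpenVpnMsi -MsiDirectory $PSScriptRoot
```

The selection is kept in a pure function so the OS-to-package mapping can be exercised with fabricated inputs (for example `Select-OpenVpnMsi -OsVersion '6.3' -Architecture 'AMD64' -IsServer $true` should yield the x64 cross-signed package for Server 2012r2) without touching msiexec; the signature check runs on the bundled file itself, so a wrapper whose payload was swapped after signing still fails closed.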
Notes
[1] The requirement for attestation signatures in kernel-mode code came into Windows 10 quite early. It is not known whether really old Windows 10 versions can load attestation-signed drivers, but that seems likely. Even if they don't, we may not want to support those.