If your tap-windows6 driver has to support Windows Vista or very old Windows 7 versions it has to have two signatures:

  1. Primary signature created with a normal (non-EV) SHA1 code-signing certificate. The SHA1 signature needs to be the primary as Vista can apparently understand only one signature.
  2. Secondary signature created with an Extended Validation (EV) SHA2 code-signing certificate. An EV certificate is required on early versions of Windows 10 for kernel drivers. Later versions require an attestation signature.

There are also further requirements due to the two signatures:

  • Build computer should have a SHA1 code-signing certificate in the certificate store under Currentuser\My or as a PFX file. The primary signature will be created by tap-windows6 build system.
  • Code-signing computer should have Windows Kit 10 installed: this kit includes a version of Signtool.exe which supports appending signatures to files. The SHA2 EV code-signing certificate needs to be visible in the certificate store under Currentuser\My.

The actual build/signing procedure in this case is rather convoluted.

On build computer

Copy your kernel-mode SHA1 code-signing certificate and the intermediate cross-signing certificate to the tap-windows6 directory.

Run to build and to sign with SHA1

$ python -b --sign <certificate-options>

NOTE: using the "-c" switch will wipe out any pre-built tapinstall.exe's in the tapinstall directory, so be careful with it.

Copy the following files to the code-signing computer:

  • tap6.tar.gz
  • 32-bit tapinstall.exe (renamed to tapinstall32.exe)
  • 64-bit tapinstall.exe (renamed to tapinstall64.exe)

On code-signing computer

Clone the Sign-Tap6 repository. Ensure your SHA2 EV code-signing certificate is visible in the Windows certificate store, and copy the matching cross-certificate to the sign-tap6 directory. All commands except the actual signing should be done from Git Bash or similar.

Copy tap6.tar.gz to the sign-tap6 directory and extract it:

$ tar -zxf tap6.tar.gz

Copy tapinstall.exe's to the tap6 directory:

$ cp tapinstall32.exe tap6/i386/tapinstall.exe
$ cp tapinstall64.exe tap6/amd64/tapinstall.exe

Next append secondary signatures with Sign-Tap6.ps1 in an administrator Powershell session. For example:

$ Sign-Tap6.ps1 -SourceDir tap6 -Append

Now wrap the dual-signed files into a tarball (e.g. using Git Bash):

$ tar -zcf tap6-dual-signed.tar.gz tap6

Copy the dual-signed tarball back to the build computer.

On build computer

Extract contents of tap6-dual-signed.tar.gz to the tap-windows6 directory:

$ rm -rf dist tap6
$ tar -zxf tap6-dual-signed.tar.gz
$ mv tap6 dist

Next you will need to run using the same parameters as before, except that you must not clean (-c) or build (-b). You should only package (-p) the dist directory into an installer. If you have a user-mode SHA2 certificate available on the build computer, then it is easiest to sign with that, e.g.

$ python -p --sign --certfile=<my-sha2-certificate> --certpw=<password> --crosscert=<my-cross-cert> --timestamp= --ti=tapinstall

Alternatively copy the installer produced by to the code-signing computer for the additional signature, as described below.

On code-signing computer

Append a signature to the tap-windows-<versio>-<buildnum>.exe using Sign-Tap6.ps1. Make sure you use the EV SHA2 certificate. Right now this process has not been automated, but the command-line is fairly easy to construct manually by looking at Sign-Tap6.ps1.

If this process sounds complicated, that's because it is. At some point would make sense to adapt to add both signatures automatically, which would simplify the process dramatically. However, that would require porting to Windows Kit 10, which would require a non-trivial amount of work.

Last modified 3 years ago Last modified on 04/05/19 07:33:28