wiki:TapWindows6CodesignTests

Introduction

This page shows the test procedures for tap-windows6 Authenticode signatures, with a particular focus on the signatures made with the new EV SHA2 code-signing certificate.

Note that the driver will not work on Windows XP or Windows Server 2003, because those operating systems do not support the NDIS6 interface that tap-windows6 requires.

Drivers

tap6-ev-signed

This driver package has one Authenticode signature, made with a DigiCert EV SHA2 certificate, and DigiCert High Assurance EV Root CA (from here) was used as the cross-certificate. The following two files contain a tap-windows6 driver (tap6-ev-signed) that has been signed using an EV SHA2 code-signing certificate:

Note that the tap0901.sys file is not signed in this driver package; only tap0901.cat is.

tap6-dual-sha1-sha2ev

This driver contains two signatures:

  • Primary: non-EV SHA1 signature + Digicert SHA1 timestamp + DigiCert Assured ID Root CA (cross-certificate)
  • Secondary: EV SHA2 signature + Digicert SHA2 timestamp + DigiCert High Assurance EV Root CA (cross-certificate)

Note that the tap0901.sys file is signed in this driver package. In practice that does not seem to have any benefits.

Download links here:

Testing the drivers

The process for testing the driver is as follows:

  • Extract the driver package
  • Remove previously installed driver (if present)
  • Install the new driver
  • If installation fails, install all Windows updates (if possible) and retry
  • Report your findings to samuli at openvpn dot net and optionally update the test matrix at the bottom of the page

More fine-grained instructions below.

Preparations

All recent versions of Windows have zip support built in. The tar.gz file can be extracted with Git Bash, for example. Once you've extracted the package, launch a command prompt (cmd.exe) or a PowerShell session with administrator privileges. Then go to the driver directory:

cd tap6-ev-signed\amd64

If you're using a 32-bit OS replace "amd64" with "i386".

Next, check whether a conflicting tap-windows driver is installed:

.\tapinstall.exe hwids tap0901
ROOT\NET\0000
    Name: Tap-Windows Adapter V9
    Hardware IDs:
        tap0901
1 matching device(s) found.

In this case there was.

Removing an existing driver

If a tap-windows6 driver was installed, you need to remove it:

.\tapinstall.exe remove tap0901
ROOT\NET\0000:          : Removed
1 devices(s) were removed.

You can verify the removal using ".\tapinstall.exe hwids tap0901" as shown above.

Installing the new driver

Once the old driver (if any) is gone, you can install the new tap-windows6 driver:

.\tapinstall.exe install OemVista.inf tap0901

The above command attempts to install the driver; if Windows has any problems verifying the driver's publisher, it will complain about "Unknown publisher". In that case there is something wrong with the signature of the catalog file (tap0901.cat), which needs to be fixed.

Reporting results

Both positive (e.g. "Loads fine on Windows 7 32-bit") and negative ("Fails on Windows 10 64-bit") reports are much appreciated. The test results are published in the test result table below.

Known issues

The behavior of the File properties dialog seems to be inconsistent between Windows versions. For example, in Windows 7, when looking at the tap0901.cat file, in some places Windows says "not digitally signed" or similar, whereas in other places the signature is detected correctly. In Windows Server 2012r2 the exact same catalog file shows all green in all places of the GUI. In both cases the driver installs, loads and works perfectly. On top of that, signtool verify... and Get-AuthenticodeSignature both say the signature and the certification path are valid. So the behavior of the File properties dialog appears buggy and inconsistent across Windows versions.
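The two checks mentioned above (signtool verify and Get-AuthenticodeSignature) combined into one PowerShell script, as an added example that is not part of the original page or the tap-windows6 project. It assumes you run it from the driver directory and that signtool.exe from the Windows SDK or WDK is on PATH; the expected root CA names are the ones given in the package descriptions above.

```powershell
# Added example (not from the tap-windows6 project): check the catalog and driver
# signatures with the two tools mentioned under "Known issues".
# Assumptions: run from the driver directory (e.g. tap6-ev-signed\amd64) and
# signtool.exe from the Windows SDK/WDK is on PATH.
param(
    [string]$Catalog = 'tap0901.cat',
    [string]$Driver  = 'tap0901.sys',
    # Roots named on this page for the EV SHA2 and the non-EV SHA1 chains
    [string[]]$ExpectedRoots = @('DigiCert High Assurance EV Root CA', 'DigiCert Assured ID Root CA')
)

function Show-PrimarySignature {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    Write-Host "== $Path"
    Write-Host ("Status        : {0} ({1})" -f $sig.Status, $sig.StatusMessage)
    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        Write-Host ("Signer        : {0}" -f $cert.Subject)
        # Algorithm the CA used on the signing cert (SHA1 vs SHA2 cert); the file
        # digest algorithm itself is only shown by 'signtool verify /v' below.
        Write-Host ("Cert sig alg  : {0}" -f $cert.SignatureAlgorithm.FriendlyName)
        # Walk the chain to see which root the signer certificate ends at
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null = $chain.Build($cert)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $rootCn = $root.GetNameInfo('SimpleName', $false)   # CN of the root
        Write-Host ("Root          : {0}" -f $rootCn)
        if ($ExpectedRoots -notcontains $rootCn) {
            Write-Warning "Chain does not end at one of the DigiCert roots named on this page"
        }
    }
    if ($sig.TimeStamperCertificate) {
        Write-Host ("Timestamped by: {0}" -f $sig.TimeStamperCertificate.Subject)
    }
    return ($sig.Status -eq 'Valid')
}

# Get-AuthenticodeSignature reports only the primary signature, so the secondary
# EV SHA2 signature of the dual-signed package is visible only via signtool /all.
$catalogOk = Show-PrimarySignature $Catalog
if ((Get-AuthenticodeSignature -FilePath $Driver).Status -eq 'NotSigned') {
    Write-Host "$Driver has no embedded signature; it is covered by the catalog only"
}
# /kp = kernel-mode driver signing policy, /all = every signature in the file,
# /c = verify the driver against the named catalog, /v = verbose output
& signtool.exe verify /kp /v /all $Catalog
& signtool.exe verify /kp /v /c $Catalog $Driver
if (-not $catalogOk) { Write-Warning "Primary catalog signature is not valid" }
```

The signtool /v output includes the hash algorithm and the full chain of each signature, which is what distinguishes the SHA1 and SHA2 signatures of the dual-signed package.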

Test results

tap6-ev-signed

Operating system      | Bitness | Installs? | Works? | All updates installed? | Errors                            | Tester
Windows Vista         | 32      | Yes       | Yes    | No                     | Publisher not detected at install | selva
Windows Vista         | 64      | -         | -      | -                      | -                                 | -
Windows 7 (pro)       | 64      | Yes       | Yes    | Yes                    | -                                 | mattock
Windows Server 2008   | 64      | Yes       | No     | No                     | See note 1, below                 | selva
Windows 10            | 64      | Yes       | Yes    | No                     | -                                 | selva
Windows 10            | ?       | No        | ?      | ?                      | ?                                 | raidz
Windows Server 2012r2 | 64      | Yes       | Yes    | Yes                    | -                                 | mattock

Notes:

  1. Cannot enable the tap adapter. Error message: "The TAP-Windows Adapter V9 service failed to start due to the following error: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source."

tap6-dual-sha1-sha2ev

Operating system | Bitness | Installs? | Works? | All updates installed? | Errors           | Tester
Windows Vista    | 32      | Yes       | Yes    | No                     | See note 2 below | selva
Windows Vista    | 64      | Yes       | Yes    | Yes                    | no               | raidz
Windows 7 (pro)  | 64      | Yes       | Yes    | Yes                    | no               | mattock
Windows 10       | 64      | Yes       | Yes    | ?                      | See note 1 below | mattock
Windows 10       | 64      | Yes       | Yes    | No                     | No               | selva

Notes:

  1. When other tap-windows6 drivers (such as those from OpenVPN Connect) were installed, installation went fine, but Windows was unable to activate the driver. Removing the other tap-windows6 drivers made the driver install and work just fine.
  2. From Selva's email: "The behaviour on vista 32 (still not updated) is somewhat strange -- both the -sha2 and -sha1-sha2 now installs without any warning after the first forced installation --- i.e., install ignoring a stern warning, remove, and then install again and the second time onwards there are no warnings. I did not select the "trust this publisher" button or anything, but it behaves as if."
Last modified on 04/21/16 06:41:06