= Introduction =

This page shows the test procedures for tap-windows6 Authenticode signatures, with a particular focus on the signatures done with the new EV SHA2 code-signing certificate. Note that the driver will not work on Windows XP or Windows Server 2003, because those operating systems do not support the NDIS6 interface required by tap-windows6.

= Drivers =

== tap6-ev-signed ==

This driver package has one Authenticode signature done with a !DigiCert EV SHA2 certificate, and ''!DigiCert High Assurance EV Root CA'' (from [https://msdn.microsoft.com/en-us/library/windows/hardware/dn170454%28v=vs.85%29.aspx here]) was used as the cross-certificate.

The following two files contain a tap-windows6 driver (tap6-ev-signed) that has been signed using an EV SHA2 code-signing certificate:

 * [http://build.openvpn.net/downloads/temp/tap6-ev-signed.zip tap6-ev-signed.zip]
 * [http://build.openvpn.net/downloads/temp/tap6-ev-signed.tar.gz tap6-ev-signed.tar.gz]

Note that the ''tap0901.sys'' file is ''not'' signed in this driver package - only ''tap0901.cat'' is.

== tap6-dual-sha1-sha2ev ==

This driver contains two signatures:

 * Primary: non-EV SHA1 signature + !DigiCert SHA1 timestamp + !DigiCert Assured ID Root CA (cross-certificate)
 * Secondary: EV SHA2 signature + !DigiCert SHA2 timestamp + !DigiCert High Assurance EV Root CA (cross-certificate)

Note that the ''tap0901.sys'' file ''is'' signed in this driver package. In practice that does not seem to have any benefits.

Download links here:

 * [http://build.openvpn.net/downloads/temp/tap6-dual-sha1-sha2ev.zip tap6-dual-sha1-sha2ev.zip]
 * [http://build.openvpn.net/downloads/temp/tap6-dual-sha1-sha2ev.tar.gz tap6-dual-sha1-sha2ev.tar.gz]

= Testing the drivers =

The process for testing the driver is as follows:

 * Extract the driver package
 * Remove previously installed driver (if present)
 * Install the new driver
 * If installation fails, install all Windows updates (if possible) and retry
 * Report your findings to samuli at openvpn dot net and optionally update the test matrix at the bottom of this page

More fine-grained instructions below.

== Preparations ==

All recent versions of Windows have zip support built in. The tar.gz file can be extracted with Git Bash, for example.

Once you've extracted the package, launch a Command Prompt (cmd.exe) or a Powershell session with administrator privileges. Then go to the driver directory:

{{{
cd tap6-ev-signed\amd64
}}}

If you're using a 32-bit OS, replace "amd64" with "i386". Next, check if a conflicting tap-windows driver is installed:

{{{
.\tapinstall.exe hwids tap0901
ROOT\NET\0000
    Name: Tap-Windows Adapter V9
    Hardware IDs:
        tap0901
1 matching device(s) found.
}}}

In this case there was.

== Removing an existing driver ==

If a tap-windows6 driver was installed, you need to remove it:

{{{
.\tapinstall.exe remove tap0901
ROOT\NET\0000: : Removed
1 devices(s) were removed.
}}}

You can verify the removal using ''".\tapinstall.exe hwids tap0901"'' as shown above.

== Installing the new driver ==

Once the old driver (if any) is gone, you can install the new tap-windows6 driver:

{{{
.\tapinstall.exe install OemVista.inf tap0901
}}}

The above command attempts to install the driver. If Windows has any problems verifying the driver's publisher, it will complain about "Unknown publisher". In that case there is something wrong with the signature of the catalog file (tap0901.cat), which needs to be fixed.

== Reporting results ==

Both positive (e.g.
"Loads fine on Windows 7 32-bit") and negative ("Fails on Windows 10 64-bit") reports are much appreciated. The test results are published in the test result table below.

= Known issues =

The behavior of the ''File properties'' dialog seems to be inconsistent between different Windows versions. For example, in Windows 7, when looking at the ''tap0901.cat'' file, in some places Windows says "not digitally signed" or similar, whereas in other places the signature is detected correctly. In Windows Server 2012r2 the exact same catalog file shows all green in all places of the GUI. In both cases the driver installs, loads and works perfectly. On top of that, ''signtool verify...'' and ''Get-!AuthenticodeSignature'' both say the signature and the certification path are valid. So the behavior of the ''File properties'' dialog seems buggy and inconsistent across Windows versions.

= Test results =

== tap6-ev-signed ==

||'''Operating system'''||'''Bitness'''||'''Installs?'''||'''Works?'''||'''All updates installed?'''||'''Errors'''||'''Tester'''||
||Windows Vista||32||Yes||Yes||No||Publisher not detected at install||selva||
||Windows Vista||64||-||-||-||-||-||
||Windows 7 (pro)||64||Yes||Yes||Yes||-||mattock||
||Windows Server 2008||64||Yes||No||No||See note 1, below||selva||
||Windows 10||64||Yes||Yes||No||-||selva||
||Windows 10||?||No||?||?||?||raidz||
||Windows Server 2012r2||64||Yes||Yes||Yes||-||mattock||

'''Notes:'''

 1. Cannot enable the tap adapter. Error message: "The TAP-Windows Adapter V9 service failed to start due to the following error: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source."

== tap6-dual-sha1-sha2ev ==

||'''Operating system'''||'''Bitness'''||'''Installs?'''||'''Works?'''||'''All updates installed?'''||'''Errors'''||'''Tester'''||
||Windows Vista||32||Yes||Yes||No||See note 2 below||selva||
||Windows Vista||64||Yes||Yes||Yes||no||raidz||
||Windows 7 (pro)||64||Yes||Yes||Yes||no||mattock||
||Windows 10||64||Yes||Yes||?||See note 1 below||mattock||
||Windows 10||64||Yes||Yes||No||No||selva||

 1. When other tap-windows6 drivers (such as those from OpenVPN Connect) were installed, installation went fine, but Windows was unable to activate the driver. Removing the other tap-windows6 drivers made the driver install ''and'' work just fine.
 1. From Selva's email: ''"The behaviour on vista 32 (still not updated) is somewhat strange -- both the -sha2 and -sha1-sha2 now installs without any warning after the first forced installation --- i.e., install ignoring a stern warning, remove, and then install again and the second time onwards there are no warnings. I did not select the "trust this publisher" button or anything, but it behaves as if."''
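
The steps from ''Testing the drivers'', preceded by the ''Get-!AuthenticodeSignature'' check mentioned under ''Known issues'', as an added example script that is not part of the original page or of the OpenVPN project's tooling. It assumes an elevated !PowerShell 2.0 or later session; the ''$DriverDir'' parameter and the field names of the result objects are illustrative, and the device check relies only on the ''tapinstall.exe'' output format shown above.

```powershell
# Added example: verify the catalog signature, then run the page's
# hwids / remove / install sequence and collect a row for the test matrix.
param(
    [string]$DriverDir = '.\tap6-ev-signed\amd64'   # use i386 on a 32-bit OS
)

Set-Location -Path $DriverDir

# 1. Check the Authenticode signature of the catalog before touching the system.
#    The File properties dialog is unreliable here (see Known issues), so the
#    cmdlet's verdict is used instead.
$sig = Get-AuthenticodeSignature -FilePath '.\tap0901.cat'
New-Object PSObject -Property @{
    File        = 'tap0901.cat'
    Status      = $sig.Status
    Signer      = $sig.SignerCertificate.Subject
    Issuer      = $sig.SignerCertificate.Issuer
    CertSigAlg  = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
    Timestamper = $sig.TimeStamperCertificate.Subject
} | Format-List

if ($sig.Status -ne 'Valid') {
    # An invalid catalog signature is what leads to "Unknown publisher" at install.
    Write-Error "tap0901.cat signature status is '$($sig.Status)': $($sig.StatusMessage)"
    exit 1
}

# 2. Remove an existing tap0901 device if the hwids query reports one.
$before = (& .\tapinstall.exe hwids tap0901) -join "`n"
if ($before -match '(\d+) matching device\(s\) found') {
    Write-Host "Removing $($Matches[1]) existing tap0901 device(s)"
    & .\tapinstall.exe remove tap0901
}

# 3. Install the new driver, then confirm the device is present afterwards.
& .\tapinstall.exe install OemVista.inf tap0901
$installExit = $LASTEXITCODE
$after = (& .\tapinstall.exe hwids tap0901) -join "`n"

# 4. Summarise what a test report needs: OS, bitness and the install outcome.
$os = Get-WmiObject -Class Win32_OperatingSystem
New-Object PSObject -Property @{
    OperatingSystem = $os.Caption
    Bitness         = $os.OSArchitecture
    InstallExitCode = $installExit
    DevicePresent   = [bool]($after -match 'matching device\(s\) found')
} | Format-List
```

The script stops before changing anything if the catalog signature does not verify; whether the adapter can actually be enabled still has to be checked by hand, since the Windows Server 2008 result above shows an install that succeeded but did not work.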