wiki:TapWindows6CodesignTests

Version 5 (modified by Samuli Seppänen, 8 years ago) (diff)

--

Introduction

This page shows the test procedures for tap-windows6 authenticode signatures, with a particular focus the signatures done with the new EV SHA2 codesigning certificate.

Note that the driver will not work on Windows XP or Windows Server 2003, because the operating systems do not support the NDIS6 interface required by tap-windows6.

Download links

tap6-ev-signed

These following two files files contain a tap-windows6 driver (tap6-ev-signed) that has been signed using an EV SHA2 code-signing certificate:

Note that the tap0901.sys file is not signed in this driver package - only tap0901.cat is.

Testing the drivers

The process for testing the driver is as follows:

  • Extract the driver package
  • Remove previously installed driver (if present)
  • Install the new driver
  • If installation fails, install all Windows updates (if possible) and retry
  • Report your finds to samuli at openvpn dot net and optionally update the test matrix at the bottom of the table

More fine-grained instructions below.

Prepaparations

All recent versions of Windows have zip support built in. The tar.gz file can be extracted with Git Bash, for example. Once you've extracted the package, launch command prompth (cmd.exe) or a Powershell session with administrator privileges. Then go to the driver directory:

cd tap6-ev-signed\amd64

If you're using a 32-bit OS replace "amd64" with "i386".

Next check if a conflicting tap-windows drivers is installed:

.\tapinstall.exe hwids tap0901
ROOT\NET\0000
    Name: Tap-Windows Adapter V9
    Hardware IDs:
        tap0901
1 matching device(s) found.

In this case there was.

Removing an existing driver

If tap-windows6 driver was installed, you need to remove it:

.\tapinstall.exe remove tap0901
ROOT\NET\0000:          : Removed
1 devices(s) were removed.

You can verify the removal using ".\tapinstall.exe hwids tap0901" as shown above.

Installing the new driver

Once the old driver (if any) is gone, you can install the new tap-windows6 driver:

.\tapinstall.exe install OemVista.inf tap0901

The above commands attempt to install the driver, and if Windows has any problems verifying the driver's publisher, it will complain about "Unknown publisher". In that case there is something wrong with the catalog file's (tap0901.cat) signature which needs to be fixed.

Reporting results

Both positive (e.g. "Loads fine on Windows 7 32-bit") and negative ("Fails on Windows 10 64-bit") reports are much appreciated. The test results are published in the test result table below.

Test results

tap-ev-signed

This driver package has one Authenticode signature done with an Digicert EV SHA2 certificate, and DigiCert High Assurance EV Root CA (from here) was used as the cross-certificate.

Operating systemBitnessInstalls?Works?All updates installed?ErrorsTester
Windows Vista32YesYesNoPublisher not detected at installselva
Windows Vista64-----
Windows 7 (pro)64YesYesYes-mattock
Windows Server 200864YesNoNoSee note 1, belowselva
Windows 1064YesYesNo-selva
Windows 10?No???raidz
Windows Server 2012r264YesYesYes-mattock

Notes:

  1. Cannot enable the tap adapter. Error message: "The TAP-Windows Adapter V9 service failed to start due to the following error: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source."