installer: Add code signing certificate before installing the driver #100
base: master
Rather than shipping separate installers for Windows 10 and pre Windows 10, pack all Windows drivers and extend selection logic to install the correct one. Signed-off-by: Simon Rozman <[email protected]>
This avoids prompts on Windows 7 (with KB2921916 applied), 8, 8.1, Server 2008R2, 2012R2. Note there is no prompt on Windows 10 and Server 2016 and 2019 already as the driver for Win10 is Microsoft signed. Signed-off-by: Simon Rozman <[email protected]>
I'll test this on the Windows 10 ARM64 laptop when I get back home. As discussed in the hackathon I'll create a new combined tap-windows6 installer based on the latest signed tap-windows6 drivers to get the benefits immediately.
Hi rozmansi, mattock. Could you confirm with any Win7 machine if such a cert is installed or the reg entry is created once the user opts for the Always Trust .... publisher checkbox? In my case, I do not see any impact of the reg entry created/cert installation for trusted publisher (tried in both stores) prompt. Thanks
@agrawalamit2005 are you saying that even if you have clicked "Trust this publisher" you get the same prompt when you install/upgrade tap-windows6 again?
@mattock I have not tried on tap-windows6 yet. Please read my comment more as a question on the approach used to avoid the Trust prompt. With another driver, I noticed a similar prompt but I do not see any entry created in the registry at the Trusted publisher place. Have you seen this entry?
Windows 7 really really really needs the KB2921916 for their driver install prompt to work correctly with SHA-256 driver signatures. Windows 7 without KB2921916 will keep prompting - regardless of what certificate we import and regardless how many times you tick that "Don't prompt again for this publisher" checkbox.
Yes, I can confirm this works without a prompt on Windows 7 with KB2921916. I tested it personally. I have tested it again once and for all - this time recording:
Thanks for the prompt response. It really boosts up confidence.
I have no more comment to hold this PR. Another query I have is, how you
are downloading KB2921916. Microsoft has stopped distributing it. Any side
loading installer of KB available to try at my end.
THANKS
Amit
…On Wed, Nov 13, 2019, 4:39 PM Simon Rozman ***@***.***> wrote:
This avoids prompts on Windows 7 *(with KB2921916 applied)*
Windows 7 *really really really* needs the KB2921916 for their driver
install prompt to work correctly with SHA-256 driver signatures.
Windows 7 without KB2921916 will keep prompting - regardless of what
certificate we import and regardless how many times you tick that "Don't
prompt again for this publisher" checkbox.
Could you confirm with any of win7 machine if such cert is installed or
the reg entry is created once user opt for Always Trust .... publisher
checkbox. In my case, i do not see any impact of the reg entry created/cert
installation for trusted publisher (tried in both stores) prompt.
Yes, I can confirm this works without a prompt on Windows 7 with
KB2921916. I tested it personally. I have tested it again once and for all
- this time recording:
1. Installing on a Win7 without KB2921916:
https://1drv.ms/u/s!AsRKV9itoeUTiz4NspnipAuziWuE?e=xcNHAm
2. Reverting to the snapshot before TAP-Windows6 was installed.
3. Installing KB2921916:
https://1drv.ms/u/s!AsRKV9itoeUTiz-ESCzDlYsXvd_S?e=C5jsGW
4. Rebooting
5. Installing TAP-Windows6 again:
https://1drv.ms/u/s!AsRKV9itoeUTi0Aa9cJ-wfKKMs6G?e=u8dZRE
I have downloaded the KB2921916 for testing purposes here:
I am not sure if OpenVPN community is legally entitled to host the download. At least not without double-checking the license that was included with the original download at Microsoft Download Server (no longer available). Without a license, I don't believe we are legally entitled to include it in our TAP-Windows6 installer and deploy it.
One thing, I probably should mention explicitly... This PR includes #99, since it reuses its logic to detect if Windows version is <10.
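A check for the two conditions discussed in this thread (is the driver's signing certificate in a Trusted Publishers store, and is KB2921916 present on Windows 7), as an added example that is not part of the PR or of any participant's comment. `$CatalogPath` is a hypothetical parameter pointing at the driver's signed catalog file; the cmdlets and certificate store paths are standard PowerShell.

```powershell
# Added diagnostic example, not code from the PR.
param(
    [Parameter(Mandatory = $true)]
    [string]$CatalogPath   # hypothetical: path to the driver's signed .cat file
)

$os = [Environment]::OSVersion.Version
if ($os.Major -ge 10) {
    'Windows 10 or later: per the thread, the Win10 driver is Microsoft signed.'
    return
}

# Windows 7 reports version 6.1. The thread states that without KB2921916 the
# prompt keeps appearing for SHA-256 signed drivers, whatever is imported.
$kbOk = $true
if ($os.Major -eq 6 -and $os.Minor -eq 1) {
    $kbOk = [bool](Get-HotFix -Id 'KB2921916' -ErrorAction SilentlyContinue)
}

# Take the signer certificate from the catalog's Authenticode signature
# instead of hard-coding a thumbprint.
$sig = Get-AuthenticodeSignature -FilePath $CatalogPath
if (-not $sig.SignerCertificate) {
    throw "No signer certificate found in $CatalogPath"
}
$thumb = $sig.SignerCertificate.Thumbprint

# Look for that exact certificate in both Trusted Publishers stores
# (machine-wide and per-user).
$stores = 'Cert:\LocalMachine\TrustedPublisher', 'Cert:\CurrentUser\TrustedPublisher'
$found  = @($stores | Where-Object { Test-Path "$_\$thumb" })

"Signer           : $($sig.SignerCertificate.Subject)"
"Thumbprint       : $thumb"
"Signature status : $($sig.Status)"
"KB2921916 check  : $kbOk"
"Trusted in       : $(if ($found) { $found -join ', ' } else { 'neither store' })"

if ($kbOk -and $found) {
    'Publisher is trusted and the prerequisite is met.'
} else {
    'Expect the publisher trust prompt during driver installation.'
}
```

Running it before and after the installer shows whether the certificate import actually took effect on that machine.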