On 20/04/19 18:09, Gert Doering wrote:
> Hi,
> 
> On Sat, Apr 20, 2019 at 12:16:49PM +0300, Samuli Seppänen wrote:
>> Here are completely untested OpenVPN 2.4.7 installers which I wanted to
>> get out for testing a.s.a.p.:
>>
>> <https://build.openvpn.net/downloads/releases/openvpn-install-2.4.7-I604-Win7.exe>
>> <https://build.openvpn.net/downloads/releases/openvpn-install-2.4.7-I604-Win10.exe>
>>
>> As the name implies, there is a different version for Windows 7 (plus
>> 8/8.1/Server 2012r2) and for Windows 10 (all versions). This is
>> necessary due to code signatures in the tap-windows6 driver.
> 
> Shouldn't it be possible to have a normal signed driver also attestation
> signed, so "one driver for win7+win10"?
> 
> Or have we just never tested this?
> 
> gert
> 

Hi,

This is a good question. Attestation signing at Microsoft's end has some
interesting properties:

- It removes any existing signatures from tap0901.cat and tap0901.sys
- It does _not_ remove existing signatures from tapinstall.exe

We could potentially attestation-sign tap-windows6 first, then
cross-sign it. The result _might_ work on everything except Windows
Server 2016/2019.

I intend to do final installer / tap-windows6 testing tomorrow (Windows
7 and 10 work already). I can give double signatures a go in
tap-windows6 as well. Due to historic reasons the PowerShell scripts I
use already support appending signatures.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
