> Hi,
> On Mon, Mar 14, 2016 at 02:18:08PM +0200, Samuli Seppänen wrote:
> > Lack of the update might become more problematic after I rebuild the
> > tap-windows6 driver and sign it with our new key, in which case Windows
> > 7 might reject the driver altogether. So that part requires more
> > thorough pre-release testing.
> The old key is still valid, just not "good enough" for win8+, right?
> In that case we might consider building two tap driver packages, one
> signed with the vista/win7 key, one with the win8+ key.
> Or maybe I'm totally misunderstanding this, so ignore me :)
> gert
In case I did not respond to this earlier (my email client claims that)...
Old tap-windows6 signatures will be as valid as they were before. We
might run into trouble when we sign tap-windows6 with the EV dongle,
which probably generates SHA-2 signatures. The same goes for our new
generic code-signing certificate, which was recently rekeyed to SHA-2.
My view of what will happen once we fully move to SHA-2 for signing the
executables, libraries and drivers:
- Windows XP will show "Unknown publisher" for everything
- Some Windows 7 installations _might_ have issues:
  - Might not recognize the SHA-2 signatures ("Unknown publisher")
  - Might fail to install the SHA-2 tap-windows6 driver
- Windows 8.1+ should work just fine
That said, the Windows 7 issue has not been verified. So far nobody has
complained about the new SHA-2 based Windows installers I published. The
tap-windows6 driver contained in the installers was still signed with
the non-EV SHA-1 key, so at worst we'd see the "Unknown publisher" problem.
I can probably sign Windows XP (I00x) installers with the old SHA-1 key
until it expires in September. After that I will need to sign everything
with SHA-2. I think that at that point we should consider dropping
official Windows XP support, namely:
- Stop publishing tap-windows-based (I00x) OpenVPN installers
- Stop caring about "Unknown publisher" warnings on Windows XP
We could still allow use of I60x installers on Windows XP, and let
people downgrade to tap-windows manually.
--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock
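As an added illustration, not part of this thread or of the OpenVPN project's release tooling: a PowerShell function that reports the digest algorithm of every Authenticode signature embedded in a build, nested (dual) signatures included, so the SHA-1 versus SHA-2 question discussed above can be checked on an actual installer or driver before it ships. It assumes Windows PowerShell 5.x with .NET available, reads only the first entry of the PE certificate table, and the file path at the bottom is a placeholder.

```powershell
# Added example (not OpenVPN project code): list the digest algorithm of each
# Authenticode signature in a PE file, including nested dual signatures.
Add-Type -AssemblyName System.Security

function Get-AuthenticodeDigests {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # PE layout: e_lfanew at 0x3C points at "PE\0\0"; the optional header
    # follows the 20-byte COFF header and its magic selects PE32 or PE32+.
    $peOff  = [BitConverter]::ToInt32($bytes, 0x3C)
    $optOff = $peOff + 24
    $magic  = [BitConverter]::ToUInt16($bytes, $optOff)
    # Data directory 4 (IMAGE_DIRECTORY_ENTRY_SECURITY) holds a raw file
    # offset and size of the WIN_CERTIFICATE table, not an RVA.
    $dirBase = if ($magic -eq 0x20B) { $optOff + 112 } else { $optOff + 96 }
    $secOff  = [BitConverter]::ToInt32($bytes, $dirBase + 4 * 8)
    $secLen  = [BitConverter]::ToInt32($bytes, $dirBase + 4 * 8 + 4)
    if ($secOff -eq 0 -or $secLen -eq 0) { return @() }   # unsigned file

    # WIN_CERTIFICATE: dwLength(4) wRevision(2) wCertificateType(2) bCertificate
    # Only the first table entry is read here (assumption for this example).
    $certLen = [BitConverter]::ToInt32($bytes, $secOff)
    $pkcs7   = New-Object byte[] ($certLen - 8)
    [Array]::Copy($bytes, $secOff + 8, $pkcs7, 0, $pkcs7.Length)

    $results = @()
    $queue = New-Object 'System.Collections.Generic.Queue[byte[]]'
    $queue.Enqueue($pkcs7)
    while ($queue.Count -gt 0) {
        $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
        $cms.Decode($queue.Dequeue())
        foreach ($si in $cms.SignerInfos) {
            $results += [pscustomobject]@{
                Signer   = $si.Certificate.Subject
                Digest   = $si.DigestAlgorithm.FriendlyName           # sha1 / sha256
                CertAlgo = $si.Certificate.SignatureAlgorithm.FriendlyName # e.g. sha256RSA
            }
            # Dual-signed files carry further signatures as nested PKCS#7
            # blobs in the unsigned attribute OID 1.3.6.1.4.1.311.2.4.1.
            foreach ($attr in $si.UnsignedAttributes) {
                if ($attr.Oid.Value -eq '1.3.6.1.4.1.311.2.4.1') {
                    foreach ($v in $attr.Values) { $queue.Enqueue($v.RawData) }
                }
            }
        }
    }
    return $results
}

# Placeholder path; point it at the installer or tap-windows6 .sys to inspect.
Get-AuthenticodeDigests -Path 'C:\path\to\openvpn-installer.exe' | Format-Table -AutoSize
```

A build that reports only `sha256` under Digest is the case the thread expects to trouble Windows XP and unpatched Windows 7, while a `sha1` row alongside a `sha256` row indicates a dual-signed file.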