OpenVPN / tap-windows6

Windows TAP driver (NDIS 6)

Injecting the publisher certificate into the Trusted Publisher store prior to running tapinstall.exe #26

Open mattock opened 7 years ago

mattock commented 7 years ago

According to Trac#798 silent installations of tap-windows6 driver fail if our publisher certificate is not in the Trusted Publishers store before installing the driver. This happens because Windows pops up / would pop up a messagebox that asks about trusting the publisher. To solve this the publisher certificate has to be injected into the certificate store.

What need is

chipitsine commented 7 years ago

it might be considered a security issue.

we investigate malware activity (not related to OpenVPN). There are so-called sandbox techniques in malware investigation: if some program performs such a certificate manipulation, it triggers on sandboxes like "cuckoo" and is often considered malware (by Google Safe Browsing, etc.)

chipitsine commented 7 years ago

it might be a better alternative to pass "logo" certification and get the driver signed by a Microsoft-trusted cert.

chipitsine commented 7 years ago

one more thing to mention here. Windows allows a so-called "enterprise certificate store", which is an Active Directory-integrated store (no certificate is stored locally): https://blogs.msdn.microsoft.com/muaddib/2013/10/18/understanding-and-managing-the-certificate-stores-used-for-smart-card-logon/

in such an environment you cannot add a certificate if you are not a Domain Admin (and the entire procedure is different from the local store).

we need to check if the "trusted publisher" store is local before injecting the cert into it.
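The pre-flight check asked for above, as an added example (this is not tap-windows6 or OpenVPN Connect installer code): it reports whether the LocalMachine TrustedPublisher store is locally writable and whether Group Policy is already delivering certificates into it, so an installer can skip injection on centrally managed machines. Assumptions not taken from the thread: the Group Policy certificate store is mirrored under `HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates` (standard Windows layout) and `Win32_ComputerSystem.PartOfDomain` reflects domain membership. Because store modification is exactly the behaviour sandboxes flag, limiting it to the cases where it is needed also keeps the installer's footprint small.

```powershell
# Added example, not tap-windows6 project code. Decides whether a local installer
# can and should write to LocalMachine\TrustedPublisher before injecting anything.
# Assumptions: Group Policy mirrors pushed certificates under
# HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates, one subkey per thumbprint,
# and Win32_ComputerSystem.PartOfDomain reports AD membership.
function Test-TrustedPublisherStore {
    [CmdletBinding()]
    param()

    $info = [ordered]@{
        DomainJoined       = $false   # machine is a member of an AD domain
        PolicyStorePresent = $false   # Group Policy already manages TrustedPublisher
        PolicyCertCount    = 0
        LocalStoreWritable = $false   # local store opens read-write (needs elevation)
        RecommendInject    = $false
    }

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $info.DomainJoined = [bool]$cs.PartOfDomain

    # Certificates delivered by policy show up here; their presence means an
    # administrator manages this store centrally and the installer should not.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates'
    if (Test-Path -Path $policyKey) {
        $info.PolicyCertCount    = @(Get-ChildItem -Path $policyKey -ErrorAction SilentlyContinue).Count
        $info.PolicyStorePresent = $info.PolicyCertCount -gt 0
    }

    # Probe the local, registry-backed store for write access without changing it.
    try {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'TrustedPublisher', 'LocalMachine'
        $store.Open('ReadWrite')
        $info.LocalStoreWritable = $true
        $store.Close()
    } catch {
        Write-Verbose "Cannot open LocalMachine\TrustedPublisher read-write: $($_.Exception.Message)"
    }

    # Inject only when the store is locally writable and not policy-managed;
    # otherwise leave it to the domain administrator (GPO or enterprise store).
    $info.RecommendInject = $info.LocalStoreWritable -and -not $info.PolicyStorePresent
    return [pscustomobject]$info
}

# Usage as an installer pre-flight step (run elevated):
$check = Test-TrustedPublisherStore -Verbose
$check | Format-List
if (-not $check.RecommendInject) {
    Write-Warning 'TrustedPublisher store is policy-managed or not writable; skipping certificate injection.'
}
```

A domain-joined machine without any policy-delivered certificates still gets `RecommendInject = $true`; the `DomainJoined` field is reported separately so an installer can choose to be stricter and defer to the administrator whenever the machine is in a domain.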

mattock commented 7 years ago

@chipitsine: good points. I asked the OpenVPN Connect guys if they've had such issues with their certificate-injecting installers.

mattock commented 7 years ago

The Access Server/OpenVPN Connect guys said that they have not experienced any significant issues with certificate injection. I will take a look at how it is implemented if I get access to the source code...

chipitsine commented 7 years ago

it is not difficult to integrate it into NSIS; I'll make a PR soon

hkocam commented 7 years ago

OP here from https://community.openvpn.net/openvpn/ticket/798: I made a mistake by not comparing the different thumbprints (cert, driver); somehow I used the wrong cert for injecting. After exporting the cert from the driver (tap-windows-9.21.2), everything works as expected.

for silent installs it would be very handy to have an option to install the cert in the installer, one less thing to get wrong. +1 from me
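An added example covering both the injection step the issue opens with and the thumbprint mix-up described in the comment above (this is not the tap-windows6 installer's code): it reads the Authenticode signer certificate straight out of the signed driver, so the certificate that lands in TrustedPublisher is by construction the one the driver was signed with, pins it against a thumbprint the installer author hard-codes, exports it as a `.cer` for the record, and only then adds it to the store. The driver path, the output path and the `<PUBLISHER_CERT_THUMBPRINT>` placeholder are assumptions; the example also assumes the `.sys` carries an embedded signature (for a catalog-only signed driver, point `-DriverPath` at the `.cat` file instead).

```powershell
# Added example, not tap-windows6 project code. Derives the publisher certificate
# from the driver's own Authenticode signature, verifies its thumbprint against a
# pinned value, exports it, and adds it to LocalMachine\TrustedPublisher.
# Paths and the thumbprint placeholder below are assumptions, not values from the issue.
param(
    [string]$DriverPath         = 'C:\Program Files\TAP-Windows\driver\tap0901.sys',
    [string]$ExportPath         = 'C:\Program Files\TAP-Windows\driver\publisher.cer',
    [string]$ExpectedThumbprint = '<PUBLISHER_CERT_THUMBPRINT>'   # placeholder: pin the real one here
)

function Get-DriverSignerCertificate {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Never derive trust from a file whose signature does not verify.
    if ($sig.Status -ne 'Valid') {
        throw "Signature on '$Path' is $($sig.Status); not trusting its signer."
    }
    return $sig.SignerCertificate
}

function Export-CertificateDer {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$OutFile
    )
    # DER-encoded public certificate only; no private key is involved.
    $bytes = $Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($OutFile, $bytes)
}

function Add-TrustedPublisherCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    # The comparison the original ticket skipped: the cert being injected must be
    # the one that signed the driver, or the publisher prompt is not suppressed.
    if ($Certificate.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
        throw "Thumbprint mismatch: driver signer $($Certificate.Thumbprint), expected $ExpectedThumbprint"
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'TrustedPublisher', 'LocalMachine'
    $store.Open('ReadWrite')
    try {
        $existing = $store.Certificates.Find('FindByThumbprint', $Certificate.Thumbprint, $false)
        if ($existing.Count -gt 0) { return 'AlreadyPresent' }
        $store.Add($Certificate)
        return 'Added'
    } finally {
        $store.Close()
    }
}

# 1. Signer certificate straight from the driver: the authoritative source.
$driverCert = Get-DriverSignerCertificate -Path $DriverPath
Write-Host "Driver signer: $($driverCert.Subject) [$($driverCert.Thumbprint)]"

# 2. Keep a copy of exactly what was trusted, for auditing.
Export-CertificateDer -Certificate $driverCert -OutFile $ExportPath

# 3. Inject only if the signer matches the pinned publisher thumbprint.
$outcome = Add-TrustedPublisherCertificate -Certificate $driverCert -ExpectedThumbprint $ExpectedThumbprint
Write-Host "TrustedPublisher: $outcome"
```

Run elevated, since the LocalMachine store is opened read-write. On uninstall the same thumbprint can be used to locate and remove the entry, so the installer never has to guess which certificate it added.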

chipitsine commented 7 years ago

stay tuned :-) I'm going to finish it within a week or less.