tap-windows6
tap-windows6 copied to clipboard
OpenVPN
Installer for 9.22.1 throws a signature error.
After installing 9.22.1 the adapter in device manager throws the following error.
Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)
Microsoft Windows 10 Enterprise 2016 LTSB 10.0.14393 Build 14393
Microsoft Windows 10 Pro 10.0.16299 Build 16299
Hi,
On Wed, Apr 25, 2018 at 01:44:30PM +0000, crkinard wrote:
After installing 9.22.1 the adapter in device manager throws the following error.
Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)
Which platform is this? Windows XP, Vista, ...? Fully patched?
gert
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
Updated the initial post. Two machines.
The enterprise one is updated fully to WSUS settings so it MIGHT be missing something. The pro machine updates directly with Microsoft and has all updates (check for updates says there are none).
I have a third I can try it on at home but its the same install as the pro machine and fully updated. Reloaded both pro machines in the last day so little is on them at the moment.
Win10 should certainly work (and did, in our tests).
We expected failures on old Win7 installs (due to SHA2 signatures not being supported yet), and Vista (for the same reasons).
just an idea (will have a look myself later) ...
do we have a manifest on tap installer ?
2018-04-25 18:48 GMT+05:00 Gert Doering [email protected]:
Hi,
On Wed, Apr 25, 2018 at 01:44:30PM +0000, crkinard wrote:
After installing 9.22.1 the adapter in device manager throws the following error.
Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)
Which platform is this? Windows XP, Vista, ...? Fully patched?
gert
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/OpenVPN/tap-windows6/issues/49#issuecomment-384293071, or mute the thread https://github.com/notifications/unsubscribe-auth/ACHVUNpTsYlEyRHrO2XMZjkJnlEQQQhcks5tsH6ogaJpZM4Tjc9c .
Please copy and paste the relevant part of C:\Windows\inf\setupapi.dev.log here. That will give more clues about the signature error.
@crkinard can you confirm that the problem is not present in tap-windows-9.21.2.exe? Also please post setupapi.dev.log for that one here so that we can have a look at the difference.
2.21.2 worked.
setupapi.dev.log
EDIT: Never mind what I had here last. I'm a gord. Didnt restart the service for OpenVPN that handles running admin level tasks after installing 2.21.2
I will have a look at the setupapi.dev.log files tomorrow morning if all goes well.
I can confirm the same signature problem for 9.22.1 for Win 10 Pro 1709 (Build 16299.402). Installing the driver 9.21.2 from @mattock did work fine.
I have this problem too.
OS Name: Windows 10 Enterprise 2016 LTSB OS Version: N/A Build 14393
Version 9.22.1 fails with CM_PROB_UNSIGNED_DRIVER error while version 9.21.2 works, although with some warnings.
9.22.1 install log:
>>> [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901]
>>> Section start 2018/04/26 11:34:42.566
cmd: "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
ndv: INF path: C:\Program Files\TAP-Windows\driver\OemVista.inf
ndv: Install flags: 0x00000001
ndv: {Update Device Driver - ROOT\NET\0000}
ndv: Search options: 0x00000080
ndv: Searching single INF 'C:\Program Files\TAP-Windows\driver\OemVista.inf'
dvi: {Build Driver List} 11:34:42.607
dvi: Searching for hardware ID(s):
dvi: tap0901
dvi: Created Driver Node:
dvi: HardwareID - tap0901
dvi: InfName - c:\program files\tap-windows\driver\oemvista.inf
dvi: DevDesc - TAP-Windows Adapter V9
dvi: Section - tap0901.ndi
dvi: Rank - 0x00ff0000
dvi: Signer Score - Authenticode
dvi: DrvDate - 04/15/2018
dvi: Version - 9.0.0.22
dvi: {Build Driver List - exit(0x00000000)} 11:34:42.669
dvi: {DIF_SELECTBESTCOMPATDRV} 11:34:42.674
dvi: Default installer: Enter 11:34:42.681
dvi: {Select Best Driver}
dvi: Class GUID of device changed to: {4d36e972-e325-11ce-bfc1-08002be10318}.
dvi: Selected:
dvi: Description - [TAP-Windows Adapter V9]
dvi: InfFile - [c:\program files\tap-windows\driver\oemvista.inf]
dvi: Section - [tap0901.ndi]
dvi: {Select Best Driver - exit(0x00000000)}
dvi: Default installer: Exit
dvi: {DIF_SELECTBESTCOMPATDRV - exit(0x00000000)} 11:34:42.726
ndv: Forcing driver install:
ndv: Inf Name - oemvista.inf
ndv: Driver Date - 04/15/2018
ndv: Driver Version - 9.0.0.22
sto: {Setup Import Driver Package: c:\program files\tap-windows\driver\oemvista.inf} 11:34:42.751
sto: Driver package already imported as 'oem24.inf'.
sto: {Setup Import Driver Package - exit (0x00000000)} 11:34:42.762
dvi: Searching for hardware ID(s):
dvi: tap0901
dvi: Class GUID of device changed to: {4d36e972-e325-11ce-bfc1-08002be10318}.
dvi: {Plug and Play Service: Device Install for ROOT\NET\0000}
ndv: Driver INF Path: C:\Windows\INF\oem24.inf
ndv: Driver Node Name: oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.22:tap0901
ndv: Driver Store Path: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_98fc017a6cec15eb\oemvista.inf
dvi: Searching for hardware ID(s):
dvi: tap0901
dvi: Class GUID of device changed to: {4d36e972-e325-11ce-bfc1-08002be10318}.
ndv: {Core Device Install} 11:34:42.803
ndv: {Install Device - ROOT\NET\0000} 11:34:42.805
ndv: Parent device: HTREE\ROOT\0
ndv: {Configure Device - ROOT\NET\0000} 11:34:42.811
ndv: Parent device: HTREE\ROOT\0
sto: {Configure Driver Package: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_98fc017a6cec15eb\oemvista.inf}
sto: Source Filter = tap0901
inf: Class GUID = {4d36e972-e325-11ce-bfc1-08002be10318}
inf: Class Options = Configurable
inf: {Configure Driver: TAP-Windows Adapter V9}
inf: Section Name = tap0901.ndi
inf: {Add Service: tap0901}
inf: Start Type = 3
inf: Service Type = 1
inf: Error Control = 1
inf: Image Path = \SystemRoot\System32\drivers\tap0901.sys
inf: Display Name = TAP-Windows Adapter V9
inf: Group = NDIS
inf: Updated service 'tap0901'.
inf: {Add Service: exit(0x00000000)}
inf: Hardware Id = tap0901
inf: {Configure Driver Configuration: tap0901.ndi}
inf: Service Name = tap0901
inf: Config Flags = 0x00000000
inf: {Configure Driver Configuration: exit(0x00000000)}
inf: {Configure Driver: exit(0x00000000)}
flq: Copying 'C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_98fc017a6cec15eb\tap0901.sys' to 'C:\Windows\System32\drivers\tap0901.sys'.
cpy: Existing file 'C:\Windows\System32\drivers\tap0901.sys' remains unchanged.
sto: {Configure Driver Package: exit(0x00000000)}
dvi: Install Device: Configuring device (oem24.inf:tap0901,tap0901.ndi). 11:34:42.857
dvi: Install Device: Configuring device completed. 11:34:42.861
dvi: Install Device: Starting device. 11:34:42.862
dvi: Install Device: Starting device completed. 11:34:42.869
!!! dvi: Device not started: Device has problem: 0x34 (CM_PROB_UNSIGNED_DRIVER), problem status: 0xc0000428.
ndv: {Configure Device - exit(0x00000000)} 11:34:42.872
! ndv: Queueing up error report since device has a PnP problem...
ndv: {Install Device - exit(0x00000000)} 11:34:42.997
ndv: {Core Device Install - exit(0x00000000)} 11:34:42.998
ump: {Plug and Play Service: Device Install exit(00000000)}
ndv: {Update Device Driver - exit(00000000)}
<<< Section end 2018/04/26 11:34:43.018
<<< [Exit status: SUCCESS]
9.21.2 install log:
>>> [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901]
>>> Section start 2018/04/26 11:47:02.423
cmd: "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
ndv: INF path: C:\Program Files\TAP-Windows\driver\OemVista.inf
ndv: Install flags: 0x00000001
ndv: {Update Device Driver - ROOT\NET\0000}
ndv: Search options: 0x00000080
ndv: Searching single INF 'C:\Program Files\TAP-Windows\driver\OemVista.inf'
dvi: {Build Driver List} 11:47:02.464
dvi: Searching for hardware ID(s):
dvi: tap0901
sig: {_VERIFY_FILE_SIGNATURE} 11:47:02.557
sig: Key = oemvista.inf
sig: FilePath = c:\program files\tap-windows\driver\oemvista.inf
sig: Catalog = c:\program files\tap-windows\driver\tap0901.cat
! sig: Verifying file against specific (valid) catalog failed! (0x800b0109)
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 11:47:02.619
sig: {_VERIFY_FILE_SIGNATURE} 11:47:02.624
sig: Key = oemvista.inf
sig: FilePath = c:\program files\tap-windows\driver\oemvista.inf
sig: Catalog = c:\program files\tap-windows\driver\tap0901.cat
sig: Success: File is signed in Authenticode(tm) catalog.
sig: Error 0xe0000242: The publisher of an Authenticode(tm) signed catalog has not yet been established as trusted.
sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000242)} 11:47:02.676
dvi: Created Driver Node:
dvi: HardwareID - tap0901
dvi: InfName - c:\program files\tap-windows\driver\oemvista.inf
dvi: DevDesc - TAP-Windows Adapter V9
dvi: Section - tap0901.ndi
dvi: Rank - 0x00ff0000
dvi: Signer Score - Authenticode
dvi: DrvDate - 04/21/2016
dvi: Version - 9.0.0.21
dvi: {Build Driver List - exit(0x00000000)} 11:47:02.725
dvi: {DIF_SELECTBESTCOMPATDRV} 11:47:02.731
dvi: Default installer: Enter 11:47:02.737
dvi: {Select Best Driver}
dvi: Class GUID of device changed to: {4d36e972-e325-11ce-bfc1-08002be10318}.
dvi: Selected:
dvi: Description - [TAP-Windows Adapter V9]
dvi: InfFile - [c:\program files\tap-windows\driver\oemvista.inf]
dvi: Section - [tap0901.ndi]
dvi: {Select Best Driver - exit(0x00000000)}
dvi: Default installer: Exit
dvi: {DIF_SELECTBESTCOMPATDRV - exit(0x00000000)} 11:47:02.783
ndv: Forcing driver install:
ndv: Inf Name - oemvista.inf
ndv: Driver Date - 04/21/2016
ndv: Driver Version - 9.0.0.21
sto: {Setup Import Driver Package: c:\program files\tap-windows\driver\oemvista.inf} 11:47:02.808
inf: Provider: TAP-Windows Provider V9
inf: Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
inf: Driver Version: 04/21/2016,9.00.00.21
inf: Catalog File: tap0901.cat
sto: {Copy Driver Package: c:\program files\tap-windows\driver\oemvista.inf} 11:47:02.834
sto: Driver Package = c:\program files\tap-windows\driver\oemvista.inf
sto: Flags = 0x00000007
sto: Destination = C:\Users\MYUSER\AppData\Local\Temp\{fa165b75-b798-8a42-b752-354f99662d82}
sto: Copying driver package files to 'C:\Users\MYUSER\AppData\Local\Temp\{fa165b75-b798-8a42-b752-354f99662d82}'.
flq: Copying 'c:\program files\tap-windows\driver\oemvista.inf' to 'C:\Users\MYUSER\AppData\Local\Temp\{fa165b75-b798-8a42-b752-354f99662d82}\oemvista.inf'.
flq: Copying 'c:\program files\tap-windows\driver\tap0901.cat' to 'C:\Users\MYUSER\AppData\Local\Temp\{fa165b75-b798-8a42-b752-354f99662d82}\tap0901.cat'.
flq: Copying 'c:\program files\tap-windows\driver\tap0901.sys' to 'C:\Users\MYUSER\AppData\Local\Temp\{fa165b75-b798-8a42-b752-354f99662d82}\tap0901.sys'.
sto: {Copy Driver Package: exit(0x00000000)} 11:47:02.887
pol: {Driver package policy check} 11:47:02.918
pol: {Driver package policy check - exit(0x00000000)} 11:47:02.919
sto: {Stage Driver Package: C:\Users\MYUSER\AppData\Local\Temp\{fa165b75-b798-8a42-b752-354f99662d82}\oemvista.inf} 11:47:02.920
inf: {Query Configurability: C:\Users\MYUSER\AppData\Local\Temp\{fa165b75-b798-8a42-b752-354f99662d82}\oemvista.inf} 11:47:02.924
inf: Driver package 'oemvista.inf' is configurable.
inf: {Query Configurability: exit(0x00000000)} 11:47:02.927
flq: Copying 'C:\Users\MYUSER\AppData\Local\Temp\{fa165b75-b798-8a42-b752-354f99662d82}\oemvista.inf' to 'C:\Windows\System32\DriverStore\Temp\{5d879624-c75f-be48-9c56-f83ce75e10d1}\oemvista.inf'.
flq: Copying 'C:\Users\MYUSER\AppData\Local\Temp\{fa165b75-b798-8a42-b752-354f99662d82}\tap0901.cat' to 'C:\Windows\System32\DriverStore\Temp\{5d879624-c75f-be48-9c56-f83ce75e10d1}\tap0901.cat'.
flq: Copying 'C:\Users\MYUSER\AppData\Local\Temp\{fa165b75-b798-8a42-b752-354f99662d82}\tap0901.sys' to 'C:\Windows\System32\DriverStore\Temp\{5d879624-c75f-be48-9c56-f83ce75e10d1}\tap0901.sys'.
sto: {DRIVERSTORE IMPORT VALIDATE} 11:47:02.955
sig: {_VERIFY_FILE_SIGNATURE} 11:47:02.980
sig: Key = oemvista.inf
sig: FilePath = C:\Windows\System32\DriverStore\Temp\{5d879624-c75f-be48-9c56-f83ce75e10d1}\oemvista.inf
sig: Catalog = C:\Windows\System32\DriverStore\Temp\{5d879624-c75f-be48-9c56-f83ce75e10d1}\tap0901.cat
! sig: Verifying file against specific (valid) catalog failed! (0x800b0109)
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 11:47:02.999
sig: {_VERIFY_FILE_SIGNATURE} 11:47:02.999
sig: Key = oemvista.inf
sig: FilePath = C:\Windows\System32\DriverStore\Temp\{5d879624-c75f-be48-9c56-f83ce75e10d1}\oemvista.inf
sig: Catalog = C:\Windows\System32\DriverStore\Temp\{5d879624-c75f-be48-9c56-f83ce75e10d1}\tap0901.cat
sig: Success: File is signed in Authenticode(tm) catalog.
sig: Error 0xe0000242: The publisher of an Authenticode(tm) signed catalog has not yet been established as trusted.
sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000242)} 11:47:03.026
! sig: Driver package signer is unknown, but user trusts signer.
sto: {DRIVERSTORE IMPORT VALIDATE: exit(0x00000000)} 11:47:06.237
sig: Signer Score = 0x0F000000
sig: Signer Name = OpenVPN Technologies, Inc.
sto: {DRIVERSTORE IMPORT BEGIN} 11:47:06.240
sto: {DRIVERSTORE IMPORT BEGIN: exit(0x00000000)} 11:47:06.241
cpy: {Copy Directory: C:\Windows\System32\DriverStore\Temp\{5d879624-c75f-be48-9c56-f83ce75e10d1}} 11:47:06.242
cpy: Target Path = C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28
cpy: {Copy Directory: exit(0x00000000)} 11:47:06.244
idb: {Register Driver Package: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf} 11:47:06.246
idb: Created driver package object 'oemvista.inf_amd64_a572b7f20c402d28' in DRIVERS database node.
idb: Created driver INF file object 'oem24.inf' in DRIVERS database node.
idb: Registered driver package 'oemvista.inf_amd64_a572b7f20c402d28' with 'oem24.inf'.
idb: {Register Driver Package: exit(0x00000000)} 11:47:06.251
idb: {Publish Driver Package: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf} 11:47:06.252
idb: Activating driver package 'oemvista.inf_amd64_a572b7f20c402d28'.
cpy: Published 'oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf' to 'oem24.inf'.
idb: Indexed 3 device IDs for 'oemvista.inf_amd64_a572b7f20c402d28'.
sto: Flushed driver database node 'DRIVERS'. Time = 0 ms
sto: Flushed driver database node 'SYSTEM'. Time = 0 ms
idb: {Publish Driver Package: exit(0x00000000)} 11:47:06.269
sto: {DRIVERSTORE IMPORT END} 11:47:06.271
dvi: Flushed all driver package files to disk. Time = 0 ms
sig: Installed catalog 'tap0901.cat' as 'oem24.cat'.
sto: {DRIVERSTORE IMPORT END: exit(0x00000000)} 11:47:06.291
sto: {Stage Driver Package: exit(0x00000000)} 11:47:06.293
sto: {Setup Import Driver Package - exit (0x00000000)} 11:47:06.307
dvi: Searching for hardware ID(s):
dvi: tap0901
dvi: Class GUID of device changed to: {4d36e972-e325-11ce-bfc1-08002be10318}.
dvi: {Plug and Play Service: Device Install for ROOT\NET\0000}
ndv: Driver INF Path: C:\Windows\INF\oem24.inf
ndv: Driver Node Name: oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901
ndv: Driver Store Path: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf
dvi: Searching for hardware ID(s):
dvi: tap0901
dvi: Class GUID of device changed to: {4d36e972-e325-11ce-bfc1-08002be10318}.
ndv: {Core Device Install} 11:47:06.351
ndv: {Install Device - ROOT\NET\0000} 11:47:06.353
ndv: Parent device: HTREE\ROOT\0
ndv: {Configure Device - ROOT\NET\0000} 11:47:06.359
ndv: Parent device: HTREE\ROOT\0
sto: {Configure Driver Package: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf}
sto: Source Filter = tap0901
inf: Class GUID = {4d36e972-e325-11ce-bfc1-08002be10318}
inf: Class Options = Configurable
inf: {Configure Driver: TAP-Windows Adapter V9}
inf: Section Name = tap0901.ndi
inf: {Add Service: tap0901}
inf: Start Type = 3
inf: Service Type = 1
inf: Error Control = 1
inf: Image Path = \SystemRoot\System32\drivers\tap0901.sys
inf: Display Name = TAP-Windows Adapter V9
inf: Group = NDIS
inf: Updated service 'tap0901'.
inf: {Add Service: exit(0x00000000)}
inf: Hardware Id = tap0901
inf: {Configure Driver Configuration: tap0901.ndi}
inf: Service Name = tap0901
inf: Config Flags = 0x00000000
inf: {Configure Driver Configuration: exit(0x00000000)}
inf: {Configure Driver: exit(0x00000000)}
flq: Copying 'C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys' to 'C:\Windows\System32\drivers\tap0901.sys'.
dvi: Existing files modified, may need to restart related services.
sto: {Configure Driver Package: exit(0x00000bc3)}
ndv: Restart required for any devices using this driver.
dvi: Install Device: Configuring device (oem24.inf:tap0901,tap0901.ndi). 11:47:06.405
dvi: Install Device: Configuring device completed. 11:47:06.410
dvi: {Restarting Devices} 11:47:06.411
dvi: Restart: ROOT\NET\0000
dvi: {Restarting Devices exit} 11:47:06.456
ndv: {Configure Device - exit(0x00000000)} 11:47:06.457
ndv: {Install Device - exit(0x00000000)} 11:47:06.471
ndv: {Core Device Install - exit(0x00000000)} 11:47:06.472
ndv: Waiting for device post-install to complete. 11:47:06.474
ndv: Device post-install completed. 11:47:06.570
ump: {Plug and Play Service: Device Install exit(00000000)}
ndv: {Update Device Driver - exit(00000000)}
<<< Section end 2018/04/26 11:47:06.618
<<< [Exit status: SUCCESS]
The root of the problem is this:
Device not started: Device has problem: 0x34 (CM_PROB_UNSIGNED_DRIVER), problem status: 0xc0000428.
Can you check if the driver is present in the device drivers dialog in the Windows control panel? I think it should be there, but probably shows an exclamation mark. In other words, it has been installed successfully, but the kernel refuses to load it.
That is exactly how it is. Shows up in device manager with a driver but refuses to load it because of bad signing.
As a short-term workaround I built new Windows installer which include the old (9.21.2) tap-windows6 driver:
- https://build.openvpn.net/downloads/releases/openvpn-install-2.4.6-I602.exe
Out of curiosity I will try to follow the exact same signing process as for 9.21.2 (dual signatures) to see if that makes any difference. If not, then I will go the hardware dev portal route.
@crkinard @kappa7194
Can you try out this installer and see if it works?
- https://build.openvpn.net/downloads/releases/tap-windows-9.22.1-I602.exe
It is not dual-signed (don't have the SHA1 key). But the driver file itself (tap0901.sys) now has a signature. Previously only the security catalog (tap0901.cat) had it.
same problem here on a fresh w10pro install. tested:
the new linked "tap-windows-9.22.1-I602.exe" still throws error 52 signature problem in device manager.
the above workaround installer including the old tap (9.21.2) works nicely.
I made the workaround installer official until I get the signature issue resolved. I submitted the tap-windows6 driver files to the Windows developer dashboard for signing, but I'm not sure how long the process will take. We're probably speaking of at least a week.
The reason for sticking to cross-signing was to have a driver that is supported by all versions of Windows, wasn't it? If we go this attestation signing route, we'll have to jump through too many hoops (aka HLK/HCK) to get a driver that supports not just Win10 but older desktop and server versions. Any changes to tap-windows will become a major pain going forward.
Anyway, the reason cross-signing has failed this time appears to be because the certificate used to sign the new driver was issued in Aug 2016 (not prior to the July 29, 2015 cut-off date). The exception clause for cross-signed cert is not very clear, but seems to imply the signing certificate ("end-entity cert") has to be issued before that date. The old one was issued in 2013.
If that is the case we don't have much option but use cross-signing plus attestation to have one version that supports most end users and another cross-signed only for the rest? There are no good options here.
The process for properly signing drivers for Windows 10 is quite convoluted. I will try to get the signing process sorted out by next week. Installers scripts will require changes so a full release is even farther away.
Tap-windows 9.22.1 does not work on recent Windows 10 that has secure boot on and is a fresh install based on revision 1607 or later. This has everything to do with signatures - Microsoft made signing requirements much more strict and we're setting up the infrastructure to build, sign and test 9.22.1 so that these Windows 10 systems can accept it.
OS: Win 10 x64 (1803 April Update) Build 17134.81 Enterprise Tap-Driver: I tried all of them including the 9.0.0.22, 2.21.2,... None of this posted solutions survive several reboot, it might work at first but after some time you get the same error in Device Manager.
Yesterday I reinstalled my work laptop using Microsoft Windows 10 Enterprise (10.0.17134 Build 17134) and openvpn-install-2.4.6-I602.exe, which includes TAP-Windows 9.21.2, worked flawlessly.
Maybe you have something else on your computer that's interfering?
OK, this is funny.
This afternoon the TAP interface disappeared. In Device Manger the interface was no longer available under Network adapters, however a mysterious "Unknown device" appeared under Other devices, bearing a description of "tap".
I uninstalled the unknown device, uninstalled TAP-Windows, and then reinstalled it using http://build.openvpn.net/downloads/releases/tap-windows-9.22.1-I602.exe and lo and behold the device refused to start with the usual error:
Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)
Here's the install log:
>>> [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901]
>>> Section start 2018/05/25 16:23:12.828
cmd: "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
ndv: INF path: C:\Program Files\TAP-Windows\driver\OemVista.inf
ndv: Install flags: 0x00000001
ndv: {Update Device Driver - ROOT\NET\0000}
ndv: Search options: 0x00000080
ndv: Searching single INF 'C:\Program Files\TAP-Windows\driver\OemVista.inf'
dvi: {Build Driver List} 16:23:12.891
dvi: Searching for hardware ID(s):
dvi: tap0901
sig: {_VERIFY_FILE_SIGNATURE} 16:23:12.953
sig: Key = oemvista.inf
sig: FilePath = c:\program files\tap-windows\driver\oemvista.inf
sig: Catalog = c:\program files\tap-windows\driver\tap0901.cat
! sig: Verifying file against specific (valid) catalog failed.
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 16:23:13.078
sig: {_VERIFY_FILE_SIGNATURE} 16:23:13.078
sig: Key = oemvista.inf
sig: FilePath = c:\program files\tap-windows\driver\oemvista.inf
sig: Catalog = c:\program files\tap-windows\driver\tap0901.cat
sig: Success: File is signed in Authenticode(tm) catalog.
sig: Error 0xe0000242: The publisher of an Authenticode(tm) signed catalog has not yet been established as trusted.
sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000242)} 16:23:13.156
dvi: Created Driver Node:
dvi: HardwareID - tap0901
dvi: InfName - c:\program files\tap-windows\driver\oemvista.inf
dvi: DevDesc - TAP-Windows Adapter V9
dvi: Section - tap0901.ndi
dvi: Rank - 0x00ff0000
dvi: Signer Score - Authenticode
dvi: DrvDate - 04/15/2018
dvi: Version - 9.0.0.22
dvi: {Build Driver List - exit(0x00000000)} 16:23:13.203
dvi: {DIF_SELECTBESTCOMPATDRV} 16:23:13.219
dvi: Default installer: Enter 16:23:13.219
dvi: {Select Best Driver}
dvi: Class GUID of device changed to: {4d36e972-e325-11ce-bfc1-08002be10318}.
dvi: Selected Driver:
dvi: Description - TAP-Windows Adapter V9
dvi: InfFile - c:\program files\tap-windows\driver\oemvista.inf
dvi: Section - tap0901.ndi
dvi: {Select Best Driver - exit(0x00000000)}
dvi: Default installer: Exit
dvi: {DIF_SELECTBESTCOMPATDRV - exit(0x00000000)} 16:23:13.266
ndv: Force Installing Driver:
ndv: Inf Name - oemvista.inf
ndv: Driver Date - 04/15/2018
ndv: Driver Version - 9.0.0.22
sto: {Setup Import Driver Package: c:\program files\tap-windows\driver\oemvista.inf} 16:23:13.297
inf: Provider: TAP-Windows Provider V9
inf: Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
inf: Driver Version: 04/15/2018,9.00.00.22
inf: Catalog File: tap0901.cat
sto: {Copy Driver Package: c:\program files\tap-windows\driver\oemvista.inf} 16:23:13.328
sto: Driver Package = c:\program files\tap-windows\driver\oemvista.inf
sto: Flags = 0x00000007
sto: Destination = C:\Users\MYUSER\AppData\Local\Temp\{0e5559d5-4b7a-7748-8e85-04684c667720}
sto: Copying driver package files to 'C:\Users\MYUSER\AppData\Local\Temp\{0e5559d5-4b7a-7748-8e85-04684c667720}'.
flq: Copying 'c:\program files\tap-windows\driver\oemvista.inf' to 'C:\Users\MYUSER\AppData\Local\Temp\{0e5559d5-4b7a-7748-8e85-04684c667720}\oemvista.inf'.
flq: Copying 'c:\program files\tap-windows\driver\tap0901.cat' to 'C:\Users\MYUSER\AppData\Local\Temp\{0e5559d5-4b7a-7748-8e85-04684c667720}\tap0901.cat'.
flq: Copying 'c:\program files\tap-windows\driver\tap0901.sys' to 'C:\Users\MYUSER\AppData\Local\Temp\{0e5559d5-4b7a-7748-8e85-04684c667720}\tap0901.sys'.
sto: {Copy Driver Package: exit(0x00000000)} 16:23:13.391
pol: {Driver package policy check} 16:23:13.453
pol: {Driver package policy check - exit(0x00000000)} 16:23:13.453
sto: {Stage Driver Package: C:\Users\MYUSER\AppData\Local\Temp\{0e5559d5-4b7a-7748-8e85-04684c667720}\oemvista.inf} 16:23:13.453
inf: {Query Configurability: C:\Users\MYUSER\AppData\Local\Temp\{0e5559d5-4b7a-7748-8e85-04684c667720}\oemvista.inf} 16:23:13.469
inf: Driver package 'oemvista.inf' is configurable.
inf: {Query Configurability: exit(0x00000000)} 16:23:13.485
flq: Copying 'C:\Users\MYUSER\AppData\Local\Temp\{0e5559d5-4b7a-7748-8e85-04684c667720}\oemvista.inf' to 'C:\Windows\System32\DriverStore\Temp\{39dce127-0574-8140-a706-a00f40a05b94}\oemvista.inf'.
flq: Copying 'C:\Users\MYUSER\AppData\Local\Temp\{0e5559d5-4b7a-7748-8e85-04684c667720}\tap0901.cat' to 'C:\Windows\System32\DriverStore\Temp\{39dce127-0574-8140-a706-a00f40a05b94}\tap0901.cat'.
flq: Copying 'C:\Users\MYUSER\AppData\Local\Temp\{0e5559d5-4b7a-7748-8e85-04684c667720}\tap0901.sys' to 'C:\Windows\System32\DriverStore\Temp\{39dce127-0574-8140-a706-a00f40a05b94}\tap0901.sys'.
sto: {DRIVERSTORE IMPORT VALIDATE} 16:23:13.500
sig: {_VERIFY_FILE_SIGNATURE} 16:23:13.563
sig: Key = oemvista.inf
sig: FilePath = C:\Windows\System32\DriverStore\Temp\{39dce127-0574-8140-a706-a00f40a05b94}\oemvista.inf
sig: Catalog = C:\Windows\System32\DriverStore\Temp\{39dce127-0574-8140-a706-a00f40a05b94}\tap0901.cat
! sig: Verifying file against specific (valid) catalog failed.
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 16:23:13.625
sig: {_VERIFY_FILE_SIGNATURE} 16:23:13.625
sig: Key = oemvista.inf
sig: FilePath = C:\Windows\System32\DriverStore\Temp\{39dce127-0574-8140-a706-a00f40a05b94}\oemvista.inf
sig: Catalog = C:\Windows\System32\DriverStore\Temp\{39dce127-0574-8140-a706-a00f40a05b94}\tap0901.cat
sig: Success: File is signed in Authenticode(tm) catalog.
sig: Error 0xe0000242: The publisher of an Authenticode(tm) signed catalog has not yet been established as trusted.
sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000242)} 16:23:13.750
! sig: Driver package signer is unknown, but user trusts signer.
sto: {DRIVERSTORE IMPORT VALIDATE: exit(0x00000000)} 16:23:16.110
sig: Signer Score = 0x0F000000
sig: Signer Name = OpenVPN Technologies, Inc.
sto: {DRIVERSTORE IMPORT BEGIN} 16:23:16.110
sto: {DRIVERSTORE IMPORT BEGIN: exit(0x00000000)} 16:23:16.110
cpy: {Copy Directory: C:\Windows\System32\DriverStore\Temp\{39dce127-0574-8140-a706-a00f40a05b94}} 16:23:16.110
cpy: Target Path = C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_98fc017a6cec15eb
cpy: {Copy Directory: exit(0x00000000)} 16:23:16.110
idb: {Register Driver Package: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_98fc017a6cec15eb\oemvista.inf} 16:23:16.125
idb: Created driver package object 'oemvista.inf_amd64_98fc017a6cec15eb' in DRIVERS database node.
idb: Created driver INF file object 'oem32.inf' in DRIVERS database node.
idb: Registered driver package 'oemvista.inf_amd64_98fc017a6cec15eb' with 'oem32.inf'.
idb: {Register Driver Package: exit(0x00000000)} 16:23:16.125
idb: {Publish Driver Package: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_98fc017a6cec15eb\oemvista.inf} 16:23:16.125
idb: Activating driver package 'oemvista.inf_amd64_98fc017a6cec15eb'.
cpy: Published 'oemvista.inf_amd64_98fc017a6cec15eb\oemvista.inf' to 'oem32.inf'.
idb: Indexed 3 device IDs for 'oemvista.inf_amd64_98fc017a6cec15eb'.
sto: Flushed driver database node 'DRIVERS'. Time = 15 ms
sto: Flushed driver database node 'SYSTEM'. Time = 0 ms
idb: {Publish Driver Package: exit(0x00000000)} 16:23:16.172
sto: {DRIVERSTORE IMPORT END} 16:23:16.172
dvi: Flushed all driver package files to disk. Time = 15 ms
sig: Installed catalog 'tap0901.cat' as 'oem32.cat'.
sto: {DRIVERSTORE IMPORT END: exit(0x00000000)} 16:23:16.313
sto: {Stage Driver Package: exit(0x00000000)} 16:23:16.313
sto: {Setup Import Driver Package - exit (0x00000000)} 16:23:16.328
dvi: Searching for hardware ID(s):
dvi: tap0901
dvi: Class GUID of device changed to: {4d36e972-e325-11ce-bfc1-08002be10318}.
dvi: {Plug and Play Service: Device Install for ROOT\NET\0000}
dvi: Driver INF Path: C:\Windows\INF\oem32.inf
dvi: Driver Node Name: oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.22:tap0901,
dvi: Driver Store Path: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_98fc017a6cec15eb\oemvista.inf
dvi: Searching for hardware ID(s):
dvi: tap0901
dvi: Class GUID of device changed to: {4d36e972-e325-11ce-bfc1-08002be10318}.
dvi: {Core Device Install} 16:23:16.406
dvi: {Install Device - ROOT\NET\0000} 16:23:16.406
dvi: Device Status: 0x01802001, Problem: 0x0 (0x00000000)
dvi: Parent device: HTREE\ROOT\0
dvi: {Configure Device - ROOT\NET\0000} 16:23:16.422
dvi: Device Status: 0x01802001, Problem: 0x0 (0x00000000)
dvi: Parent device: HTREE\ROOT\0
sto: {Configure Driver Package: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_98fc017a6cec15eb\oemvista.inf}
sto: Source Filter = tap0901
inf: Class GUID = {4d36e972-e325-11ce-bfc1-08002be10318}
inf: Class Options = Configurable
inf: {Configure Driver: TAP-Windows Adapter V9}
inf: Section Name = tap0901.ndi
inf: {Add Service: tap0901}
inf: Start Type = 3
inf: Service Type = 1
inf: Error Control = 1
inf: Image Path = \SystemRoot\System32\drivers\tap0901.sys
inf: Display Name = TAP-Windows Adapter V9
inf: Group = NDIS
inf: Updated service 'tap0901'.
inf: {Add Service: exit(0x00000000)}
inf: Hardware Id = tap0901
inf: {Configure Driver Configuration: tap0901.ndi}
inf: Service Name = tap0901
inf: Config Flags = 0x00000000
inf: {Configure Driver Configuration: exit(0x00000000)}
inf: {Configure Driver: exit(0x00000000)}
flq: Copying 'C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_98fc017a6cec15eb\tap0901.sys' to 'C:\Windows\System32\drivers\tap0901.sys'.
dvi: Existing files modified, may need to restart related services.
sto: {Configure Driver Package: exit(0x00000bc3)}
dvi: Restart required for any devices using this driver.
dvi: Install Device: Configuring device (oem32.inf:tap0901,tap0901.ndi). 16:23:16.500
dvi: Install Device: Configuring device completed. 16:23:16.500
dvi: Device Status: 0x01802001, Problem: 0x0 (0x00000000)
dvi: {Restarting Devices} 16:23:16.500
dvi: Start: ROOT\NET\0000
! dvi: Device pending start: Device has problem: 0x38 (CM_PROB_NEED_CLASS_CONFIG), problem status: 0x00000000.
dvi: {Restarting Devices exit} 16:23:16.531
dvi: {Configure Device - exit(0x00000000)} 16:23:16.531
dvi: Device Status: 0x01802401, Problem: 0x38
dvi: {Install Device - exit(0x00000000)} 16:23:16.547
dvi: {Core Device Install - exit(0x00000000)} 16:23:16.547
dvi: Waiting for device post-install to complete. 16:23:16.563
dvi: Device post-install completed. 16:23:16.735
! dvi: Device post-install problem: 0x34 (0xC0000428)
ump: {Plug and Play Service: Device Install exit(00000000)}
ndv: {Update Device Driver - exit(00000000)}
ndv: {Install Related Drivers} 16:23:16.766
ndv: {Install Related Drivers: exit(0x00000000)} 16:23:16.781
<<< Section end 2018/05/25 16:23:16.813
<<< [Exit status: SUCCESS]
The driver doesn't work and disappear or will get the Error code (yellow triangle) no matter what @crkinard is telling here. I tested it and it's reproducible on all my 1803 machines.
I posted the only working driver already here. It has something to do with Windows Defenders new protection mechanism and Secure Boot/UEFI, even if you disable WD it still starts it's bootstrapper driver and after some reboots, you get Code 52 again.
I don't think it's that simple.
I tried a couple of things.
I uninstalled everything (devices, drivers, programs), rebooted, tried to install http://build.openvpn.net/downloads/releases/tap-windows-9.22.1-I602.exe: driver error.
I uninstalled everything, rebooted, installed http://build.openvpn.net/downloads/releases/openvpn-install-2.4.6-I602.exe again (as I did yesterday): everything works and I'm able to connect.
In Windows Defender I have everything except Force randomization for images (mandatory ASLR) (since that screws up Git/Cygwin) enabled:
I agree it's not a simple solution as long it's wrong signed.
Regarding WD's own mechanism to check (and possibly verify drivers [it's not documented]). You can configure it or disable it but it still starts the driver unless you disable/remove it manually.
I was talking about the origin of the problem.
Your hypothesis is not holding, at least for me: Windows is loading the driver, the device is working, I'm able to establish a VPN connection. So it Works For Me™. At the moment.
The driver signature is either always valid or always invalid, it can't be valid for some people and not for others or work fine for hours/days and then suddenly stop working, unless there's something else at play. Is this caused by specific settings? Security suites? Aliens? I don't know.
Hi,
On Fri, May 25, 2018 at 07:44:43AM -0700, CHEF-KOCH wrote:
I have some serious doubts if the developers can't even properly sign the driver how insecure the code is,
Thanks for your trusting words.
last I've seen there wasn't any code audit or review.
Actually, the driver quality is fairly good, which is why we did not have to bother with the recent changes from Microsoft. Our signing process worked fine to the early Win10 versions - and we did not need to release new stuff, because no bugs were found (until recently).
This is really shocking and one update in a year or so is not enough to keep up with MS changes.
If there is nothing to change, there is no need to do updates.
gert
-- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
Hi,
On Fri, May 25, 2018 at 08:17:32AM -0700, Albireo wrote:
The driver signature is either always valid or always invalid, it can't be valid for some people and not for others or work fine for hours/days and then suddenly stop working, unless there's something else at play. Is this caused by specific settings? Security suites? Aliens? I don't know.
The signature is valid (as in: the code matches the checksum that the signature attests). But the windows driver requirements have changed, and a normal "full blast EV sha256 code signing certificate" is no longer good enough for Win10/current - the signature is still good, but windows wants a more strongly trusted certificate.
Which we're working on.
gert
-- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]