Cannot do unattended installation, Trusted Publishers not enough

Question

Cannot do unattended installation, Trusted Publishers not enough

luizluca opened this issue 5 years ago · comments

Luiz Angelo Daros de Luca commented 5 years ago

Hello,

I'm trying to install openvpn-2.4.7 (with TAP 9.23.3.601) completely unattended. However, tap driver installation always asks for confirmation.

I have "OpenVPN Inc." certificate (valid from 2019/02/12) imported into "Trusted Publishers". However, win7 still asks me to trusts the driver every time I run add-tap.bat. If I manually install the driver from device manager, the behavior is the same.

If I mark to "Always trust software from 'OpenVPN Inc.'", I got the certificate into "Trusted Publishers". If I uninstall the driver but leave "Trusted Publishers" untouched and run addtap.bat again, win7 asks me again to trusts the same driver. It looks like win7 cannot check the signature even with the certificate imported.

I tried to import all Trust chain (DigiCert Root CA and DigiCert EV Code Signing CA) into each certificate container and also all together into "Trusted Publishers". Nothing made tap-windows driver be accepted without confirmation when I run add-tap.bat (after the driver was uninstalled).

I noticed that when I asks windows to trust 'OpenVPN Inc.', it included the certificate in the "Trusted Publishers". However, if I check it in certmgr, windows cannot validate it as it does not have the the intermediate CA (DigiCert EV Code Signing CA) imported. Is it expected? Importing the code signer be enough or should it also include intermediate CA?

What else might be wrong?

Samuli Seppänen · Answer 1 · Wed Jun 26 2019 13:21:37 GMT+0800 (China Standard Time)

Is you Windows 7 instance (badly) behind in Windows updates? We recently had a similar problem because Windows' out-of-the-box intermediate CAs had not been updated in ages.

Luiz Angelo Daros de Luca · Answer 2 · Wed Jun 26 2019 14:30:31 GMT+0800 (China Standard Time)

@mattock , I'll double check windows update (it should be updated).
Anyway, I manually added DigiCert Root CA and DigiCert EV Code Signing CA into each certificate container. It should be enough. Maybe it is missing another update.

Simon Rozman · Answer 3 · Thu Jul 04 2019 21:28:20 GMT+0800 (China Standard Time)

This is a well-known behaviour of Windows 7 when the driver is not SHA-1 signed but SHA-256.

Try applying KB2921916 manually. This update is not pushed by Windows Update and needs to be applied manually.

Luiz Angelo Daros de Luca · Answer 4 · Sat Jul 06 2019 10:48:02 GMT+0800 (China Standard Time)

Try applying KB2921916 manually. This update is not pushed by Windows Update and needs to be applied manually.

KB2921916 fixed the issue. Thanks @rozmansi! The problem is that KB2921916 is not published by Microsoft anymore. I needed to get it from other "alternative" sites.

I guess that OpenVPN does not have a valid certificate to sign using SHA-1 anymore (at least until Win7 EOL). It would be ideal to have it double signed (if it could fix the issue).

Samuli Seppänen · Answer 5 · Thu Jul 11 2019 15:37:14 GMT+0800 (China Standard Time)

@luizluca we are unable to sign with SHA-1. What are the alternative sources for KB2921916?

Luiz Angelo Daros de Luca · Answer 6 · Fri Jul 12 2019 07:24:44 GMT+0800 (China Standard Time)

@luizluca we are unable to sign with SHA-1. What are the alternative sources for KB2921916?

Google ;-)

http://thehotfixshare.net/board/index.php?showtopic=21214