Cannot do unattended installation, Trusted Publishers not enough
luizluca opened this issue · 6 comments
Hello,
I'm trying to install openvpn-2.4.7 (with TAP 9.23.3.601) completely unattended. However, tap driver installation always asks for confirmation.
I have the "OpenVPN Inc." certificate (valid from 2019/02/12) imported into "Trusted Publishers". However, Win7 still asks me to trust the driver every time I run add-tap.bat. If I manually install the driver from Device Manager, the behavior is the same.
If I mark "Always trust software from 'OpenVPN Inc.'", I get the certificate in "Trusted Publishers". If I uninstall the driver but leave "Trusted Publishers" untouched and run addtap.bat again, Win7 asks me again to trust the same driver. It looks like Win7 cannot check the signature even with the certificate imported.
I tried to import the whole trust chain (DigiCert Root CA and DigiCert EV Code Signing CA) into each certificate container and also all together into "Trusted Publishers". Nothing made the tap-windows driver be accepted without confirmation when I run add-tap.bat (after the driver was uninstalled).
I noticed that when I ask Windows to trust 'OpenVPN Inc.', it includes the certificate in "Trusted Publishers". However, if I check it in certmgr, Windows cannot validate it as it does not have the intermediate CA (DigiCert EV Code Signing CA) imported. Is this expected? Should importing the code signer be enough, or should it also include the intermediate CA?
What else might be wrong?
Is your Windows 7 instance (badly) behind in Windows updates? We recently had a similar problem because Windows' out-of-the-box intermediate CAs had not been updated in ages.
@mattock, I'll double-check Windows Update (it should be updated).
Anyway, I manually added DigiCert Root CA and DigiCert EV Code Signing CA into each certificate container. It should be enough. Maybe it is missing another update.
This is a well-known behaviour of Windows 7 when the driver is not SHA-1 signed but SHA-256.
Try applying KB2921916 manually. This update is not pushed by Windows Update and needs to be applied manually.
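A quick way to check, on the affected host, the three things this thread turns on (whether KB2921916 is present, what the host makes of the driver's Authenticode signature, and whether the signer and its issuing CA are actually in the machine stores). This is an added diagnostic script, not code from the thread or from the tap-windows project; the driver path is a placeholder you must adjust.

```powershell
# Added example: diagnose why a SHA-256-signed driver still prompts on Windows 7.
# $DriverFile is a placeholder (assumption); point it at the extracted tap-windows .sys/.cat file.
param(
    [string]$DriverFile = "C:\path\to\tap0901.sys"
)

# 1. KB2921916 adds SHA-256 code-signing support to Windows 7; without it the
#    driver's signature cannot be validated and Trusted Publishers never helps.
$kb = Get-HotFix -Id KB2921916 -ErrorAction SilentlyContinue
if ($kb) {
    "KB2921916 installed on $($kb.InstalledOn)"
} else {
    "KB2921916 NOT installed: SHA-256-signed drivers will keep prompting"
}

# 2. How this host evaluates the driver's Authenticode signature right now.
$sig = Get-AuthenticodeSignature -FilePath $DriverFile
"Signature status : $($sig.Status) - $($sig.StatusMessage)"

$signer = $sig.SignerCertificate
if ($signer) {
    "Signer subject   : $($signer.Subject)"
    "Signer thumbprint: $($signer.Thumbprint)"

    # 3. Is exactly this signing certificate (by thumbprint) in the machine-wide
    #    Trusted Publishers store? Per-user imports do not cover driver installs.
    $trusted = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Thumbprint -eq $signer.Thumbprint }
    if ($trusted) { "Signer IS in LocalMachine\TrustedPublisher" }
    else          { "Signer is NOT in LocalMachine\TrustedPublisher" }

    # 4. Can the chain be built? Look for the issuing (intermediate) CA in the
    #    machine Intermediate Certification Authorities store. Plain string
    #    compare of distinguished names; good enough for a manual check.
    $issuer = Get-ChildItem Cert:\LocalMachine\CA |
        Where-Object { $_.Subject -eq $signer.Issuer }
    if ($issuer) { "Issuer present in LocalMachine\CA: $($issuer.Subject)" }
    else         { "Issuer NOT present in LocalMachine\CA: $($signer.Issuer)" }
}
```

If step 1 reports the update missing while steps 3 and 4 look correct, the stores are not the problem and only the update will stop the prompt.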
KB2921916 fixed the issue. Thanks @rozmansi! The problem is that KB2921916 is not published by Microsoft anymore. I needed to get it from other "alternative" sites.
I guess that OpenVPN does not have a valid certificate to sign using SHA-1 anymore (at least until Win7 EOL). It would be ideal to have it double signed (if it could fix the issue).
@luizluca we are unable to sign with SHA-1. What are the alternative sources for KB2921916?