Hi,

On 06/09/2016 17:22, Jose Alf. wrote:
>
> On Tue, 6 Sep 2016 09:34:33 +0200, Gert Doering wrote:
>> Could you share how you do the silent install / silent update? Is this
>> using wpkg, or something else?
>
> We don't use wpkg, but we take advantage of the same technique they use
> to avoid the Security Confirmation prompt when the driver is being
> installed. This is the same solution reported by Jason Haar in this thread.
>
> However, right now, the story is a bit more complicated. I notice that
> the cabinet file have two signatures, one is the old SHA1 signature that
> expired on Sept 2nd, 2016 and there is a new SHA2 certificate that will
> expire Feb 13, 2019. In my test, I found I had to preload BOTH
> certificates to get rid of the prompt... I only tested on Windows 7 and
> I also had to install 2 patches (KB2921916 and KB3033929). This is
> related to the planned deprecation of SHA1. See
> http://www.migee.com/2010/09/24/solution-for-unattendedsilent-installs-and-would-you-like-to-install-this-device-software/
>
> I also checked the tap-windows included in the OpenVPN-NL distribution
> and it also has two signatures by Fox It (one SHA1 with an expired
> certificate and the other SHA2 with a current one). Anyway, I will
> repeat the test on another machine to make sure the behaviour is consistent.
The current tap-windows6 driver indeed has two signatures, the first one being SHA1 and the second one being SHA2. Both signatures have timestamps, so Windows should accept them just fine after the certificate has expired. Of course the certificate expiration and/or SHA1 deprecation could trigger the prompts you're seeing.

The SHA1 signature is/was needed to support Windows Vista. It was created using a normal (non-EV) kernel-mode Authenticode certificate. The SHA2 signature has been created using an Extended Validation (EV) dongle, as anything less would get rejected by later versions of Windows 10.

We now have a new non-EV certificate that replaces the one that expired on 3rd September. However, it can only be used to generate SHA2 signatures, so the next release of tap-windows6 will only have the SHA2 EV signature and will not work on Windows Vista or Windows 7 installations that do not have SHA2 support.

Therefore I'm inclined to just let things be as they are for the time being. If the SHA1 signature starts causing issues for non-enterprise users[*] then we obviously need to remove it.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

[*] Meaning: users who cannot be expected to be able to work around the issues they encounter.

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
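The thread turns on three things an administrator has to check before a driver install runs unattended: whether the Windows 7 SHA-2 patches named above are present, whether the catalog's signature is timestamped (which is why Windows still accepts it after the signing certificate expired), and whether the signer is already in the machine's Trusted Publishers store (the missing trust is what produces the "Would you like to install this device software?" prompt). The PowerShell audit script below is an added example, not code from the thread or from the OpenVPN project; it assumes the default tap-windows install path `C:\Program Files\TAP-Windows\driver\tap0901.cat` and that `signtool.exe` from the Windows SDK is on `PATH`. Both assumptions are marked in the code.

```powershell
# Added example (not from the thread): audit the signing state of the
# tap-windows driver catalog and the prerequisites discussed above.
# Assumptions: default tap-windows install path; signtool.exe on PATH.

function Test-TapDriverSigning {
    [CmdletBinding()]
    param(
        # ASSUMPTION: default location of the tap-windows driver catalog
        [string]$CatalogPath = 'C:\Program Files\TAP-Windows\driver\tap0901.cat',
        # Patches named in the thread that add SHA-2 signing support to Windows 7
        [string[]]$RequiredHotfixes = @('KB2921916', 'KB3033929')
    )

    $result = [ordered]@{}

    # 1. SHA-2 support patches (relevant on Windows 7; reported, not enforced, elsewhere)
    $installed = Get-HotFix -Id $RequiredHotfixes -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    $result.MissingHotfixes = @($RequiredHotfixes | Where-Object { $installed -notcontains $_ })

    # 2. Primary Authenticode signature on the catalog. Get-AuthenticodeSignature
    #    reports only the primary signature of a dual-signed file, so the
    #    second (SHA-2) signature is listed separately with signtool in step 4.
    if (-not (Test-Path -LiteralPath $CatalogPath)) {
        throw "Catalog not found: $CatalogPath"
    }
    $sig = Get-AuthenticodeSignature -FilePath $CatalogPath
    $result.PrimaryStatus       = $sig.Status
    $result.PrimarySigner       = $sig.SignerCertificate.Subject
    $result.PrimaryCertExpires  = $sig.SignerCertificate.NotAfter
    # Algorithm the CA used to sign the signer certificate; only a hint.
    # The digest actually used for the file signature is shown by signtool /v.
    $result.SignerCertAlgorithm = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
    # A timestamp is what keeps a signature valid after the signing
    # certificate's NotAfter date, as the reply above explains.
    $result.PrimaryTimestamped  = ($null -ne $sig.TimeStamperCertificate)

    # 3. Is the signer already trusted by this machine? If not, the device
    #    software prompt appears during an otherwise silent install.
    $result.PublisherTrusted = [bool](Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Thumbprint -eq $sig.SignerCertificate.Thumbprint })

    # 4. Every signature (SHA-1 and SHA-2) with its digest and timestamp,
    #    when signtool.exe is available.
    $signtool = Get-Command signtool.exe -ErrorAction SilentlyContinue
    if ($signtool) {
        $result.AllSignatures = & $signtool.Source verify /v /all /pa $CatalogPath 2>&1
    } else {
        $result.AllSignatures = 'signtool.exe not found; install the Windows SDK to list both signatures'
    }

    [pscustomobject]$result
}

Test-TapDriverSigning | Format-List
```

Run it from an elevated PowerShell on the machine being deployed to. An empty `MissingHotfixes`, `PrimaryTimestamped` equal to `True` and `PublisherTrusted` equal to `True` is the state in which the install proceeds without the prompt; `PublisherTrusted` equal to `False` is the condition the certificate preloading described in the quoted message addresses, and the `AllSignatures` output shows whether both the SHA-1 and SHA-2 signers need to be trusted, as Jose found on Windows 7.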