Hi,

On 06/09/2016 17:22, Jose Alf. wrote:
>
> On Tue, 6 Sep 2016 09:34:33 +0200, Gert Doering wrote:
>
> Could you share how you do the silent install / silent update?  Is this
> using wpkg, or something else?
>
> We don't use wpkg, but we take advantage of the same technique they use
> to avoid the Security Confirmation prompt when the driver is being
> installed. This is the same solution reported by Jason Haar in this thread.
>
> However, right now, the story is a bit more complicated. I notice that
> the cabinet file have two signatures, one is the old SHA1 signature that
> expired on Sept 2nd, 2016 and there is a new SHA2 certificate that will
> expire Feb 13, 2019. In my test, I found I had to preload BOTH
> certificates to get rid of the prompt... I only tested on Windows 7 and
> I also had to install 2 patches (KB2921916 and kb3033929). This is
> related to the planned deprecation of SHA1. See
> http://www.migee.com/2010/09/24/solution-for-unattendedsilent-installs-and-would-you-like-to-install-this-device-software/
>
> I also checked the tap-windows included in the OpenVPN-NL distribution
> and it also has two signatures by Fox It (one SHA1 with an expired
> certificate and the other SHA2 with a current one). Anyway, I will
> repeat the test on another machine to make sure the behavior is consistent.

The current tap-windows6 driver indeed has two signatures, the first one 
being SHA1 and the second one being SHA2. Both signatures have 
timestamps, so Windows should accept them just fine after the 
certificate has expired. Of course the certificate expiration and/or 
SHA1 deprecation could trigger the prompts you're seeing.

The SHA1 signature is/was needed to support Windows Vista. It was 
created using a normal (non-EV) kernel-mode Authenticode certificate.

The SHA2 signature has been created using an Extended Validation (EV) 
dongle, as anything less would get rejected by later versions of Windows 10.

We now have a new non-EV certificate that replaces the one that expired 
on 3rd September. However, it can only be used to generate SHA2 
signatures, so the next release of tap-windows6 will only have the SHA2 
EV signature and will not work on Windows Vista or Windows 7 
installations that do not have SHA2 support. Therefore I'm inclined to 
just let things be as they are for the time being. If the SHA1 signature 
starts causing issues for non-enterprise users[*] then we obviously need 
to remove it.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

[*] Meaning: users who cannot be expected to be able to work around the 
issues they encounter.
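As an added illustration (not code from the thread or from the OpenVPN project) of the "preload the publisher certificate" technique discussed above, the following PowerShell script checks a driver package's Authenticode signature, accepts an expired signer certificate only when the signature is timestamped, and optionally stages the leaf publisher certificate in the machine TrustedPublisher store. The file path is a placeholder; note that Get-AuthenticodeSignature only reports the primary signature, so the certificate behind a second (dual) signature has to be exported separately, for example with signtool.

```powershell
# Added example, not from the mailing-list thread. Run elevated on the target machine.
param(
    [string]$Path = 'C:\placeholder\tap-windows6\tap0901.cat',  # placeholder path
    [switch]$Import
)

$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    throw "Signature on $Path is $($sig.Status): $($sig.StatusMessage)"
}
$cert = $sig.SignerCertificate
$timestamped = [bool]$sig.TimeStamperCertificate

# A signing certificate that has since expired is still fine when the signature
# carries a trusted timestamp; an untimestamped signature from an expired cert is not.
if ($cert.NotAfter -lt (Get-Date) -and -not $timestamped) {
    throw "Signer certificate expired $($cert.NotAfter) and the signature is not timestamped"
}

[pscustomobject]@{
    Subject     = $cert.Subject
    Thumbprint  = $cert.Thumbprint
    NotAfter    = $cert.NotAfter
    Timestamped = $timestamped
} | Format-List

if ($Import) {
    # Trust only this publisher's leaf certificate; no CA or root trust is added.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'LocalMachine')
    $store.Open('ReadWrite')
    $already = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
    if ($already.Count -eq 0) {
        $store.Add($cert)
    }
    $store.Close()
}
```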

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
