I am an OpenVPN user that is leveraging Windows Defender Application Control (WDAC) on the Windows 10 and Windows 11 workstations that I manage. This WDAC policy requires that all the binaries that are used are whitelisted (based on Code Signing Cert) and while installing the latest installer mentioned in the subject, it turned out that:
- Yes, the mail installer openvpn-connect-18.104.22.16862_signed.msi is signed (With an OpenVPN Inc. signing certificate).
- But... the MSI contains binaries and sub-msi installers that are not. During the installation, the main MSI invokes a secondary MSI from the %localappdata%\temp folder, which is not signed. This results in CodeIntegrity Event viewer (Application and Services Logs/Microsoft/Windows/CodeIntegrity/Operational) errors:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\msiexec.exe) attempted to load \Device\HarddiskVolume3\Users\<name>\AppData\Local\Temp\MSI2895.tmp that did not meet the Enterprise signing level requirements.
And further into the installation, the ovpnconnect exe binary is also blocked because it is not signed:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\msiexec.exe) attempted to load \Device\HarddiskVolume3\Program Files\OpenVPN Connect\agent_ovpnconnect_1636713844149.exe that did not meet the Enterprise signing level requirements.
Since OpenVPN is already in the possession of an EV Code Signing cert, could I suggest that ALL the binaries in the MSI and all the binaries contained therein can be signed with that cert? That would make the OpenVPN client installer useable in situations where App Control is in place.
Official client software for OpenVPN Access Server and OpenVPN Cloud.
1 post • Page 1 of 1
- OpenVpn Newbie
- Posts: 1
- Joined: Thu Dec 02, 2021 4:04 pm