TAP-Windows Adapter "cannot verify signature" (Code 52)

rsk
OpenVpn Newbie
Posts: 4
Joined: Thu Dec 09, 2021 8:31 pm

Post by rsk » Thu Dec 09, 2021 8:47 pm

I downloaded and installed openvpn-connect-3.3.3.2562_signed.msi on a Windoze 7 (64-bit) desktop.

The TAP-Windows Adapter V9 for OpenVPN Connect shows up in the Device Manager with a warning symbol and the status notation:

Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)

The signature verification log also shows this:

tap_ovpnconnect.sys      11/12/2021     9.24.2.601          Not Signed          N/A

However, in PowerShell, I see this when I run Get-AuthenticodeSignature .\tap_ovpnconnect.cat in the drivers\tap\amd64\win7 directory:

SignerCertificate                         Status                                                                                       Path
-----------------                         ------                                                                                       ----
478646B53E3F991A02E8A04D36B178DB1AFFF851  Valid                                                                                        tap_ovpnconnect.cat

And if I "run" tap_ovpnconnect.cat from a command line, up pops a window which suggests that everything is in order.

After searching this forum for answers, I see this is a perennial problem that goes back a long ways, but I cannot find any very recent instructions on how to correct the difficulty.

I've installed openvpn connect on other machines, even under Windows XP, and just the other day, had no difficulty installing and running the Android version on a new phone.

I'd be grateful for some guidance.

Re: TAP-Windows Adapter "cannot verify signature" (Code 52)

Post by rsk » Fri Dec 10, 2021 1:34 am

TinCanTech wrote: Thu Dec 09, 2021 9:09 pm
    rsk wrote: Thu Dec 09, 2021 8:47 pm
        on a Windoze 7 (64-bit) desktop
    Make sure it is up to date with Micro-shaft, otherwise, it will not recognise the driver signing certificate.

At some point, I found a thread on this subject that pointed to a particular KB patch from them, but when I attempted to apply it, it said it wasn't applicable to my version.

I still don't quite understand how I can get past this and run OpenVPN on this machine, or just what I need to do to make the driver-signing certificate recognizable.

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: TAP-Windows Adapter "cannot verify signature" (Code 52)

Post by openvpn_inc » Sat Dec 11, 2021 9:52 pm

Hello rsk,

Just to state this outright - Windows 7 is no longer supported by Microsoft. You should switch to an updated version.

With that out of the way, OpenVPN Connect v3.3.3 does work and install just fine on Windows 7. However there is an important thing to note about Windows 7. It did not originally start out supporting drivers with SHA2 signed certificates. Microsoft eventually switched from SHA1 to SHA2 and brought out updates for Windows 7 to add that support. If your system doesn't have that, then it can't verify the driver.

This page on the Microsoft website explains more about this https://support.microsoft.com/en-us/top ... a4cde8e64f

I can report that when I tried it just now on Windows 7 Home Premium Service Pack 1 64 bit OS, it installed correctly. There was a popup asking me if I wanted to install the driver, and I clicked install, and now it is installed and working. When I look up the driver in device management it shows up as working correctly. I attached a screenshot as proof.

I advise that you upgrade to an operating system that is actually supported today for security updates. Windows 7 no longer is getting updates. If you insist on sticking with Windows 7 then I can at least advise you that, yes, it still works. However, you may need to figure out which updates you're missing to get the necessary support for SHA2 signed drivers in your Windows 7 installation. Or figure out what's wrong in your OS that's preventing things from being verified correctly.

[Image: screenshot]

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Re: TAP-Windows Adapter "cannot verify signature" (Code 52)

Post by rsk » Sun Dec 12, 2021 8:20 pm

Yes, now that I understand the difficulty is that my present system cannot verify using the SHA-2 algorithm, I located the update, and will let you know after install and restart.

Thank you for taking the time and trouble to explain what is the matter so clearly.

Re: TAP-Windows Adapter "cannot verify signature" (Code 52)

Post by rsk » Mon Dec 13, 2021 12:34 am

openvpn_inc wrote: Sat Dec 11, 2021 9:52 pm
    . . . OpenVPN Connect v3.3.3 does work and install just fine on Windows 7. However there is an important thing to note about Windows 7. It did not originally start out supporting drivers with SHA2 signed certificates. Microsoft eventually switched from SHA1 to SHA2 and brought out updates for Windows 7 to add that support. If your system doesn't have that, then it can't verify the driver.

    This page on the Microsoft website explains more about this https://support.microsoft.com/en-us/top ... a4cde8e64f
    . . .
    Kind regards,
    Johan

Thank you, Johan, that guidance got me to the update patch which I needed to apply, specifically, for my system:

Security Update for Windows 7 for x64-based Systems (KB4474419)
windows6.1-kb4474419-v3-x64_b5614c6cea5cb4e198717789633dca16308ef79c.msu

I uninstalled the TAP-Windows Adapter, applied the patch, rebooted, and re-ran the OpenVPN Connect installation, chose the "repair" option, and as you said, it installed just fine, and OpenVPN Connect is now operating as expected (although I still need to configure it to use an appropriate DNS server, as it seems unable to locate certain sites--but that's a different problem altogether).

Once again thank you very much for responding thoroughly to my naive inquiry, and pointing me toward what I needed to do. You got me past the problem and I'm up and running.

ivan.p
OpenVpn Newbie
Posts: 5
Joined: Fri Apr 01, 2022 10:54 am

Re: TAP-Windows Adapter "cannot verify signature" (Code 52)

Post by ivan.p » Fri Apr 01, 2022 11:18 am

Hello,
I have the same problem on Windows 7 x64. The question is: why is the SHA1 hash for the tap_ovpnconnect.sys file in the catalog wrong?

Here's the list of files extracted from the MSI (latest openvpn-connect-3.3.6.2752_signed.msi):
[Image: list of files extracted from the MSI]

The CAT file signature is fine. You can see that the CAT file contains 2 hashes:
INF - 4EA7EFACF8D968C662F43AE4723A816B53293EBC
SYS - 58CCFDF3B3A9D56CFEB36658AAEEB83220FD8A03

As you can see in the picture above, the actual SHA1 hash for the INF file is the same, but for the SYS file it is different.
It's 3CE2079895230254E1627D435365ACD3CC3E440E (and that is the hash of tap_ovpnconnect.sys located in c:\windows\system\drivers after installation)

So I believe the problem is not that Win7 doesn't have an update for SHA256 hashes, but that the SYS file in the distribution doesn't correspond to the CAT file.

Could someone look into this issue?

Re: TAP-Windows Adapter "cannot verify signature" (Code 52)

Post by ivan.p » Fri Apr 01, 2022 6:15 pm

Ahhh, my bad. Before calculating the hash for the driver I need to exclude the PE checksum and the PE certificate table reference. After doing that, the hashes matched.

But in this case I don't understand why it doesn't work: I have plenty of unsigned sys-files in my Win 7, and they do work. Maybe the timestamp of signing matters.
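
The mismatch between a flat file hash and the hash stored in the catalog, discussed in the last two posts, can be reproduced offline. The following is an added example, not part of the thread and not OpenVPN's or Microsoft's code: it computes the digest a catalog records for a PE file by skipping the CheckSum field, the certificate-table directory entry and any appended signature. The function names and the constructed sample image are assumptions for illustration, and the file-layout handling is simplified as stated in the docstring.

```python
import hashlib
import struct

def authenticode_digest(pe: bytes, algo: str = "sha1") -> str:
    """Hash a PE image the way a .cat entry records it, not as a flat file.

    Simplification (assumption): sections are contiguous in file order and
    the certificate table, if any, is the last thing in the file.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]       # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24                                    # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    checksum = opt + 64                                  # CheckSum field, 4 bytes
    dirs = opt + (96 if magic == 0x10B else 112)         # data directories
    if struct.unpack_from("<I", pe, dirs - 4)[0] < 5:    # NumberOfRvaAndSizes
        raise ValueError("no certificate table directory entry")
    cert_entry = dirs + 4 * 8                            # entry 4, 8 bytes
    cert_off, cert_len = struct.unpack_from("<II", pe, cert_entry)
    end = cert_off if cert_off and cert_len else len(pe)
    h = hashlib.new(algo)
    for chunk in (pe[:checksum], pe[checksum + 4:cert_entry], pe[cert_entry + 8:end]):
        h.update(chunk)
    return h.hexdigest().upper()

def build_sample_pe(checksum: int = 0, signature: bytes = b"") -> bytes:
    """Constructed minimal PE32+ byte layout for the demo; not a real driver."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                # PE32+ magic
    struct.pack_into("<I", opt, 64, checksum)            # CheckSum
    struct.pack_into("<I", opt, 108, 16)                 # NumberOfRvaAndSizes
    body = b"constructed driver code" * 8
    if signature:                                        # point entry 4 at the blob
        struct.pack_into("<II", opt, 144, 64 + 24 + 240 + len(body), len(signature))
    return dos + coff + bytes(opt) + body + signature

if __name__ == "__main__":
    plain = build_sample_pe()
    signed = build_sample_pe(0x1234ABCD, b"constructed PKCS#7 blob")
    for name, pe in (("unsigned", plain), ("embedded-signed", signed)):
        print(name, hashlib.sha1(pe).hexdigest().upper(), authenticode_digest(pe))
```

The two flat SHA1 values differ while the catalog-style digests agree, so comparing a plain file hash of a .sys against the value in a .cat reports a mismatch even when the driver is intact.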
