Page 1 of 1
TAP-Windows Adapter "cannot verify signature" (Code 52)
Posted: Thu Dec 09, 2021 8:47 pm
by rsk
I downloaded and installed
Code: Select all
openvpn-connect-3.3.3.2562_signed.msi
on a Windoze 7 (64-bit) desktop.
The
TAP-Windows Adapter V9 for OpenVPN Connect shows up in the Device manager with a warning symbol and the status notation
Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)
The signature verification log also shows this:
Code: Select all
tap_ovpnconnect.sys 11/12/2021 9.24.2.601 Not Signed N/A
However, in the Powershell, I see this when I run
Get-AuthenticodeSignature .\tap_ovpnconnect.cat in the
drivers\tap\amd64\win7 directory:
Code: Select all
SignerCertificate Status Path
----------------- ------ ----
478646B53E3F991A02E8A04D36B178DB1AFFF851 Valid tap_ovpnconnect.cat
And if I "run"
from a command line, up pops a window which suggests that everything is in order.
After searching this forum for answers, I see this is a perennial problem that goes back a long ways, but I cannot find any very recent instructions on how to correct the difficulty.
I've installed openvpn connect on other machines, even under Windows XP, and just the other day, had no difficulty installing and running the Android version on a new phone.
I'd be grateful for some guidance.
Re: TAP-Windows Adapter "cannot verify signature" (Code 52)
Posted: Fri Dec 10, 2021 1:34 am
by rsk
TinCanTech wrote: ↑Thu Dec 09, 2021 9:09 pm
rsk wrote: ↑Thu Dec 09, 2021 8:47 pm
on a Windoze 7 (64-bit) desktop
Make sure it is up to date with Micro-shaft, otherwise, it will not recognise the driver signing certificate.
At some point, I found a thread on this subject that pointed to a particular KB patch from them, but when I attempted to apply it, it said it wasn't applicable to my version.
I still don't quite understand how I can get past this and run OpenVPN on this machine, or just what I need to do to make the driver-signing certificate recognizable.
Re: TAP-Windows Adapter "cannot verify signature" (Code 52)
Posted: Sat Dec 11, 2021 9:52 pm
by openvpn_inc
Hello rsk,
Just to state this outright - Windows 7 is no longer supported by Microsoft. You should switch to an updated version.
With that out of the way, OpenVPN Connect v3.3.3 does work and install just fine on Windows 7. However there is an important thing to note about Windows 7. It did not originally start out supporting drivers with SHA2 signed certificates. Microsoft eventually switched from SHA1 to SHA2 and brought out updates for Windows 7 to add that support. If your system doesn't have that, then it can't verify the driver.
This page on the Microsoft website explains more about this
https://support.microsoft.com/en-us/top ... a4cde8e64f
I can report that when I tried it just now on Windows 7 Home Premium Server Pack 1 64 bit OS, it installed correctly. There was a popup asking me if I wanted to install the driver, and I clicked install, and now it is installed and working. When I look up the driver in device management it shows up as working correctly. I attached a screenshot as proof.
I advise that you upgrade to an operating system that is actually supported today for security updates. Windows 7 no longer is getting updates. If you insist on sticking with Windows 7 then I can at least advise you that, yes, it still works. However, you may need to figure out which updates you're missing to get the necessary support for SHA2 signed drivers in your Windows 7 installation. Or figure out what's wrong in your OS that's preventing things from being verified correctly.
Kind regards,
Johan
Re: TAP-Windows Adapter "cannot verify signature" (Code 52)
Posted: Sun Dec 12, 2021 8:20 pm
by rsk
Yes, now that I understand the difficulty is that my present system cannot verify using the SHA-2 algorithm, I located the update, and will let you know after install and restart.
Thank you for taking the time and trouble to explain what is the matter so clearly.
Re: TAP-Windows Adapter "cannot verify signature" (Code 52)
Posted: Mon Dec 13, 2021 12:34 am
by rsk
openvpn_inc wrote: ↑Sat Dec 11, 2021 9:52 pm
. . . OpenVPN Connect v3.3.3 does work and install just fine on Windows 7. However there is an important thing to note about Windows 7. It did not originally start out supporting drivers with SHA2 signed certificates. Microsoft eventually switched from SHA1 to SHA2 and brought out updates for Windows 7 to add that support. If your system doesn't have that, then it can't verify the driver.
This page on the Microsoft website explains more about this
https://support.microsoft.com/en-us/top ... a4cde8e64f
. . .
Kind regards,
Johan
Thank you, Johan, that guidance got to me to the update patch which I needed to apply, specifically, for my system:
Security Update for Windows 7 for x64-based Systems (KB4474419)
windows6.1-kb4474419-v3-x64_b5614c6cea5cb4e198717789633dca16308ef79c.msu
I uninstalled the TAP-Windows Adapter, applied the patch, rebooted, and re-ran the OpenVPN Connect installation, chose the "repair" option, and as you said, it installed just fine, and OpenVPN Connect is now operating as expected (although I still need to configure it to use an appropriate DNS server, as it seems unable to locate certain sites--but that's a different problem altogether.
Once again thank you very much for responding thoroughly to my naive inquiry, and pointing me toward what I needed to do. You got me past the problem and I'm up and running.
Re: TAP-Windows Adapter "cannot verify signature" (Code 52)
Posted: Fri Apr 01, 2022 11:18 am
by ivan.p
Hello,
I have the same problem on Windows 7 x64. The question is why SHA1 hash for tap_ovpnconnect.sys file in the catalog is wrong?
Here's the list of files extracted from MSI (latest openvpn-connect-3.3.6.2752_signed.msi ):
Tha CAT file signature is fine. You can see that CAT file contains 2 hashes:
INF - 4EA7EFACF8D968C662F43AE4723A816B53293EBC
SYS - 58CCFDF3B3A9D56CFEB36658AAEEB83220FD8A03
As you can see in the picture above, the actual SHA1 hash for INF-file is the same, but for SYS file it is different.
It's 3CE2079895230254E1627D435365ACD3CC3E440E (and that is the hash of tap_ovpnconnect.sys located in c:\windows\system\drivers after installation)
So I believe the problem is not in that Win7 doesn't have an update for SHA256 hashes, but in that SYS-file in the distribution doesn't correspond the CAT-file.
Could someone look into this issue?
Re: TAP-Windows Adapter "cannot verify signature" (Code 52)
Posted: Fri Apr 01, 2022 6:15 pm
by ivan.p
Ahhh, my bad. Before calculating hash for driver I need to exlude PE checksum and PE certificate table reference. After doing that hashes matched.
But in this case I don't understand why it doesn't work: I have a plenty of unsigned sys-files in my win 7, and they do work. Maybe the timestamp of signing matters