New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Installer for 9.22.1 throws a signature error. #49

Open
crkinard opened this Issue Apr 25, 2018 · 44 comments

Comments

Projects
None yet
@crkinard

crkinard commented Apr 25, 2018

After installing 9.22.1 the adapter in device manager throws the following error.

Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)

Microsoft Windows 10 Enterprise 2016 LTSB
10.0.14393 Build 14393

Microsoft Windows 10 Pro
10.0.16299 Build 16299

@cron2

This comment has been minimized.

Contributor

cron2 commented Apr 25, 2018

@crkinard

This comment has been minimized.

crkinard commented Apr 25, 2018

Updated the initial post. Two machines.

The enterprise one is updated fully to WSUS settings so it MIGHT be missing something.
The pro machine updates directly with Microsoft and has all updates (check for updates says there are none).

I have a third I can try it on at home but its the same install as the pro machine and fully updated. Reloaded both pro machines in the last day so little is on them at the moment.

@cron2

This comment has been minimized.

Contributor

cron2 commented Apr 25, 2018

Win10 should certainly work (and did, in our tests).

We expected failures on old Win7 installs (due to SHA2 signatures not being supported yet), and Vista (for the same reasons).

@chipitsine

This comment has been minimized.

Contributor

chipitsine commented Apr 25, 2018

@RobertHerter

This comment has been minimized.

RobertHerter commented Apr 25, 2018

Win 10 Build 17134 same Problem.
Signature Error

@mattock

This comment has been minimized.

Member

mattock commented Apr 25, 2018

Please copy and paste the relevant part of C:\Windows\inf\setupapi.dev.log here. That will give more clues about the signature error.

@crkinard

This comment has been minimized.

crkinard commented Apr 25, 2018

Emptied the file and re-ran the installer. I think this is what you need.
setupapi.dev.log

@mattock

This comment has been minimized.

Member

mattock commented Apr 25, 2018

@crkinard can you confirm that the problem is not present in tap-windows-9.21.2.exe? Also please post setupapi.dev.log for that one here so that we can have a look at the difference.

@crkinard

This comment has been minimized.

crkinard commented Apr 25, 2018

2.21.2 worked.
setupapi.dev.log
capture

EDIT: Never mind what I had here last. I'm a gord. Didnt restart the service for OpenVPN that handles running admin level tasks after installing 2.21.2

@mattock

This comment has been minimized.

Member

mattock commented Apr 25, 2018

I will have a look at the setupapi.dev.log files tomorrow morning if all goes well.

@Ronny-N

This comment has been minimized.

Ronny-N commented Apr 26, 2018

I can confirm the same signature problem for 9.22.1 for Win 10 Pro 1709 (Build 16299.402).
Installing the driver 9.21.2 from @mattock did work fine.

@kappa7194

This comment has been minimized.

kappa7194 commented Apr 26, 2018

I have this problem too.

OS Name: Windows 10 Enterprise 2016 LTSB
OS Version: N/A Build 14393

Version 9.22.1 fails with CM_PROB_UNSIGNED_DRIVER error while version 9.21.2 works, although with some warnings.

9.22.1 install log:

>>>  [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901]
>>>  Section start 2018/04/26 11:34:42.566
      cmd: "C:\Program Files\TAP-Windows\bin\tapinstall.exe"  install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
     ndv: INF path: C:\Program Files\TAP-Windows\driver\OemVista.inf
     ndv: Install flags: 0x00000001
     ndv: {Update Device Driver - ROOT\NET\0000}
     ndv:      Search options: 0x00000080
     ndv:      Searching single INF 'C:\Program Files\TAP-Windows\driver\OemVista.inf'
     dvi:      {Build Driver List} 11:34:42.607
     dvi:           Searching for hardware ID(s):
     dvi:                tap0901
     dvi:           Created Driver Node:
     dvi:                HardwareID   - tap0901
     dvi:                InfName      - c:\program files\tap-windows\driver\oemvista.inf
     dvi:                DevDesc      - TAP-Windows Adapter V9
     dvi:                Section      - tap0901.ndi
     dvi:                Rank         - 0x00ff0000
     dvi:                Signer Score - Authenticode
     dvi:                DrvDate      - 04/15/2018
     dvi:                Version      - 9.0.0.22
     dvi:      {Build Driver List - exit(0x00000000)} 11:34:42.669
     dvi:      {DIF_SELECTBESTCOMPATDRV} 11:34:42.674
     dvi:           Default installer: Enter 11:34:42.681
     dvi:                {Select Best Driver}
     dvi:                     Class GUID of device changed to: {4d36e972-e325-11ce-bfc1-08002be10318}.
     dvi:                     Selected:
     dvi:                          Description - [TAP-Windows Adapter V9]
     dvi:                          InfFile     - [c:\program files\tap-windows\driver\oemvista.inf]
     dvi:                          Section     - [tap0901.ndi]
     dvi:                {Select Best Driver - exit(0x00000000)}
     dvi:           Default installer: Exit
     dvi:      {DIF_SELECTBESTCOMPATDRV - exit(0x00000000)} 11:34:42.726
     ndv:      Forcing driver install:
     ndv:           Inf Name       - oemvista.inf
     ndv:           Driver Date    - 04/15/2018
     ndv:           Driver Version - 9.0.0.22
     sto:      {Setup Import Driver Package: c:\program files\tap-windows\driver\oemvista.inf} 11:34:42.751
     sto:           Driver package already imported as 'oem24.inf'.
     sto:      {Setup Import Driver Package - exit (0x00000000)} 11:34:42.762
     dvi:      Searching for hardware ID(s):
     dvi:           tap0901
     dvi:      Class GUID of device changed to: {4d36e972-e325-11ce-bfc1-08002be10318}.
     dvi:      {Plug and Play Service: Device Install for ROOT\NET\0000}
     ndv:           Driver INF Path: C:\Windows\INF\oem24.inf
     ndv:           Driver Node Name: oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.22:tap0901
     ndv:           Driver Store Path: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_98fc017a6cec15eb\oemvista.inf
     dvi:           Searching for hardware ID(s):
     dvi:                tap0901
     dvi:           Class GUID of device changed to: {4d36e972-e325-11ce-bfc1-08002be10318}.
     ndv:           {Core Device Install} 11:34:42.803
     ndv:                {Install Device - ROOT\NET\0000} 11:34:42.805
     ndv:                     Parent device: HTREE\ROOT\0
     ndv:                     {Configure Device - ROOT\NET\0000} 11:34:42.811
     ndv:                          Parent device: HTREE\ROOT\0
     sto:                          {Configure Driver Package: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_98fc017a6cec15eb\oemvista.inf}
     sto:                               Source Filter  = tap0901
     inf:                               Class GUID     = {4d36e972-e325-11ce-bfc1-08002be10318}
     inf:                               Class Options  = Configurable
     inf:                               {Configure Driver: TAP-Windows Adapter V9}
     inf:                                    Section Name = tap0901.ndi
     inf:                                    {Add Service: tap0901}
     inf:                                         Start Type    = 3
     inf:                                         Service Type  = 1
     inf:                                         Error Control = 1
     inf:                                         Image Path    = \SystemRoot\System32\drivers\tap0901.sys
     inf:                                         Display Name  = TAP-Windows Adapter V9
     inf:                                         Group         = NDIS
     inf:                                         Updated service 'tap0901'.
     inf:                                    {Add Service: exit(0x00000000)}
     inf:                                    Hardware Id  = tap0901
     inf:                                    {Configure Driver Configuration: tap0901.ndi}
     inf:                                         Service Name  = tap0901
     inf:                                         Config Flags  = 0x00000000
     inf:                                    {Configure Driver Configuration: exit(0x00000000)}
     inf:                               {Configure Driver: exit(0x00000000)}
     flq:                               Copying 'C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_98fc017a6cec15eb\tap0901.sys' to 'C:\Windows\System32\drivers\tap0901.sys'.
     cpy:                               Existing file 'C:\Windows\System32\drivers\tap0901.sys' remains unchanged.
     sto:                          {Configure Driver Package: exit(0x00000000)}
     dvi:                          Install Device: Configuring device (oem24.inf:tap0901,tap0901.ndi). 11:34:42.857
     dvi:                          Install Device: Configuring device completed. 11:34:42.861
     dvi:                          Install Device: Starting device. 11:34:42.862
     dvi:                          Install Device: Starting device completed. 11:34:42.869
!!!  dvi:                          Device not started: Device has problem: 0x34 (CM_PROB_UNSIGNED_DRIVER), problem status: 0xc0000428.
     ndv:                     {Configure Device - exit(0x00000000)} 11:34:42.872
!    ndv:                     Queueing up error report since device has a PnP problem...
     ndv:                {Install Device - exit(0x00000000)} 11:34:42.997
     ndv:           {Core Device Install - exit(0x00000000)} 11:34:42.998
     ump:      {Plug and Play Service: Device Install exit(00000000)}
     ndv: {Update Device Driver - exit(00000000)}
<<<  Section end 2018/04/26 11:34:43.018
<<<  [Exit status: SUCCESS]

9.21.2 install log:

>>>  [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901]
>>>  Section start 2018/04/26 11:47:02.423
      cmd: "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
     ndv: INF path: C:\Program Files\TAP-Windows\driver\OemVista.inf
     ndv: Install flags: 0x00000001
     ndv: {Update Device Driver - ROOT\NET\0000}
     ndv:      Search options: 0x00000080
     ndv:      Searching single INF 'C:\Program Files\TAP-Windows\driver\OemVista.inf'
     dvi:      {Build Driver List} 11:47:02.464
     dvi:           Searching for hardware ID(s):
     dvi:                tap0901
     sig:           {_VERIFY_FILE_SIGNATURE} 11:47:02.557
     sig:                Key      = oemvista.inf
     sig:                FilePath = c:\program files\tap-windows\driver\oemvista.inf
     sig:                Catalog  = c:\program files\tap-windows\driver\tap0901.cat
!    sig:                Verifying file against specific (valid) catalog failed! (0x800b0109)
!    sig:                Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
     sig:           {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 11:47:02.619
     sig:           {_VERIFY_FILE_SIGNATURE} 11:47:02.624
     sig:                Key      = oemvista.inf
     sig:                FilePath = c:\program files\tap-windows\driver\oemvista.inf
     sig:                Catalog  = c:\program files\tap-windows\driver\tap0901.cat
     sig:                Success: File is signed in Authenticode(tm) catalog.
     sig:                Error 0xe0000242: The publisher of an Authenticode(tm) signed catalog has not yet been established as trusted.
     sig:           {_VERIFY_FILE_SIGNATURE exit(0xe0000242)} 11:47:02.676
     dvi:           Created Driver Node:
     dvi:                HardwareID   - tap0901
     dvi:                InfName      - c:\program files\tap-windows\driver\oemvista.inf
     dvi:                DevDesc      - TAP-Windows Adapter V9
     dvi:                Section      - tap0901.ndi
     dvi:                Rank         - 0x00ff0000
     dvi:                Signer Score - Authenticode
     dvi:                DrvDate      - 04/21/2016
     dvi:                Version      - 9.0.0.21
     dvi:      {Build Driver List - exit(0x00000000)} 11:47:02.725
     dvi:      {DIF_SELECTBESTCOMPATDRV} 11:47:02.731
     dvi:           Default installer: Enter 11:47:02.737
     dvi:                {Select Best Driver}
     dvi:                     Class GUID of device changed to: {4d36e972-e325-11ce-bfc1-08002be10318}.
     dvi:                     Selected:
     dvi:                          Description - [TAP-Windows Adapter V9]
     dvi:                          InfFile     - [c:\program files\tap-windows\driver\oemvista.inf]
     dvi:                          Section     - [tap0901.ndi]
     dvi:                {Select Best Driver - exit(0x00000000)}
     dvi:           Default installer: Exit
     dvi:      {DIF_SELECTBESTCOMPATDRV - exit(0x00000000)} 11:47:02.783
     ndv:      Forcing driver install:
     ndv:           Inf Name       - oemvista.inf
     ndv:           Driver Date    - 04/21/2016
     ndv:           Driver Version - 9.0.0.21
     sto:      {Setup Import Driver Package: c:\program files\tap-windows\driver\oemvista.inf} 11:47:02.808
     inf:           Provider: TAP-Windows Provider V9
     inf:           Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
     inf:           Driver Version: 04/21/2016,9.00.00.21
     inf:           Catalog File: tap0901.cat
     sto:           {Copy Driver Package: c:\program files\tap-windows\driver\oemvista.inf} 11:47:02.834
     sto:                Driver Package = c:\program files\tap-windows\driver\oemvista.inf
     sto:                Flags          = 0x00000007
     sto:                Destination    = C:\Users\MYUSER\AppData\Local\Temp\{fa165b75-b798-8a42-b752-354f99662d82}
     sto:                Copying driver package files to 'C:\Users\MYUSER\AppData\Local\Temp\{fa165b75-b798-8a42-b752-354f99662d82}'.
     flq:                Copying 'c:\program files\tap-windows\driver\oemvista.inf' to 'C:\Users\MYUSER\AppData\Local\Temp\{fa165b75-b798-8a42-b752-354f99662d82}\oemvista.inf'.
     flq:                Copying 'c:\program files\tap-windows\driver\tap0901.cat' to 'C:\Users\MYUSER\AppData\Local\Temp\{fa165b75-b798-8a42-b752-354f99662d82}\tap0901.cat'.
     flq:                Copying 'c:\program files\tap-windows\driver\tap0901.sys' to 'C:\Users\MYUSER\AppData\Local\Temp\{fa165b75-b798-8a42-b752-354f99662d82}\tap0901.sys'.
     sto:           {Copy Driver Package: exit(0x00000000)} 11:47:02.887
     pol:           {Driver package policy check} 11:47:02.918
     pol:           {Driver package policy check - exit(0x00000000)} 11:47:02.919
     sto:           {Stage Driver Package: C:\Users\MYUSER\AppData\Local\Temp\{fa165b75-b798-8a42-b752-354f99662d82}\oemvista.inf} 11:47:02.920
     inf:                {Query Configurability: C:\Users\MYUSER\AppData\Local\Temp\{fa165b75-b798-8a42-b752-354f99662d82}\oemvista.inf} 11:47:02.924
     inf:                     Driver package 'oemvista.inf' is configurable.
     inf:                {Query Configurability: exit(0x00000000)} 11:47:02.927
     flq:                Copying 'C:\Users\MYUSER\AppData\Local\Temp\{fa165b75-b798-8a42-b752-354f99662d82}\oemvista.inf' to 'C:\Windows\System32\DriverStore\Temp\{5d879624-c75f-be48-9c56-f83ce75e10d1}\oemvista.inf'.
     flq:                Copying 'C:\Users\MYUSER\AppData\Local\Temp\{fa165b75-b798-8a42-b752-354f99662d82}\tap0901.cat' to 'C:\Windows\System32\DriverStore\Temp\{5d879624-c75f-be48-9c56-f83ce75e10d1}\tap0901.cat'.
     flq:                Copying 'C:\Users\MYUSER\AppData\Local\Temp\{fa165b75-b798-8a42-b752-354f99662d82}\tap0901.sys' to 'C:\Windows\System32\DriverStore\Temp\{5d879624-c75f-be48-9c56-f83ce75e10d1}\tap0901.sys'.
     sto:                {DRIVERSTORE IMPORT VALIDATE} 11:47:02.955
     sig:                     {_VERIFY_FILE_SIGNATURE} 11:47:02.980
     sig:                          Key      = oemvista.inf
     sig:                          FilePath = C:\Windows\System32\DriverStore\Temp\{5d879624-c75f-be48-9c56-f83ce75e10d1}\oemvista.inf
     sig:                          Catalog  = C:\Windows\System32\DriverStore\Temp\{5d879624-c75f-be48-9c56-f83ce75e10d1}\tap0901.cat
!    sig:                          Verifying file against specific (valid) catalog failed! (0x800b0109)
!    sig:                          Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
     sig:                     {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 11:47:02.999
     sig:                     {_VERIFY_FILE_SIGNATURE} 11:47:02.999
     sig:                          Key      = oemvista.inf
     sig:                          FilePath = C:\Windows\System32\DriverStore\Temp\{5d879624-c75f-be48-9c56-f83ce75e10d1}\oemvista.inf
     sig:                          Catalog  = C:\Windows\System32\DriverStore\Temp\{5d879624-c75f-be48-9c56-f83ce75e10d1}\tap0901.cat
     sig:                          Success: File is signed in Authenticode(tm) catalog.
     sig:                          Error 0xe0000242: The publisher of an Authenticode(tm) signed catalog has not yet been established as trusted.
     sig:                     {_VERIFY_FILE_SIGNATURE exit(0xe0000242)} 11:47:03.026
!    sig:                     Driver package signer is unknown, but user trusts signer.
     sto:                {DRIVERSTORE IMPORT VALIDATE: exit(0x00000000)} 11:47:06.237
     sig:                Signer Score = 0x0F000000
     sig:                Signer Name  = OpenVPN Technologies, Inc.
     sto:                {DRIVERSTORE IMPORT BEGIN} 11:47:06.240
     sto:                {DRIVERSTORE IMPORT BEGIN: exit(0x00000000)} 11:47:06.241
     cpy:                {Copy Directory: C:\Windows\System32\DriverStore\Temp\{5d879624-c75f-be48-9c56-f83ce75e10d1}} 11:47:06.242
     cpy:                     Target Path = C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28
     cpy:                {Copy Directory: exit(0x00000000)} 11:47:06.244
     idb:                {Register Driver Package: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf} 11:47:06.246
     idb:                     Created driver package object 'oemvista.inf_amd64_a572b7f20c402d28' in DRIVERS database node.
     idb:                     Created driver INF file object 'oem24.inf' in DRIVERS database node.
     idb:                     Registered driver package 'oemvista.inf_amd64_a572b7f20c402d28' with 'oem24.inf'.
     idb:                {Register Driver Package: exit(0x00000000)} 11:47:06.251
     idb:                {Publish Driver Package: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf} 11:47:06.252
     idb:                     Activating driver package 'oemvista.inf_amd64_a572b7f20c402d28'.
     cpy:                     Published 'oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf' to 'oem24.inf'.
     idb:                     Indexed 3 device IDs for 'oemvista.inf_amd64_a572b7f20c402d28'.
     sto:                     Flushed driver database node 'DRIVERS'. Time = 0 ms
     sto:                     Flushed driver database node 'SYSTEM'. Time = 0 ms
     idb:                {Publish Driver Package: exit(0x00000000)} 11:47:06.269
     sto:                {DRIVERSTORE IMPORT END} 11:47:06.271
     dvi:                     Flushed all driver package files to disk. Time = 0 ms
     sig:                     Installed catalog 'tap0901.cat' as 'oem24.cat'.
     sto:                {DRIVERSTORE IMPORT END: exit(0x00000000)} 11:47:06.291
     sto:           {Stage Driver Package: exit(0x00000000)} 11:47:06.293
     sto:      {Setup Import Driver Package - exit (0x00000000)} 11:47:06.307
     dvi:      Searching for hardware ID(s):
     dvi:           tap0901
     dvi:      Class GUID of device changed to: {4d36e972-e325-11ce-bfc1-08002be10318}.
     dvi:      {Plug and Play Service: Device Install for ROOT\NET\0000}
     ndv:           Driver INF Path: C:\Windows\INF\oem24.inf
     ndv:           Driver Node Name: oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901
     ndv:           Driver Store Path: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf
     dvi:           Searching for hardware ID(s):
     dvi:                tap0901
     dvi:           Class GUID of device changed to: {4d36e972-e325-11ce-bfc1-08002be10318}.
     ndv:           {Core Device Install} 11:47:06.351
     ndv:                {Install Device - ROOT\NET\0000} 11:47:06.353
     ndv:                     Parent device: HTREE\ROOT\0
     ndv:                     {Configure Device - ROOT\NET\0000} 11:47:06.359
     ndv:                          Parent device: HTREE\ROOT\0
     sto:                          {Configure Driver Package: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf}
     sto:                               Source Filter  = tap0901
     inf:                               Class GUID     = {4d36e972-e325-11ce-bfc1-08002be10318}
     inf:                               Class Options  = Configurable
     inf:                               {Configure Driver: TAP-Windows Adapter V9}
     inf:                                    Section Name = tap0901.ndi
     inf:                                    {Add Service: tap0901}
     inf:                                         Start Type    = 3
     inf:                                         Service Type  = 1
     inf:                                         Error Control = 1
     inf:                                         Image Path    = \SystemRoot\System32\drivers\tap0901.sys
     inf:                                         Display Name  = TAP-Windows Adapter V9
     inf:                                         Group         = NDIS
     inf:                                         Updated service 'tap0901'.
     inf:                                    {Add Service: exit(0x00000000)}
     inf:                                    Hardware Id  = tap0901
     inf:                                    {Configure Driver Configuration: tap0901.ndi}
     inf:                                         Service Name  = tap0901
     inf:                                         Config Flags  = 0x00000000
     inf:                                    {Configure Driver Configuration: exit(0x00000000)}
     inf:                               {Configure Driver: exit(0x00000000)}
     flq:                               Copying 'C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys' to 'C:\Windows\System32\drivers\tap0901.sys'.
     dvi:                               Existing files modified, may need to restart related services.
     sto:                          {Configure Driver Package: exit(0x00000bc3)}
     ndv:                          Restart required for any devices using this driver.
     dvi:                          Install Device: Configuring device (oem24.inf:tap0901,tap0901.ndi). 11:47:06.405
     dvi:                          Install Device: Configuring device completed. 11:47:06.410
     dvi:                          {Restarting Devices} 11:47:06.411
     dvi:                               Restart: ROOT\NET\0000
     dvi:                          {Restarting Devices exit} 11:47:06.456
     ndv:                     {Configure Device - exit(0x00000000)} 11:47:06.457
     ndv:                {Install Device - exit(0x00000000)} 11:47:06.471
     ndv:           {Core Device Install - exit(0x00000000)} 11:47:06.472
     ndv:           Waiting for device post-install to complete. 11:47:06.474
     ndv:           Device post-install completed. 11:47:06.570
     ump:      {Plug and Play Service: Device Install exit(00000000)}
     ndv: {Update Device Driver - exit(00000000)}
<<<  Section end 2018/04/26 11:47:06.618
<<<  [Exit status: SUCCESS]
@mattock

This comment has been minimized.

Member

mattock commented Apr 26, 2018

The root of the problem is this:

Device not started: Device has problem: 0x34 (CM_PROB_UNSIGNED_DRIVER), problem status: 0xc0000428.

Can you check if the driver is present in the device drivers dialog in the Windows control panel? I think it should be there, but probably shows an exclamation mark. In other words, it has been installed successfully, but the kernel refuses to load it.

@crkinard

This comment has been minimized.

crkinard commented Apr 26, 2018

That is exactly how it is. Shows up in device manager with a driver but refuses to load it because of bad signing.

@mattock

This comment has been minimized.

Member

mattock commented Apr 26, 2018

As a short-term workaround I built new Windows installer which include the old (9.21.2) tap-windows6 driver:

Out of curiosity I will try to follow the exact same signing process as for 9.21.2 (dual signatures) to see if that makes any difference. If not, then I will go the hardware dev portal route.

@mattock

This comment has been minimized.

Member

mattock commented Apr 26, 2018

@mattock

This comment has been minimized.

Member

mattock commented Apr 26, 2018

It is not dual-signed (don't have the SHA1 key). But the driver file itself (tap0901.sys) now has a signature. Previously only the security catalog (tap0901.cat) had it.

@igpit

This comment has been minimized.

igpit commented Apr 26, 2018

same problem here on a fresh w10pro install. tested:

the new linked "tap-windows-9.22.1-I602.exe" still throws error 52 signature problem in device manager.

the above workaround installer including the old tap (9.21.2) works nicely.

@mattock

This comment has been minimized.

Member

mattock commented Apr 27, 2018

I made the workaround installer official until I get the signature issue resolved. I submitted the tap-windows6 driver files to the Windows developer dashboard for signing, but I'm not sure how long the process will take. We're probably speaking of at least a week.

@selvanair

This comment has been minimized.

Collaborator

selvanair commented Apr 27, 2018

The reason for sticking to cross-signing was to have a driver that is supported by all versions of Windows, wasn't it? If we go this attestation signing route, we'll have to jump through too many hoops (aka HLK/HCK) to get a driver that supports not just Win10 but older desktop and server versions. Any changes to tap-windows will become a major pain going forward.

Anyway, the reason cross-signing has failed this time appears to be because the certificate used to sign the new driver was issued in Aug 2016 (not prior to the July 29, 2015 cut-off date). The exception clause for cross-signed cert is not very clear, but seems to imply the signing certificate ("end-entity cert") has to be issued before that date. The old one was issued in 2013.

If that is the case we don't have much option but use cross-signing plus attestation to have one version that supports most end users and another cross-signed only for the rest? There are no good options here.

@ghost

This comment has been minimized.

ghost commented May 3, 2018

Same error for me.
Signature error with the new 2.4.6 installer

@mattock

This comment has been minimized.

Member

mattock commented May 4, 2018

The process for properly signing drivers for Windows 10 is quite convoluted. I will try to get the signing process sorted out by next week. Installers scripts will require changes so a full release is even farther away.

@CHEF-KOCH

This comment has been minimized.

CHEF-KOCH commented May 24, 2018

OS: Win 10 x64 (1803 April Update) Build 17134.81 Enterprise
Tap-Driver: I tried all of them including the 9.0.0.22, 2.21.2,...
Log: dev log.txt
untitled
gerg
hgrh

>>>  [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901]
>>>  Section start 2018/05/24 23:59:13.455
      cmd: "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
     ndv: INF path: C:\Program Files\TAP-Windows\driver\OemVista.inf
     ndv: Install flags: 0x00000001
     ndv: {Update Device Driver - ROOT\NET\0000}
     ndv:      Search options: 0x00000080
     ndv:      Searching single INF 'C:\Program Files\TAP-Windows\driver\OemVista.inf'
     dvi:      {Build Driver List} 23:59:13.484
     dvi:           Searching for hardware ID(s):
     dvi:                tap0901
     dvi:           Created Driver Node:
     dvi:                HardwareID   - tap0901
     dvi:                InfName      - c:\program files\tap-windows\driver\oemvista.inf
     dvi:                DevDesc      - TAP-Windows Adapter V9
     dvi:                Section      - tap0901.ndi
     dvi:                Rank         - 0x00ff0000
     dvi:                Signer Score - Authenticode
     dvi:                DrvDate      - 04/15/2018
     dvi:                Version      - 9.0.0.22
     dvi:      {Build Driver List - exit(0x00000000)} 23:59:13.531
     dvi:      {DIF_SELECTBESTCOMPATDRV} 23:59:13.535
     dvi:           Default installer: Enter 23:59:13.539
     dvi:                {Select Best Driver}
     dvi:                     Class GUID of device changed to: {4d36e972-e325-11ce-bfc1-08002be10318}.
     dvi:                     Selected Driver:
     dvi:                          Description - TAP-Windows Adapter V9
     dvi:                          InfFile     - c:\program files\tap-windows\driver\oemvista.inf
     dvi:                          Section     - tap0901.ndi
     dvi:                {Select Best Driver - exit(0x00000000)}
     dvi:           Default installer: Exit
     dvi:      {DIF_SELECTBESTCOMPATDRV - exit(0x00000000)} 23:59:13.572
     ndv:      Force Installing Driver:
     ndv:           Inf Name       - oemvista.inf
     ndv:           Driver Date    - 04/15/2018
     ndv:           Driver Version - 9.0.0.22
     ndv:      Driver package 'C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_98fc017a6cec15eb\oemvista.inf' is already imported.
     sto:      {Setup Import Driver Package: c:\program files\tap-windows\driver\oemvista.inf} 23:59:13.594
     sto:           Driver package already imported as 'oem17.inf'.
     sto:      {Setup Import Driver Package - exit (0x00000000)} 23:59:13.605
     dvi:      Searching for hardware ID(s):
     dvi:           tap0901
     dvi:      Class GUID of device changed to: {4d36e972-e325-11ce-bfc1-08002be10318}.
     dvi:      {Plug and Play Service: Device Install for ROOT\NET\0000}
     dvi:           Driver INF Path: C:\Windows\INF\oem17.inf
     dvi:           Driver Node Name: oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.22:tap0901,
     dvi:           Driver Store Path: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_98fc017a6cec15eb\oemvista.inf
     dvi:           Searching for hardware ID(s):
     dvi:                tap0901
     dvi:           Class GUID of device changed to: {4d36e972-e325-11ce-bfc1-08002be10318}.
     dvi:           {Core Device Install} 23:59:13.682
     dvi:                {Install Device - ROOT\NET\0000} 23:59:13.683
     dvi:                     Device Status: 0x01802001, Problem: 0x0 (0x00000000)
     dvi:                     Parent device: HTREE\ROOT\0
     dvi:                     {Configure Device - ROOT\NET\0000} 23:59:13.686
     dvi:                          Device Status: 0x01802001, Problem: 0x0 (0x00000000)
     dvi:                          Parent device: HTREE\ROOT\0
     sto:                          {Configure Driver Package: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_98fc017a6cec15eb\oemvista.inf}
     sto:                               Source Filter  = tap0901
     inf:                               Class GUID     = {4d36e972-e325-11ce-bfc1-08002be10318}
     inf:                               Class Options  = Configurable
     inf:                               {Configure Driver: TAP-Windows Adapter V9}
     inf:                                    Section Name = tap0901.ndi
     inf:                                    {Add Service: tap0901}
     inf:                                         Start Type    = 3
     inf:                                         Service Type  = 1
     inf:                                         Error Control = 1
     inf:                                         Image Path    = \SystemRoot\System32\drivers\tap0901.sys
     inf:                                         Display Name  = TAP-Windows Adapter V9
     inf:                                         Group         = NDIS
     inf:                                         Updated service 'tap0901'.
     inf:                                    {Add Service: exit(0x00000000)}
     inf:                                    Hardware Id  = tap0901
     inf:                                    {Configure Driver Configuration: tap0901.ndi}
     inf:                                         Service Name  = tap0901
     inf:                                         Config Flags  = 0x00000000
     inf:                                    {Configure Driver Configuration: exit(0x00000000)}
     inf:                               {Configure Driver: exit(0x00000000)}
     flq:                               Copying 'C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_98fc017a6cec15eb\tap0901.sys' to 'C:\Windows\System32\drivers\tap0901.sys'.
     dvi:                               Existing files modified, may need to restart related services.
     sto:                          {Configure Driver Package: exit(0x00000bc3)}
     dvi:                          Restart required for any devices using this driver.
     dvi:                          Install Device: Configuring device (oem17.inf:tap0901,tap0901.ndi). 23:59:13.709
     dvi:                          Install Device: Configuring device completed. 23:59:13.712
     dvi:                          Device Status: 0x01802001, Problem: 0x0 (0x00000000)
     dvi:                          {Restarting Devices} 23:59:13.713
     dvi:                               Start: ROOT\NET\0000
!    dvi:                               Device pending start: Device has problem: 0x38 (CM_PROB_NEED_CLASS_CONFIG), problem status: 0x00000000.
     dvi:                          {Restarting Devices exit} 23:59:13.724
     dvi:                     {Configure Device - exit(0x00000000)} 23:59:13.725
     dvi:                     Device Status: 0x01802401, Problem: 0x38
     dvi:                {Install Device - exit(0x00000000)} 23:59:13.738
     dvi:           {Core Device Install - exit(0x00000000)} 23:59:13.738
     dvi:           Waiting for device post-install to complete. 23:59:13.739
     dvi:           Device post-install completed. 23:59:13.805
!    dvi:           Device post-install problem: 0x34 (0xC0000428)
     ump:      {Plug and Play Service: Device Install exit(00000000)}
     ndv: {Update Device Driver - exit(00000000)}
     ndv: {Install Related Drivers} 23:59:13.817
     ndv: {Install Related Drivers: exit(0x00000000)} 23:59:13.826
<<<  Section end 2018/05/24 23:59:13.836
<<<  [Exit status: SUCCESS]

None of this posted solutions survive several reboot, it might work at first but after some time you get the same error in Device Manager.

Here is the real last working one:
Tap-Driver 9.00.00.21.zip

@crkinard

This comment has been minimized.

crkinard commented May 24, 2018

Uh. The one currently on their site works perfectly fine.

@mattock

This comment has been minimized.

Member

mattock commented May 25, 2018

Tap-windows 9.22.1 does not work on recent Windows 10 that has secure boot on and is a fresh install based on revision 1607 or later. This has everything to do with signatures - Microsoft made signing requirements much more strict and we're setting up the infrastructure to build, sign and test 9.22.1 so that these Windows 10 systems can accept it.

@kappa7194

This comment has been minimized.

kappa7194 commented May 25, 2018

OS: Win 10 x64 (1803 April Update) Build 17134.81 Enterprise
Tap-Driver: I tried all of them including the 9.0.0.22, 2.21.2,...
None of this posted solutions survive several reboot, it might work at first but after some time you get the same error in Device Manager.

Yesterday I reinstalled my work laptop using Microsoft Windows 10 Enterprise (10.0.17134 Build 17134) and openvpn-install-2.4.6-I602.exe, which includes TAP-Windows 9.21.2, worked flawlessly.

Maybe you have something else on your computer that's interfering?

@kappa7194

This comment has been minimized.

kappa7194 commented May 25, 2018

OK, this is funny.

This afternoon the TAP interface disappeared. In Device Manger the interface was no longer available under Network adapters, however a mysterious "Unknown device" appeared under Other devices, bearing a description of "tap".

I uninstalled the unknown device, uninstalled TAP-Windows, and then reinstalled it using http://build.openvpn.net/downloads/releases/tap-windows-9.22.1-I602.exe and lo and behold the device refused to start with the usual error:

Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)

Here's the install log:

>>>  [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901]
>>>  Section start 2018/05/25 16:23:12.828
      cmd: "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
     ndv: INF path: C:\Program Files\TAP-Windows\driver\OemVista.inf
     ndv: Install flags: 0x00000001
     ndv: {Update Device Driver - ROOT\NET\0000}
     ndv:      Search options: 0x00000080
     ndv:      Searching single INF 'C:\Program Files\TAP-Windows\driver\OemVista.inf'
     dvi:      {Build Driver List} 16:23:12.891
     dvi:           Searching for hardware ID(s):
     dvi:                tap0901
     sig:           {_VERIFY_FILE_SIGNATURE} 16:23:12.953
     sig:                Key      = oemvista.inf
     sig:                FilePath = c:\program files\tap-windows\driver\oemvista.inf
     sig:                Catalog  = c:\program files\tap-windows\driver\tap0901.cat
!    sig:                Verifying file against specific (valid) catalog failed.
!    sig:                Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
     sig:           {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 16:23:13.078
     sig:           {_VERIFY_FILE_SIGNATURE} 16:23:13.078
     sig:                Key      = oemvista.inf
     sig:                FilePath = c:\program files\tap-windows\driver\oemvista.inf
     sig:                Catalog  = c:\program files\tap-windows\driver\tap0901.cat
     sig:                Success: File is signed in Authenticode(tm) catalog.
     sig:                Error 0xe0000242: The publisher of an Authenticode(tm) signed catalog has not yet been established as trusted.
     sig:           {_VERIFY_FILE_SIGNATURE exit(0xe0000242)} 16:23:13.156
     dvi:           Created Driver Node:
     dvi:                HardwareID   - tap0901
     dvi:                InfName      - c:\program files\tap-windows\driver\oemvista.inf
     dvi:                DevDesc      - TAP-Windows Adapter V9
     dvi:                Section      - tap0901.ndi
     dvi:                Rank         - 0x00ff0000
     dvi:                Signer Score - Authenticode
     dvi:                DrvDate      - 04/15/2018
     dvi:                Version      - 9.0.0.22
     dvi:      {Build Driver List - exit(0x00000000)} 16:23:13.203
     dvi:      {DIF_SELECTBESTCOMPATDRV} 16:23:13.219
     dvi:           Default installer: Enter 16:23:13.219
     dvi:                {Select Best Driver}
     dvi:                     Class GUID of device changed to: {4d36e972-e325-11ce-bfc1-08002be10318}.
     dvi:                     Selected Driver:
     dvi:                          Description - TAP-Windows Adapter V9
     dvi:                          InfFile     - c:\program files\tap-windows\driver\oemvista.inf
     dvi:                          Section     - tap0901.ndi
     dvi:                {Select Best Driver - exit(0x00000000)}
     dvi:           Default installer: Exit
     dvi:      {DIF_SELECTBESTCOMPATDRV - exit(0x00000000)} 16:23:13.266
     ndv:      Force Installing Driver:
     ndv:           Inf Name       - oemvista.inf
     ndv:           Driver Date    - 04/15/2018
     ndv:           Driver Version - 9.0.0.22
     sto:      {Setup Import Driver Package: c:\program files\tap-windows\driver\oemvista.inf} 16:23:13.297
     inf:           Provider: TAP-Windows Provider V9
     inf:           Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
     inf:           Driver Version: 04/15/2018,9.00.00.22
     inf:           Catalog File: tap0901.cat
     sto:           {Copy Driver Package: c:\program files\tap-windows\driver\oemvista.inf} 16:23:13.328
     sto:                Driver Package = c:\program files\tap-windows\driver\oemvista.inf
     sto:                Flags          = 0x00000007
     sto:                Destination    = C:\Users\MYUSER\AppData\Local\Temp\{0e5559d5-4b7a-7748-8e85-04684c667720}
     sto:                Copying driver package files to 'C:\Users\MYUSER\AppData\Local\Temp\{0e5559d5-4b7a-7748-8e85-04684c667720}'.
     flq:                Copying 'c:\program files\tap-windows\driver\oemvista.inf' to 'C:\Users\MYUSER\AppData\Local\Temp\{0e5559d5-4b7a-7748-8e85-04684c667720}\oemvista.inf'.
     flq:                Copying 'c:\program files\tap-windows\driver\tap0901.cat' to 'C:\Users\MYUSER\AppData\Local\Temp\{0e5559d5-4b7a-7748-8e85-04684c667720}\tap0901.cat'.
     flq:                Copying 'c:\program files\tap-windows\driver\tap0901.sys' to 'C:\Users\MYUSER\AppData\Local\Temp\{0e5559d5-4b7a-7748-8e85-04684c667720}\tap0901.sys'.
     sto:           {Copy Driver Package: exit(0x00000000)} 16:23:13.391
     pol:           {Driver package policy check} 16:23:13.453
     pol:           {Driver package policy check - exit(0x00000000)} 16:23:13.453
     sto:           {Stage Driver Package: C:\Users\MYUSER\AppData\Local\Temp\{0e5559d5-4b7a-7748-8e85-04684c667720}\oemvista.inf} 16:23:13.453
     inf:                {Query Configurability: C:\Users\MYUSER\AppData\Local\Temp\{0e5559d5-4b7a-7748-8e85-04684c667720}\oemvista.inf} 16:23:13.469
     inf:                     Driver package 'oemvista.inf' is configurable.
     inf:                {Query Configurability: exit(0x00000000)} 16:23:13.485
     flq:                Copying 'C:\Users\MYUSER\AppData\Local\Temp\{0e5559d5-4b7a-7748-8e85-04684c667720}\oemvista.inf' to 'C:\Windows\System32\DriverStore\Temp\{39dce127-0574-8140-a706-a00f40a05b94}\oemvista.inf'.
     flq:                Copying 'C:\Users\MYUSER\AppData\Local\Temp\{0e5559d5-4b7a-7748-8e85-04684c667720}\tap0901.cat' to 'C:\Windows\System32\DriverStore\Temp\{39dce127-0574-8140-a706-a00f40a05b94}\tap0901.cat'.
     flq:                Copying 'C:\Users\MYUSER\AppData\Local\Temp\{0e5559d5-4b7a-7748-8e85-04684c667720}\tap0901.sys' to 'C:\Windows\System32\DriverStore\Temp\{39dce127-0574-8140-a706-a00f40a05b94}\tap0901.sys'.
     sto:                {DRIVERSTORE IMPORT VALIDATE} 16:23:13.500
     sig:                     {_VERIFY_FILE_SIGNATURE} 16:23:13.563
     sig:                          Key      = oemvista.inf
     sig:                          FilePath = C:\Windows\System32\DriverStore\Temp\{39dce127-0574-8140-a706-a00f40a05b94}\oemvista.inf
     sig:                          Catalog  = C:\Windows\System32\DriverStore\Temp\{39dce127-0574-8140-a706-a00f40a05b94}\tap0901.cat
!    sig:                          Verifying file against specific (valid) catalog failed.
!    sig:                          Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
     sig:                     {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 16:23:13.625
     sig:                     {_VERIFY_FILE_SIGNATURE} 16:23:13.625
     sig:                          Key      = oemvista.inf
     sig:                          FilePath = C:\Windows\System32\DriverStore\Temp\{39dce127-0574-8140-a706-a00f40a05b94}\oemvista.inf
     sig:                          Catalog  = C:\Windows\System32\DriverStore\Temp\{39dce127-0574-8140-a706-a00f40a05b94}\tap0901.cat
     sig:                          Success: File is signed in Authenticode(tm) catalog.
     sig:                          Error 0xe0000242: The publisher of an Authenticode(tm) signed catalog has not yet been established as trusted.
     sig:                     {_VERIFY_FILE_SIGNATURE exit(0xe0000242)} 16:23:13.750
!    sig:                     Driver package signer is unknown, but user trusts signer.
     sto:                {DRIVERSTORE IMPORT VALIDATE: exit(0x00000000)} 16:23:16.110
     sig:                Signer Score  = 0x0F000000
     sig:                Signer Name   = OpenVPN Technologies, Inc.
     sto:                {DRIVERSTORE IMPORT BEGIN} 16:23:16.110
     sto:                {DRIVERSTORE IMPORT BEGIN: exit(0x00000000)} 16:23:16.110
     cpy:                {Copy Directory: C:\Windows\System32\DriverStore\Temp\{39dce127-0574-8140-a706-a00f40a05b94}} 16:23:16.110
     cpy:                     Target Path = C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_98fc017a6cec15eb
     cpy:                {Copy Directory: exit(0x00000000)} 16:23:16.110
     idb:                {Register Driver Package: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_98fc017a6cec15eb\oemvista.inf} 16:23:16.125
     idb:                     Created driver package object 'oemvista.inf_amd64_98fc017a6cec15eb' in DRIVERS database node.
     idb:                     Created driver INF file object 'oem32.inf' in DRIVERS database node.
     idb:                     Registered driver package 'oemvista.inf_amd64_98fc017a6cec15eb' with 'oem32.inf'.
     idb:                {Register Driver Package: exit(0x00000000)} 16:23:16.125
     idb:                {Publish Driver Package: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_98fc017a6cec15eb\oemvista.inf} 16:23:16.125
     idb:                     Activating driver package 'oemvista.inf_amd64_98fc017a6cec15eb'.
     cpy:                     Published 'oemvista.inf_amd64_98fc017a6cec15eb\oemvista.inf' to 'oem32.inf'.
     idb:                     Indexed 3 device IDs for 'oemvista.inf_amd64_98fc017a6cec15eb'.
     sto:                     Flushed driver database node 'DRIVERS'. Time = 15 ms
     sto:                     Flushed driver database node 'SYSTEM'. Time = 0 ms
     idb:                {Publish Driver Package: exit(0x00000000)} 16:23:16.172
     sto:                {DRIVERSTORE IMPORT END} 16:23:16.172
     dvi:                     Flushed all driver package files to disk. Time = 15 ms
     sig:                     Installed catalog 'tap0901.cat' as 'oem32.cat'.
     sto:                {DRIVERSTORE IMPORT END: exit(0x00000000)} 16:23:16.313
     sto:           {Stage Driver Package: exit(0x00000000)} 16:23:16.313
     sto:      {Setup Import Driver Package - exit (0x00000000)} 16:23:16.328
     dvi:      Searching for hardware ID(s):
     dvi:           tap0901
     dvi:      Class GUID of device changed to: {4d36e972-e325-11ce-bfc1-08002be10318}.
     dvi:      {Plug and Play Service: Device Install for ROOT\NET\0000}
     dvi:           Driver INF Path: C:\Windows\INF\oem32.inf
     dvi:           Driver Node Name: oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.22:tap0901,
     dvi:           Driver Store Path: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_98fc017a6cec15eb\oemvista.inf
     dvi:           Searching for hardware ID(s):
     dvi:                tap0901
     dvi:           Class GUID of device changed to: {4d36e972-e325-11ce-bfc1-08002be10318}.
     dvi:           {Core Device Install} 16:23:16.406
     dvi:                {Install Device - ROOT\NET\0000} 16:23:16.406
     dvi:                     Device Status: 0x01802001, Problem: 0x0 (0x00000000)
     dvi:                     Parent device: HTREE\ROOT\0
     dvi:                     {Configure Device - ROOT\NET\0000} 16:23:16.422
     dvi:                          Device Status: 0x01802001, Problem: 0x0 (0x00000000)
     dvi:                          Parent device: HTREE\ROOT\0
     sto:                          {Configure Driver Package: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_98fc017a6cec15eb\oemvista.inf}
     sto:                               Source Filter  = tap0901
     inf:                               Class GUID     = {4d36e972-e325-11ce-bfc1-08002be10318}
     inf:                               Class Options  = Configurable
     inf:                               {Configure Driver: TAP-Windows Adapter V9}
     inf:                                    Section Name = tap0901.ndi
     inf:                                    {Add Service: tap0901}
     inf:                                         Start Type    = 3
     inf:                                         Service Type  = 1
     inf:                                         Error Control = 1
     inf:                                         Image Path    = \SystemRoot\System32\drivers\tap0901.sys
     inf:                                         Display Name  = TAP-Windows Adapter V9
     inf:                                         Group         = NDIS
     inf:                                         Updated service 'tap0901'.
     inf:                                    {Add Service: exit(0x00000000)}
     inf:                                    Hardware Id  = tap0901
     inf:                                    {Configure Driver Configuration: tap0901.ndi}
     inf:                                         Service Name  = tap0901
     inf:                                         Config Flags  = 0x00000000
     inf:                                    {Configure Driver Configuration: exit(0x00000000)}
     inf:                               {Configure Driver: exit(0x00000000)}
     flq:                               Copying 'C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_98fc017a6cec15eb\tap0901.sys' to 'C:\Windows\System32\drivers\tap0901.sys'.
     dvi:                               Existing files modified, may need to restart related services.
     sto:                          {Configure Driver Package: exit(0x00000bc3)}
     dvi:                          Restart required for any devices using this driver.
     dvi:                          Install Device: Configuring device (oem32.inf:tap0901,tap0901.ndi). 16:23:16.500
     dvi:                          Install Device: Configuring device completed. 16:23:16.500
     dvi:                          Device Status: 0x01802001, Problem: 0x0 (0x00000000)
     dvi:                          {Restarting Devices} 16:23:16.500
     dvi:                               Start: ROOT\NET\0000
!    dvi:                               Device pending start: Device has problem: 0x38 (CM_PROB_NEED_CLASS_CONFIG), problem status: 0x00000000.
     dvi:                          {Restarting Devices exit} 16:23:16.531
     dvi:                     {Configure Device - exit(0x00000000)} 16:23:16.531
     dvi:                     Device Status: 0x01802401, Problem: 0x38
     dvi:                {Install Device - exit(0x00000000)} 16:23:16.547
     dvi:           {Core Device Install - exit(0x00000000)} 16:23:16.547
     dvi:           Waiting for device post-install to complete. 16:23:16.563
     dvi:           Device post-install completed. 16:23:16.735
!    dvi:           Device post-install problem: 0x34 (0xC0000428)
     ump:      {Plug and Play Service: Device Install exit(00000000)}
     ndv: {Update Device Driver - exit(00000000)}
     ndv: {Install Related Drivers} 16:23:16.766
     ndv: {Install Related Drivers: exit(0x00000000)} 16:23:16.781
<<<  Section end 2018/05/25 16:23:16.813
<<<  [Exit status: SUCCESS]
@CHEF-KOCH

This comment has been minimized.

CHEF-KOCH commented May 25, 2018

The driver doesn't work and disappear or will get the Error code (yellow triangle) no matter what @crkinard is telling here. I tested it and it's reproducible on all my 1803 machines.

I posted the only working driver already here. It has something to do with Windows Defenders new protection mechanism and Secure Boot/UEFI, even if you disable WD it still starts it's bootstrapper driver and after some reboots, you get Code 52 again.

I have some serious doubts if the developers can't even properly sign the driver how insecure the code is, last I've seen there wasn't any code audit or review. This is really shocking and one update in a year or so is not enough to keep up with MS changes.

@kappa7194

This comment has been minimized.

kappa7194 commented May 25, 2018

The driver doesn't work and disappear or will get the Error code (yellow triangle) no matter what @crkinard is telling here. I tested it and it's reproducible on all my 1803 machines.

I posted the only working driver already here. It has something to do with Windows Defenders new protection mechanism and Secure Boot/UEFI, even if you disable WD it still starts it's bootstrapper driver and after some reboots, you get Code 52 again.

I don't think it's that simple.

I tried a couple of things.

I uninstalled everything (devices, drivers, programs), rebooted, tried to install http://build.openvpn.net/downloads/releases/tap-windows-9.22.1-I602.exe: driver error.

I uninstalled everything, rebooted, installed http://build.openvpn.net/downloads/releases/openvpn-install-2.4.6-I602.exe again (as I did yesterday): everything works and I'm able to connect.

image

In Windows Defender I have everything except Force randomization for images (mandatory ASLR) (since that screws up Git/Cygwin) enabled:

image

image

image

image

image

@CHEF-KOCH

This comment has been minimized.

CHEF-KOCH commented May 25, 2018

I agree it's not a simple solution as long it's wrong signed.

Regarding WD's own mechanism to check (and possibly verify drivers [it's not documented]). You can configure it or disable it but it still starts the driver unless you disable/remove it manually.

feg

@kappa7194

This comment has been minimized.

kappa7194 commented May 25, 2018

I agree it's not a simple solution as long it's wrong signed.

Regarding WD's own mechanism to check (and possibly verify drivers [it's not documented]). You can configure it or disable it but it still starts the driver unless you disable/remove it manually.

I was talking about the origin of the problem.

Your hypothesis is not holding, at least for me: Windows is loading the driver, the device is working, I'm able to establish a VPN connection. So it Works For Me™. At the moment.

The driver signature is either always valid or always invalid, it can't be valid for some people and not for others or work fine for hours/days and then suddenly stop working, unless there's something else at play. Is this caused by specific settings? Security suites? Aliens? I don't know.

@CHEF-KOCH

This comment has been minimized.

CHEF-KOCH commented May 25, 2018

Your assumption is incorrect, Windows by default stores a backup driver in it's Driver Store, if the driver is not correct it tries to use the old one if you scan for errors. In case you remove the driver it still keeps the old one unless you manually remove it or you use a PowerShell script to do this via pnputil.exe.

As shown here Hyper-V also can causes issue with the (current) installed driver. There bunch of other scenarios when this can be 'broken'. So sign the driver with SHA-1 is not enough you also need since Windows 8.1 TRCA. I think the major culprit is Portal.

On 2016-07-26, Microsoft announced that this rule will only be enforced on Windows 10 systems that were freshly installed at build 1607 or later, with Secure Boot on.

I already linked the article, but here we go again.

@cron2

This comment has been minimized.

Contributor

cron2 commented May 25, 2018

@cron2

This comment has been minimized.

Contributor

cron2 commented May 25, 2018

@selvanair

This comment has been minimized.

Collaborator

selvanair commented May 25, 2018

OK, this is funny.

This afternoon the TAP interface disappeared. In Device Manger the interface was no longer available under Network adapters, however a mysterious "Unknown device" appeared under Other devices, bearing a description of "tap".

I uninstalled the unknown device, uninstalled TAP-Windows, and then reinstalled it using http://build.openvpn.net/downloads/releases/tap-windows-9.22.1-I602.exe and lo and behold the device refused to start with the usual error:

There is nothing funny about this. If you read messages from @mattock in this thread you will notice that 9.22.1-I602.exe is known not to "work" on Windows 10. Please use the latest release of openvpn openvpn-install-2.4.6-I602.exe which includes TAP-Windows 9.21.2.

@mattock Can we unllink the offending tap-wnodws-9.22.1-I602.exe from the releases page?

@mattock

This comment has been minimized.

Member

mattock commented May 28, 2018

@selvanair tap-windows-9.22.1-I602.exe does not seem to be linked to from the download pages. I believe I removed the link when I released the most recent OpenVPN Windows installer. I could also remove tap-windows-9.22.1-I602.exe and openvpn-install-2.4.6-I601 (which includes it) from our download servers, but I think that might be an overkill.

@kappa7194

This comment has been minimized.

kappa7194 commented May 29, 2018

I used the build linked in #49 (comment), not noticing that later it has been deemed not working.

Using the correct build I can confirm that as of today it's still working on my Windows 10 Enterprise (10.0.17134 Build 17134) system.

@wget

This comment has been minimized.

wget commented Jun 29, 2018

Hello everyone. Someone on the OpenVPN chocolatey package I manage linked to me this issue. Any progress being made on this side? How should I fix it?

@mattock

This comment has been minimized.

Member

mattock commented Jul 2, 2018

@wget the only fix right now is to revert back to tap-windows-9.21.2. Releasing a new driver became way more complicated than we ever imagined. The reason is Windows Server 2016: it will refuse to load any drivers that are not signed by Microsoft. And Microsoft refuses to sign any drivers submissions for Windows Server 2016 which do not come with (positive) Windows Hardware Lab Kit test results. So I ended up having to build a HLK test cluster. The cluster is working, and the developers are looking into some of the test failures right now. Once all the tests pass we can submit an updated driver (9.22.2) to Microsoft for signing.

In the end we will have two different OpenVPN/tap-windows6 installers:

  • Windows Server 2016
  • Other Windows versions

I bet you can fairly easily combine these two into one in Chocolatey - we did not want to add the extra logic into our tap-windows6 NSI code, as we already have an untested MSI replacement for it. You can probably work around this issue in the Powershell install scripts of the Chocolatey package.

We chose to go with two installers due to MS signing policies: all other Windows versions should be happy with a driver that has a cross-signed signature (as in 9.21.2) and an attestation signature. Only Windows Server 2016 needs special treatment at the moment. Also, getting a signature that works across all Windows versions requires having three separate test environments (HLK, HCK, WLK) with a huge number of test nodes. So we would probably have to outsource the testing part if we ever wanted to take this route.

The release date for the new tap-windows6 release was set to "this week". But I strongly doubt that we will make it, given that we probably need to tweak our HLK test environment further and resolve the test failures.

If you're interested in this highly esoteric subject then the Attestation signing a kernel driver for public release document is a good start.

@wget

This comment has been minimized.

wget commented Jul 2, 2018

@mattock Ok I'll do a detection. Does the difference also impact previous Windows Server releases (2008, 2008R2, 2012, 2012R2). Does this impact future versions as well, like the new Windows Server 2009 Technical Preview (based on the 1803 Windows branch IIRC)?

Do you have a link to share to the old TAB driver release? Or should I extract it from the previous 2.4.4 installer release?

@TinCanTech

This comment has been minimized.

TinCanTech commented Jul 2, 2018

@mattock

This comment has been minimized.

Member

mattock commented Jul 3, 2018

@wget I think it is more like that Microsoft will tighten up the driver signing requirements rather than vice versa. Right now only Windows Server 2016 is affected, but I'm sure 2019 will be as well. They might very well add Windows 10 (desktop) to the mix, but this is pure speculation.

I actually started looking into outsourcing HLK pre-submissoin testing. We don't want to end up maintaining our own test lab in the office for something we have to build maybe once in two years in average.

@wget

This comment has been minimized.

wget commented Jul 10, 2018

@mattock Problem fixed. Here is how I fixed it on Chocolatey: https://github.com/wget/chocolatey-package-openvpn/blob/a2acebc444e0bc8b1d95cf5832e7b25f097ee09e/tools/chocolateyInstall.ps1#L90

Please note if you want to test, the package is still under moderation. Will be live within a few hours. Regards.

@ceemy

This comment has been minimized.

ceemy commented Sep 15, 2018

Found the solution for TAPS-Window install troubleshooting--This works: How to Disable Driver Signature Verification on 64-Bit Windows 8 or 10 (So That You Can Install Unsigned Drivers)
https://www.howtogeek.com/167723/how-to-disable-driver-signature-verification-on-64-bit-windows-8.1-so-that-you-can-install-unsigned-drivers/`

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment