New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Windows requires a digitally signed driver #187
Comments
Did you update you windows 7 ? |
Yes, Thanks this is what I am talking about. There should be two signature but since your system is not updated it only see the SHA1 that is Microsoft deprecated....since 2016. |
Okay well I've disabled verification using |
Is Service Pack 1 installed for that Windows 7? The setup should fail if it isn't but let's verify anyway. SHA2 for Windows 7 might need this Windows update: |
No idea if SP1 is installed ... like I said I can't install any updates because updates are managed by my sysadmin. |
You could post the setup log files, in your %TEMP% there should be Dokan* text files. |
I question myself about the dokan signature process.... I am wondering if we need a SHA1 cert to sign SHA1 and cert SHA2 to sign SHA2. Our sign script: |
DIFXAPP: ERROR: Unable to start service 'dokan' because of error 0x241 qaisjp: I think you should try to use the fixed driver package mentioned in issue 179: https://drive.google.com/folderview?id=0B3E9tU82h-RMMmh3RkJFamM4WTA&usp=sharing |
"I am wondering if we need a SHA1 cert to sign SHA1 and cert SHA2 to sign SHA2." I don't think so. The only potential issue I would suspect is with non-updated Win 7 if you use a SHA2 cert for anything. |
The fixed drivers aren't working either. New set of logs: https://www.dropbox.com/sh/0cvw913y3kloans/AABNdN4Kf7HnKqjq1myC9GMQa?dl=0 |
Okay well I've reverted back to 0.7.3 (and an old version of winssh-fs)... the bug still probably exists for people in the same situation as me though. |
0.7.x will work because there was sign SHA1 before 2016. This is a Microsoft limitations, I don't think we can do much with it sorry. |
You could perhaps create a test driver setup signed with your old SHA1-cert to verify that is the reason here. |
qaisjp, you don't have any chance of installing https://support.microsoft.com/en-us/kb/3033929 on your machine? |
Some useful info on certificate issues can be found here: |
Installing the Security Update for Windows 7 (KB3033929) helped me: |
Liryna, I think on WIn7 we should install KB3033929 as well with the bundle like we do it with the UCRT KB update. |
It seems that we will need to do it yes. it is really strange that even without this patch it cannot validate the SHA1.... |
Liryna, I've implemented KB3033929 installation with the bundle but that's not a final or elegant solution. The update requires a restart before it becomes active: Applied execute package: Win71_KB3033929_x64, result: 0x0, restart: Required Because that restart is not scheduled by WiX Burn before the Dokan driver is installed, users will still see the unsigned driver warning. After restart the driver though is installed correctly because the KB3033929-updated DLLs will then allow SHA256-signed drivers. Adding the KB3033929 msu files also increases the size of DokanSetup_redist.exe to 110 MB. Scheduling the restart before Dokan driver installation is only possible with a custom bootstrapper. As an alternative I'd rather implement a check for install status of KB3033929 and show an error in case it isn't already installed (only relevant for WIn 7). |
@js69 Thank you for the test ! |
KB3033929 is needed to support SHA2-signatures on Windows 7 / 2008 R2. MSI installation now fails if it is not installed. Closes dokan-dev#187 and dokan-dev#244.
Due to some oddity, we need to specify a version that is one version lower than the one we are actually searching for. References: dokan-dev#260, dokan-dev#244, dokan-dev#187 Quoting WiX-documentation: Important: When doing a locale-neutral search for a file, you must set the MinVersion property to one revision number lower than the actual version you want to search for.
when installing "DokanSetup_redist.exe" in v1.0.0-RC1
I'm on Windows Enterprise 7
The text was updated successfully, but these errors were encountered: