New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Not Digitally Signed driver #56

Closed
olizama opened this Issue May 31, 2018 · 31 comments

Comments

Projects
None yet
8 participants
@olizama
Copy link

olizama commented May 31, 2018

My dears,

Looks like you forgot to digitally sign the driver on version 7.2, it can't be installed normally without bypassing windows security.

@wcwang

This comment has been minimized.

Copy link
Contributor

wcwang commented May 31, 2018

Could you provide us the download link of HAXM v7.2.0? And describe the detailed information of the host machine, such as OS version, OS bits, Windows security software version, etc. Moreover, you may attach your IntelHaxm.sys and perhaps the installer package here if convenient. Thanks.

@olizama

This comment has been minimized.

Copy link

olizama commented May 31, 2018

Sure no problem,

Download Link: https://github.com/intel/haxm/releases/download/v7.2.0/haxm-windows_v7_2_0.zip

Machine Details: Windows 7 Ultimate SP1 x64

Not sure what you mean with Windows Security software verison

HAXM 7.2 is not working because it doesn't pass the Driver Signature Enforcement
captura

@olizama

This comment has been minimized.

Copy link

olizama commented May 31, 2018

My workaround to this issue was simple to go back to HAXM v7.1 because it's digitally signed, in case anyone else have the issue, while you figure it out.

Regards,

@olizama

This comment has been minimized.

Copy link

olizama commented May 31, 2018

OK I had to reproduce the issue again, here is the information requested.

My IntelHaxm.sys and the installer package downloaded,

IntelHaxm.zip
haxm-windows_v7_2_0.zip

Hope this helps,

Regards,

image

@wcwang

This comment has been minimized.

Copy link
Contributor

wcwang commented May 31, 2018

Could you please attach the error screenshot when blocking installation? And since HAXM v7.2.0 cannot finish to install, how did you extract IntelHaxm.sys driver? Thanks.

@olizama

This comment has been minimized.

Copy link

olizama commented May 31, 2018

Sorry my friend, I went back to HAXM v7.1 because i'm working right now on Android Studio,

On HAXM v7.2 if you run the silent_install.bat, it will show no error, the files get copied to the system that's how I managed to get the IntelHaxm.sys, but Windows shows a message saying that an installation tried to install a driver that was not digitally signed and it will not run.

If you run the HAXM Installer (intelhaxm-android), it will show an error then the Finish button, there I'm not sure if the files get copied to the system.

This error will happen to any computer having Windows 7,8 or 10, if you don't have a Windows OS close to you right now I could try again to show you those messsages.

BTW if you noted my Windows OS is in Spanish so I'm not sure if you will understand the error anyway, just let me know if you still need them.

@wcwang

This comment has been minimized.

Copy link
Contributor

wcwang commented May 31, 2018

Could you help to provide the Windows build version of Windows 7? Just run below command,
C:> ver
Microsoft Windows [Version 6.1.7601] (For my computer)

Could you also help to check the signature certification chains for IntelHaxm.sys of HAXM v7.2.0?
Right click on IntelHaxm.sys -> Properties -> Digital Signatures -> Select the signature list -> Details -> General -> View Certificate -> Certification Path
Then click each certification path and find out which one is not OK.

The following screenshots are certification path of HAXM v7.1.0 and v7.2.0 from my Windows 7 computer.

haxm_v7_1

Figure 1. HAXM v7.1.0

haxm_v7_2

Figure 2. HAXM v7.2.0

By the way, after our checking, all of certification paths from both drivers are shown as OK from our computers, including Windows 7, 8 and 10.

@olizama

This comment has been minimized.

Copy link

olizama commented May 31, 2018

Windows Version:
image

Reproducing the Error Again

1 - Uninstall HAXVM v7.1 from Control Panel - Remove a Program - Done
2 - Check if still exist IntelHAXM.sys - Checked Doesn't Exist
3 - Run the Installer intelhaxm-android.exe with Admin Privileges
image

4 - Error from the Installer is shown

image

5 - Few seconds later Error from windows is shown as well. Saying that windows requires a digitally signed driver.

image

6 - Finish the Installation

image

7 - Check Again if IntelHAXM.sys exist. - Checked and the file exist located in System32\drivers folder

image

8 - Verifiy the Certificates - Certificate looks valid.

image

9 - Check the status of Intel HAXM

image

10 Try to start it manually - Error says that windows cannot verify the digital signature from this file, a recent change in hardware or software could have installed a file with a signature broken or incorrect, or could be as well a malware from a unknown source.

image

I will keep version 7.2 for a while just in case you still need more info,

Regards,

@wcwang

This comment has been minimized.

Copy link
Contributor

wcwang commented May 31, 2018

Thanks for your detailed information. We compared the certificate chains and found there were some differences between us. There are 4 levels in ours and 3 levels in yours. We will investigate this issue in the next week. You can change to HAXM v7.1.0 to continue using. Sorry for bring you trouble. Thanks a lot.

@olizama

This comment has been minimized.

Copy link

olizama commented May 31, 2018

As far as I was reading about certificates this issue could be reported in computers with Windows OS 7,8 and 10 with Architecture of 64 bits,

I just noticed the issue after updating HAXM from Android Studio, I would like to think it's just me who has the issue but I found another user that updated Haxm as well and had the same problem.

https://stackoverflow.com/questions/50615096/intel-haxm-version-7-2-not-digitally-signed

I appreciate your time and efforts, now I will go back to HAXM v7.1

Best Regards,

@raphaelning

This comment has been minimized.

Copy link
Contributor

raphaelning commented Jun 4, 2018

We now have another report of the same issue from @minimop (#57). @minimop Are you also on Windows 7? Please provide the following information about your Windows system:

  1. Version (check output of ver from a command prompt window)
  2. Edition (Home/Professional/Ultimate/Enterprise)
  3. Architecture (32-bit or 64-bit)

If you could also check the certification path for intelhaxm.sys and take a screenshot (see @olizama 's post above), that would be even more helpful.

Thanks.

@raphaelning

This comment has been minimized.

Copy link
Contributor

raphaelning commented Jun 4, 2018

TLDR: I believe this issue only affects 64-bit Windows 7 systems that lack this security update, which enables support for drivers signed with a SHA-256 (SHA-2) certificate.

For the HAXM 7.2.0 release, we changed the certificate that we use to sign the Windows 7/8/8.1 driver (IntelHaxm.sys). Previously (for HAXM 7.1.0 and earlier), we used a SHA-1 certificate for these Windows versions. However, we were advised that SHA-1 algorithm is now considered insecure, and that we should replace it with SHA-256 (a variant of SHA-2). So we did that, and tested the new driver against our own Windows 7/8/8.1 systems without noticing any issue.

However, apparently the new driver signature is not recognized by some Windows systems. According to this article, Windows 7 actually requires a patch to enable SHA-256 support, whereas Windows 8 and later supports it by default. @olizama Could you install that patch and see if it fixes the issue for you?

@raphaelning raphaelning added the windows label Jun 4, 2018

@olizama

This comment has been minimized.

Copy link

olizama commented Jun 4, 2018

You must be right @raphaelning, it's an old bad habit that I have to disabled Windows Updates, got tired of getting my computer broken because of those.

Let me install the patch, then install HAXM v7.2

@olizama

This comment has been minimized.

Copy link

olizama commented Jun 4, 2018

OK my friends, sorry for the issue report, it was as you said a windows update missing, patched the computer and installed HAXM v7.2 without issues, working like a charm.

Big thanks for your hard work.

@raphaelning

This comment has been minimized.

Copy link
Contributor

raphaelning commented Jun 5, 2018

Cool! So we'll continue to sign the Windows 7 driver with the SHA-256 certificate for future HAXM releases.

Closing this issue now.

@raphaelning raphaelning closed this Jun 5, 2018

@F0RIS

This comment has been minimized.

Copy link

F0RIS commented Jun 13, 2018

I'm having exactly same issue and can't install KB3033929. Having this - "The update is not applicable to your computer". I don't know how many people would get in same situation, but it's sad. Digging in why it can't be installed isn't the best pastime.

@drmuaz

This comment has been minimized.

Copy link

drmuaz commented Jun 23, 2018

@F0RIS I had the same issue. Try uninstalling 7.2 and simply unzip and install 7.1.

@F0RIS

This comment has been minimized.

Copy link

F0RIS commented Jun 24, 2018

@drmuaz I did that. But with that approach I will not able to use newer versions :/

@raphaelning raphaelning reopened this Jun 25, 2018

@raphaelning

This comment has been minimized.

Copy link
Contributor

raphaelning commented Jun 25, 2018

@F0RIS @drmuaz Sorry for the delay, I just reopened this issue. Are you also on Windows 7? Could you provide details about your Windows system:

  1. Version (check output of ver from a command prompt window)
  2. Edition (Home/Professional/Ultimate/Enterprise)
  3. Architecture (32-bit or 64-bit)
@F0RIS

This comment has been minimized.

Copy link

F0RIS commented Jun 25, 2018

@raphaelning
Microsoft Windows [Version 6.1.7601]
Win 7 Professional SP1
x64
My issue is same as @olizama had. But I just can't install needed update (KB3033929) for SHA-256 certificats. Thats it.

@drmuaz

This comment has been minimized.

Copy link

drmuaz commented Jun 25, 2018

@raphaelning

This comment has been minimized.

Copy link
Contributor

raphaelning commented Jun 26, 2018

@drmuaz Apparently you haven't installed Service Pack 1 yet, which is required by the patch:

Supported Operating System
Windows 7 Service Pack 1

@F0RIS I guess you probably have a dual OS setup (Windows + Linux) where the default boot loader is not the Windows boot loader. According to KB3033929:

Known issues with this security update

Issue 1

Some users cannot install this security update if their computers meet the following conditions:

  • Have a multiple-boot configuration of Windows and various distributions of Linux
  • Use a non-Windows boot loader
  • Have Windows and Linux installed on separate drives

If that's indeed the case, there will be no easy way for you to install the patch. We'll need to reconsider our driver signing policy for Windows 7--for example, should we just go back to SHA-1 for the Windows 7 driver, but keep using SHA-256 for the Windows 8/8.1 driver? Or is there a better option?

@F0RIS

This comment has been minimized.

Copy link

F0RIS commented Jun 27, 2018

@raphaelning
I definitely have SP1
image

And yes. I have dual OS setup. And of course my default boot loader is grub, because Windows' loader can't load linux. So yeah, may be you should switch back to SHA-1 for Windows 7.
About better options - I don't know what to suggest

@olizama

This comment has been minimized.

Copy link

olizama commented Jun 27, 2018

People will able to install the patch if they have windows 8, 8.1, 10 and Linux? With grub? Or those OS already have support for sha-256?

Edit


Looks like that windows patch has a lot of issues, and anyone having dual boot with grub loading windows will be unable to install it.

A way around it could be fix the windows MBR to make windows load by default then install the patch and once done, reinstall grub. I could take a hour or so.

But since Microsoft released that patch they didn't fixed the dual booting issue looks like they don't care.

@raphaelning

This comment has been minimized.

Copy link
Contributor

raphaelning commented Jun 28, 2018

Or those OS already have support for sha-256?

Right, SHA-256 is natively supported by Windows 8 and later.

may be you should switch back to SHA-1 for Windows 7.

Thanks, we're seriously considering this option, but we need to find out if that's allowed by Intel policy first.

@wlmsnmail

This comment has been minimized.

Copy link

wlmsnmail commented Aug 3, 2018

I followed the solution from Foris. Go to google search KB3033929, then download it, install it. Then reinstall HAXVM v7.2.0. Then run android studio, everything running flawlessly. Thannnnnnnnnnnnnnnnnnk you very much! I use Windows 7 pro sp1 64bit

@wcwang

This comment has been minimized.

Copy link
Contributor

wcwang commented Aug 14, 2018

@olizama @F0RIS @drmuaz HAXM v7.3.0 has been released for Windows. Could you try to install the latest release to see whether it works on your machine? Thanks.

@murtadaalwaely

This comment has been minimized.

Copy link

murtadaalwaely commented Aug 27, 2018

I was have same issue but now i have installed v3 and now its working ok

thanks

@wcwang

This comment has been minimized.

Copy link
Contributor

wcwang commented Aug 27, 2018

Thanks for @murtadaalwaely confirmation.

@wcwang wcwang closed this Aug 27, 2018

@cgutman

This comment has been minimized.

Copy link

cgutman commented Aug 31, 2018

For what it's worth, you can use signtool to sign the driver with a SHA1 signature then use the /as option to append a SHA256 signature on top of the SHA1. This signing method will be trusted even without the SHA256 patch on Win7 and still have the benefit of SHA256's stronger security on systems (including Win7) that have support for it.

There's a nice guide on the steps required on DigiCert's support portal (though the CA-specific steps will obviously vary): https://www.digicert.com/code-signing/code-signing-dual-signing-sha256-sha1.htm

@raphaelning

This comment has been minimized.

Copy link
Contributor

raphaelning commented Sep 4, 2018

Thanks, that's a brilliant idea! We'll give it a try.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment