Deal with expired MS driver signing certificate on Windows 7/8/8.1 class systems #751

Closed
fyodor opened this issue Sep 5, 2024 · 1 comment

@fyodor
Member

fyodor commented Sep 5, 2024

Our previous EV codesigning certificate expired and our new one (which we'll use for the upcoming Npcap 1.80 release) does not chain to a Microsoft cross-certificate since they eliminated that program years ago. For newer versions of Windows, we use Microsoft's attestation signing program instead. But that's not supported for Windows 7, Windows 8, Windows 8.1, and Windows Server releases up to 2012R2. All of these are considered EOL by Microsoft now although MS is still offering expensive Extended Security Updates (ESU) for enterprise Windows Server 2012R2 users until October 13, 2026. Our options for these old systems would be to install:

  1. The latest driver, signed with a non-MS-chained cert. Will probably at least require the user to click "trust this publisher" during installation, though it's possible it will just work on many systems and just fail on some others. On the first Win7 system we tested, the installation succeeded and then a popup says it needs a signed driver. Npcap subsequently didn't work.
  2. The Npcap 1.79 driver, signed with an MS-chained cert. Still may not work on every system since the DigiCert CA cert in that chain expired in 2021. It does work on recent tests with our Win7 test system that fails with the 1.80 release candidate.
  3. The Npcap 1.30 driver, a.k.a. /prior_driver=yes, which was signed prior to any of these expirations, so ought to work everywhere.

Our current plan for 1.80 and future releases is:

  • By default, install the 1.79 driver on these ancient systems since anything newer is unlikely to work (per our initial testing).
  • We will provide a command-line option for people to install the newest Npcap driver even on these ancient systems for testing, etc. Maybe it will still work in some cases, like if the user has disabled driver signing checks.
  • Users can still specify /prior_driver=yes so that Version 1.30 (should work in all cases) is installed on these old systems.

In all cases above, the latest Npcap will be installed on modern Windows systems (Win10, Win 11, ARM, etc.).

@dmiller-nmap
Contributor

These changes were introduced in Npcap 1.80. The GUI options have corresponding CLI options:

  • /prior_driver=yes installs Npcap 1.30 driver
  • /latest_driver=yes attempts to install Npcap 1.80 driver (or the most recent driver in subsequent releases)
  • Default is to install Npcap 1.79 driver

None of these have any effect on Windows 10 or later. Both options will accept "yes", "no", "enforced", or "disabled" keywords.
