zerotier / ZeroTierOne

A Smart Ethernet Switch for Earth
https://zerotier.com

Driver in Windows is signed by a different cert from the app, may cause extra warnings #1601

Open hj-collab opened 2 years ago

hj-collab commented 2 years ago

Following up on https://github.com/zerotier/ZeroTierOne/issues/851

Please take a look. Thank you!

glimberg commented 2 years ago

As noted on the other issue, the windows driver has been signed using an EV cert for years now.

hj-collab commented 2 years ago

@glimberg On further investigation of this issue, the problem is that ZeroTier directly stores the driver into the system. Instead, it has to install itself in the driver store and have Windows copy it to the system from the driver store. Tailscale/WireGuard follow all modern driver implementation practices and therefore are not blocked by WDAC.

someara commented 2 years ago

Hi @hj-collab. Thanks for investigating this. I'll try and get this fixed up within the next couple patch releases. -s

adamierymenko commented 2 years ago

Reopened because we are investigating this. Will need to figure out exactly how to reproduce first because this doesn't happen on clean Windows installs. It must require some kind of setting, policy, or extra software.

someara commented 2 years ago

I'm gonna work on reproducing this so we can write a test for it

glimberg commented 2 years ago

Posting this link here for reference on WDAC

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview

Allows you to whitelist things by code signature.

Current issues:

  1. Code sig is different between Driver & App bundle
  2. WDAC reportedly has issues with ZeroTier's current method of driver installing & loading

hj-collab commented 2 years ago

We use the following rule in our WDAC policy. It's self explanatory.


hj-collab commented 2 years ago

I think before testing anything else it should be made sure that the driver is compliant with the practices below. https://docs.microsoft.com/en-us/windows-hardware/drivers/develop/getting-started-with-windows-drivers


hj-collab commented 2 years ago

Hello. Is there any update on the issue?

hj-collab commented 2 years ago

Was any further investigation done on this issue? @glimberg

hj-collab commented 2 years ago

@glimberg Any update on this? It's saddening to see no resolution on it yet and no communication either. I am glad that we decided to use Tailscale instead of ZeroTier.

someara commented 2 years ago

Hello!

We have a fix in the works. Thank you for your patience

On Wed, Oct 5, 2022 at 9:38 AM hj-collab @.***> wrote:

@glimberg https://github.com/glimberg Any update on this? It's saddening to see no resolution on it yet and no communication too. I am glad that we decided to use Tailscale instead of ZeroTier.


hj-collab commented 1 year ago

@someara Any update?

someara commented 1 year ago

Unfortunately not yet. Sorry for the delay. Paging @rcoder

adamierymenko commented 1 year ago

We're doing some driver re-signing and will revisit this.

adamierymenko commented 1 year ago

This issue really is a hairball of multiple issues. One is that we should revisit how we are installing the driver, which I'm looking into. The second is that the way MS does attestation signatures is weird. Sometimes you end up with a driver containing only the Microsoft signature and nothing else, meaning it will be signed by a different authority (Microsoft) than the package. I checked some other apps like Parallels and found the same thing, so this is not unique to ZeroTier.

conioh commented 1 year ago

> @glimberg On further investigation of this issue the problem is ZeroTier directly stores the driver into system. Instead It has to install itself in the driver store and have windows copy it to the system from the driver store. Tailscale/WireGuard follow all modern driver implementation and therefore it's not blocked by WDAC.

Can you point at any documentation about these issues? I haven't heard that WDAC requires drivers to load from this rather than that directory.

Could you also provide instructions for a minimal reproduction, including the source XML policy file?

hj-collab commented 1 year ago

@adamierymenko I think being signed by a different authority is not an issue. Let me know when you guys are done re-signing. I'll give it a test. It will help to confirm whether the issue exists with the latest version of everything or not.

@conioh Please use the WDAC Wizard app to generate a policy. Use Allow Microsoft Mode in the base template. Do tick Require WHQL on the next page. Then whitelist the ZeroTier certificate by selecting the main zerotier binary or installer. Also whitelist the cert of the driver: C:\WINDOWS\system32\drivers\zttap300.sys


Please let us know how it goes. Thanks!
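The two points raised above (the driver and the app bundle carrying different code signatures, and the driver possibly being copied straight into System32\drivers instead of being staged in the driver store) can be checked on an affected machine before a WDAC policy is written. The following PowerShell script is an added example, not ZeroTier project code and not something posted in this thread. It assumes the driver path given above, `C:\WINDOWS\system32\drivers\zttap300.sys`; the application binary path is a placeholder that has to be replaced with the installed location, and the `zttap` filter on the driver-store listing is an assumption based on the driver file name.

```powershell
# Added example (not ZeroTier project code): compare the Authenticode signer of the
# ZeroTier Windows driver with the signer of the application binary, and check
# whether a driver package is staged in the Windows driver store. Run from an
# elevated PowerShell prompt.
param(
    [string]$DriverPath = 'C:\WINDOWS\system32\drivers\zttap300.sys',   # path from the issue thread
    [string]$AppPath    = 'C:\PLACEHOLDER\zerotier-one.exe'             # assumption: replace with the real binary
)

function Get-SignerSummary {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'FileNotFound'; Subject = $null; Issuer = $null; Thumbprint = $null }
    }
    # Get-AuthenticodeSignature reports only the primary signature. A file that
    # carries an additional nested (dual) signature needs `signtool verify /v /all`
    # to list every signer; an attestation-signed driver may show only Microsoft here.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Subject    = $sig.SignerCertificate.Subject
        Issuer     = $sig.SignerCertificate.Issuer
        Thumbprint = $sig.SignerCertificate.Thumbprint
    }
}

$driver = Get-SignerSummary -Path $DriverPath
$app    = Get-SignerSummary -Path $AppPath
$driver, $app | Format-List

# A WDAC publisher rule is keyed on the issuing CA plus the leaf certificate's
# subject name, so the comparison below is done at that level as well as on the
# exact certificate thumbprint.
if ($driver.Thumbprint -and $app.Thumbprint) {
    if ($driver.Thumbprint -eq $app.Thumbprint) {
        Write-Host 'Driver and app are signed with the same certificate: one rule covers both.'
    } elseif ($driver.Subject -eq $app.Subject -and $driver.Issuer -eq $app.Issuer) {
        Write-Host 'Different certificates but same publisher and CA: a publisher-level rule should cover both.'
    } else {
        Write-Warning 'Driver and app have different signers: the WDAC policy needs a separate rule for the driver signer.'
    }
}

# Driver store check: pnputil lists third-party packages staged in the store.
# Filtering on "zttap" is an assumption based on the driver file name.
$store = & pnputil.exe /enum-drivers 2>&1
if ($store -match 'zttap') {
    Write-Host 'A zttap driver package is staged in the driver store.'
} else {
    Write-Warning 'No zttap package found in the driver store; the driver may have been copied straight into System32\drivers.'
}
```

The signer comparison tells you whether a single publisher rule generated from the app binary in the WDAC Wizard will also admit the driver, or whether the driver's certificate has to be added as its own rule as described in the comment above. The driver-store check distinguishes the two installation methods discussed in the thread without needing a WDAC policy in place.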

adamierymenko commented 1 year ago

1.12 has removed a vestigial certificate ( #2048 ) but I am not sure if this has anything to do with this issue. Re-testing 1.12 on clean Windows installs for x86, x64, and arm64.