WireGuard makes new Windows release following Microsoft signing resolution (lists.zx2c4.com)
235 points by zx2c4 3 hours ago
zx2c4 3 hours ago
As I mentioned in the mailing list post, the Microsoft paperwork shuffling matter got dealt with rather quickly, following all the attention the HN thread from the other day got. And now we're finally out with an update!
NT programming is a lot of fun, though this release was quite challenging, because of all of the toolchain updates. On the plus side, we got to remove pre-Win10 support -- https://lists.zx2c4.com/pipermail/wireguard/2026-March/00954... . But did you know that Microsoft removed support for compiling x86 drivers in their latest driver SDK? So that was interesting to work around. There was also a fun change to the Go runtime included in this release: https://github.com/golang/go/commit/341b5e2c0261cc059b157f1c...
All and all, a fun release, and I'm happy to have the Windows release train cooking again.
sammy2255 3 hours ago
Good to know everything was resolved, but did you ever find out why your signing account was suspended? That's not something you brush off as haha silly Microsoft..
Xunjin 3 hours ago
They should definitely put up a statement addressing it. Moreover what they plan in the future to avoid such traumatic event, this is not a “simple sign program”, this touches fundamental parts of the OS.
SturgeonsLaw an hour ago
Microsoft are saying it's because those accounts didn't undergo verification for the Windows Hardware Program
https://www.theregister.com/2026/04/09/microsoft_dev_account...
Leherenn 3 hours ago
Apparently it's quite widespread, so I would assume a bug on their side. That's what support seemed to imply at least. We're still blocked at my company for one month+ now.
PeterStuer 2 hours ago
BLKNSLVR 3 hours ago
Off topic: Thanks for wireguard. It is a truly great piece of software.
EvanAnderson 37 minutes ago
I really appreciate what you wrote in that post re: dropping support for pre-Windows 10 operating systems.
e12e an hour ago
Somewhat on the side - but is there a wireguard that works well for ReactOS? Does the windows version just work fine?
Just curious how/if the version support might work out for ReactOS.
zx2c4 30 minutes ago
Good question! I've never tried. The NT driver makes use of some of the more advanced features of the networking stack, so possibly not. But you never know. I'd love a Wg4React.
politelemon 25 minutes ago
Your work is always appreciated.
unquietwiki 2 hours ago
Hey there, thank you for pushing this out. I saw there's a 0.6.1 update now, that also reboots the machine after updating. I don't remember if it said it'd do said reboot...
c0l0 3 hours ago
As a wireguard user myself (even on the lone Windows machine that I still begrundingly have), I am happy that this problem could have been resolved. I am just wondering - if there had not been this kind of public outcry and outrage that Mr. Donenfeld discounts in his announcement message, would the issue have been fixed by now?
What are individual developers of "lesser" (less important, less visible, less used) software with a Windows presence to do? Wait and pray for Goliath to make the first benevolent move, like all the folks who got locked out forever from their Google accounts on a whim? Ha!
The fact of the matter is, the code signing requirements on Windows are a serious threat to Free and Open Source Software on the platform. Code signing requirements are a threat to FOSS on all platforms that support this technique, and infinitely more so where it's effectively mandatory. I firmly believe that these days, THIS is the preferred angle/vector for Microsoft to kill the software variety their C-levels once publicly bad-mouthed as "cancer", and zx2c4 is one of the poor frogs being slowly boiled alive. Just not this time - yet.
sillysaurusx an hour ago
They would be ignored. Having an audience is key to getting problems solved, whether it’s a lone hacker or a large corporation. Without an audience, you have no leverage. At that point you might as well create a new Windows account and re-apply, since that would have more luck than getting around a “we’ve closed your account and there’s no appeal process” barrier.
If that sounds Kafkaesque, it is. It’s a small miracle that getting a post to the top of HN can surmount such bureaucracy at all.
The best way to get an audience is to tell a compelling story. Make it interesting. There are ways of doing that for even the least known developers.
My point is to push back against the idea that it should be fair to everyone and that what’s morally right should prevail in every case. The hardware developer program doesn’t exist to treat every developer fairly. They exist to make money for Microsoft. pg puts it more eloquently here: https://paulgraham.com/judgement.html
NetMageSCW 19 minutes ago
While this is a small problem for software (and hardware) that needs custom kernel drivers, or software that needs to run as administrator, you seem to have jumped a long way past that to rant about FOSS on Windows with no justification- general unsigned software works just fine on Windows as it always has.
x0x0 3 hours ago
I got a modestly-similar situation resolved by buying a support package and spending 4+ hours across ... not sure, but probably 4-5 support calls? It's been 5 years. If memory serves it was the $200/mo support package for Azure.
In retrospect, I should have not spent 3 weeks trying to get their incompetent software to work and just gone straight to phone calls. And at least in my case, the support agents seemed broadly unfamiliar, but seemed to have access to higher-priority internal case submission which did finally get to someone who could fix my issue.
looneysquash 43 minutes ago
But what would have happened if they weren't able to get Microsoft's attention through an outside channel (this site) and had to go through the normal process?
I'm glad it was resolved quickly for WireGuard, but I'm concerned the results won't generalize.
Also, thanks for WireGuard!
maltris 3 hours ago
LibreOffice, VeraCrypt, WireGuard. 2 questions:
Whats next?
Is that a pattern?
Lihh27 2 hours ago
yeah three projects, one account lock, everyone's users stop getting updates. that's the pattern
ChocolateGod 3 hours ago
What has LibreOffice got to do with any of this?
quantum_magpie 2 hours ago
MS has a history of fucking up LibreOffice installs.
https://wiki.documentfoundation.org/Faq/General/General_Inst...
elAhmo an hour ago
Terr_ 2 hours ago
Perhaps this from last year, though it doesn't directly involve code-signing: https://www.neowin.net/news/microsoft-bans-libreoffice-devel...
IvyMike 2 hours ago
Maybe this from 8 months ago?
manbash 3 hours ago
Happy to see it resolved and I hope the other developers are able to have the same experience.
By the way, was it only for the Windows application, or was wireguard-go was also affected?
zx2c4 3 hours ago
This was just for WireGuardNT, the kernel driver for the NT kernel that Windows uses.
This project -- https://git.zx2c4.com/wireguard-nt/about/ -- is used by this app -- https://git.zx2c4.com/wireguard-windows/about/ . The former is what the signing situation was about. The latter is just signed using a normal boring (but very expensive!) EV code signing certificate from one of the CAs.
Aurornis 26 minutes ago
There was a lot of speculation about this issue because readers assumed that WireGuard's was the only account that got locked. There was actually a wave of account locks that happened at the same time. If you only saw one of the headlines you might assume it was targeted or the result of some directed conspiracy, not the result of a widespread process.
Microsoft did a (very!) bad job of communicating what was happening, but The Register has more information:
> He explained that both deactivations were executed as part of the Windows Hardware Program's account verification procedures.
> The company published a blog in October, giving devs a two-week warning that if their accounts had not been verified since April 2024, Microsoft would issue mandatory account verification notifications.
> "We worked hard to make sure partners understood this was coming, from emails, banners, reminders," said Davuluri.
john_strinlai 3 hours ago
>The comments that followed were a bit off the rails. There's no conspiracy here from Microsoft. But the Internet discussion wound up catching the attention of Microsoft, and a day later, the account was unblocked, and all was well. I think this is just a case of bureaucratic processes getting a bit out of hand, which Microsoft was able to easily remedy. I don't think there's been any malice or conspiracy or anything weird.
it was a bit crazy how quickly people got conspiracy-minded about it.
microsoft fucked up, and as per typical big-tech, only fixed it when noise got made on social media. but not everything is a grand conspiracy orchestrated by microsoft or the government or whatever. incompetence is always more likely than malice.
any news from the veracrypt maintainers? i would imagine whatever microsoft employee got tasked with resolving this issue would have also seen that one.
---
edit: well, i certainly underestimated the response to this comment. my mistake for using a common saying rather than being extremely explicit when it comes to something as emotionally charged as microsoft. i dont think i have seen a comment of mine go up and down points so many times before.
what i intended to get across was: "this was not a deliberate, coordinated, purposeful attack on the wireguard project, at the behest of some microsoft executive, to accomplish some goal of making encrypted communication impossible or whatever. instead, this was the result of a stupid system, with a stupid resolution process (social media), that is still awful, but different in important ways from a deliberate attack. this is the typical scenario (stupid system, stupid resolution). the non-typical scenario would be a deliberate choice made and executed by microsoft employees to suddenly destroy a popular project".
i shortened the above paragraph to the common saying "incompetence is always more likely than malice". i shouldnt have. my bad.
anonymous908213 3 hours ago
> incompetence is always more likely than malice.
"Incompetence" of this degree is malice. It is actively malicious to create a system that automatically locks people out of their accounts with absolutely no possibility for human review or recourse short of getting traction in the media. "No sir, I didn't grind those orphans up. It was this orphan grinding machine I made that did it, teehee!"
john_strinlai 3 hours ago
i am positive that you understand the spirit of what that saying means.
incompetence is always more likely than [intentional, directed] malice.
microsoft employees did not deliberately attack the wireguard project with a goal of taking it down for whatever grand scheme people's hatred cooks up. if you have evidence that microsoft did this deliberately to ruin the wireguard project, please forward it along to jason (the wireguard maintainer) and several news outlets.
tialaramex 3 hours ago
bronson 3 hours ago
wtallis 3 hours ago
acedTrex 3 hours ago
izacus 8 minutes ago
r14c 3 hours ago
trinsic2 3 hours ago
With the way things are going right now with all the corruption in governments and corporations were way past the point of giving the benefit of the doubt. These organizations are clearly making changes to their OS's to slowly remove user control.
Everything should be treat as suspicious moving forward and I am glad of the skepticism.
sscaryterry 3 hours ago
The question is, did they notify the user that the account was blocked, or was it done silently? My money is on the latter, obviously I don’t know, just my guess. Was there a reason? Blocked is semantically harsher, than it has been disabled.
billziss 2 hours ago
Scaled 2 hours ago
Society is a bit fatigued of big tech companies making their various accounts essential and then locking people out of them without any due process.
john_strinlai 2 hours ago
yes, i am in agreement. i tried to be extremely clear in my edit that i think that the whole social media being the only way to get an account back is crazy stupid.
orbital-decay 2 hours ago
All this doesn't matter. What matters is the destructive potential and a breach of trust. CAs have been distrusted for less.
john_strinlai 2 hours ago
>CAs have been distrusted for less.
root programs are super specific about root cause analysis, what actions lead up to distrust, differentiating deliberate maliciousness from systemic incompetence, etc.
its like the exact opposite of "all this doesnt matter".
of course they still look at the outcome (danger to users, etc.), typically as a first step. but they take great care to determine exactly what lead up to a specific outcome.
orbital-decay an hour ago
dec0dedab0de 2 hours ago
Microsoft lost the benefit of the doubt decades ago.
TiredOfLife 2 hours ago
> it was a bit crazy how quickly people got conspiracy-minded about it.
That's just the side effect of the Soross tracking chips hidden in vaccines activated by 5g towers
BLKNSLVR 3 hours ago
Conspiracy 1: rules from on-high about encryption projects to be suppressed. Debunked.
Conspiracy 2: Copilot all the things! Probably not too far off.
john_strinlai 3 hours ago
i think they have explicitly made it clear that they want to copilot all of the things (unfortunately), so i dont quite file it under the conspiracy label.
wongarsu 2 hours ago
IshKebab 2 hours ago
I don't think you can let them off that easily, given that the only effective support channel was "get to the front page of hacker news", which isn't usually an option.
shevy-java 17 minutes ago
What's going on at Microsoft? Why did they suddenly declare war on VPN and related software projects?