Open jborean93 opened 2 years ago
Hi @jborean93,
If you are looking for an immediate workaround, you can enable test signing on the VM. Run with administrator rights:
bcdedit /set testsigning on
and reboot.
Thanks for the workaround, I'm attempting to see if I can just resign them myself with my own certificate. Currently working through New-FileCatalog and generating my cert, will let you know how I go.
Just noticed that viostor for 2k12 and 2k12R2 are also affected by this same problem. Unfortunately that's even more difficult to deal with, as these are needed to install Windows on a virtio-backed HDD.
What's funny is that qemufwcfg, qemupciserial, and smbus are completely unchanged in actual substance between 0.1.215-2 and 0.1.217-1. Yet in the latter version, the same exact driver files (literally just .infs for these) are now self-signed, rather than signed with a valid certificate.
(pvpanic maybe has somewhat of an actual excuse, since I think the driver file was actually changed in some actual manner between 0.1.215-2 and 0.1.217-1.)
It's a bit silly to release a new version and have several drivers go from valid-signature status to self-signed status when nothing in those drivers actually changed.
Oh and because of the self-signed-ness, the installer gets pissed off and refuses to complete the installation. (I don't have test signing turned on; presumably if I did, the installation would succeed.) MSI log excerpt:
[...]
DIFXAPP: ENTER: InstallDriverPackages()
DIFXAPP: INFO: 'CustomActionData' property 'DIFxApp Version' is '2.1'.
DIFXAPP: INFO: 'CustomActionData' property 'UI Level' is '5'.
DIFXAPP: INFO: 'CustomActionData' property 'componentId' is '{544B33DA-A7E0-44D2-9DB0-CACA3B842DA3}'.
DIFXAPP: INFO: 'CustomActionData' property 'componentPath' is 'C:\Program Files\Virtio-Win\Pvpanic\'.
DIFXAPP: INFO: 'CustomActionData' property 'flags' is 0x6.
DIFXAPP: INFO: 'CustomActionData' property 'installState' is '2'.
DIFXAPP: INFO: 'CustomActionData' property 'ProductName' is 'Virtio-win-driver-installer'.
DIFXAPP: INFO: 'CustomActionData' property 'ManufacturerName' is 'Red Hat, Inc.'.
DIFXAPP: INFO: user SID of user performing the install is 'S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1001'.
DIFXAPP: INFO: opening HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1001\Software\Microsoft\Windows\CurrentVersion\DIFxApp\Components\{544B33DA-A7E0-44D2-9DB0-CACA3B842DA3} (User's SID: 'S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1001') ...
DIFXAPP: INFO: ENTER: DriverPackageInstallW
DIFXAPP: INFO: RETURN: DriverPackageInstallW (0xE0000247)
DIFXAPP: ERROR: encountered while installing driver package 'C:\Program Files\Virtio-Win\Pvpanic\pvpanic.inf'
DIFXAPP: ERROR: InstallDriverPackages failed with error 0xE0000247
DIFXAPP: RETURN: InstallDriverPackages() 3758096967 (0xE0000247)
CustomAction MsiInstallDrivers returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 21:28:23: InstallFinalize. Return value 3.
MSI (s) (D8:F0) [21:28:23:902]: Note: 1: 2265 2: 3: -2147287035
MSI (s) (D8:F0) [21:28:23:902]: User policy value 'DisableRollback' is 0
MSI (s) (D8:F0) [21:28:23:902]: Machine policy value 'DisableRollback' is 0
MSI (s) (D8:F0) [21:28:23:979]: Note: 1: 2318 2:
MSI (s) (D8:F0) [21:28:23:991]: Executing op: Header(Signature=1397708873,Version=500,Timestamp=1421650826,LangId=1033,Platform=589824,ScriptType=2,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=1)
MSI (s) (D8:F0) [21:28:23:991]: Executing op: DialogInfo(Type=0,Argument=1033)
MSI (s) (D8:F0) [21:28:23:994]: Executing op: DialogInfo(Type=1,Argument=Virtio-win-driver-installer)
MSI (s) (D8:F0) [21:28:24:001]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1])
Action 21:28:24: Rollback. Rolling back action:
[...]
So basically what's happening here is that DriverPackageInstallW is returning ERROR_DRIVER_STORE_ADD_FAILED, presumably because the signature isn't valid. And then the installer helpfully does a complete rollback of everything it had done up to that point and tells the user to go do something productive with their life instead of trying to install virtio drivers.
The problem with Win10 pvpanic and stub drivers should be fixed in https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-0.1.217-2/virtio-win-gt-x64.msi. Win8 drivers need test signing enabled in the BCD and our test-signing cert installed in the Root and TrustedPublisher certificate stores. I'm going to add this certificate to the virtio-win package in the next (latest) build.
Best, Vadim.
Can you confirm that the self-signed cert you are now using will not have the following constraint:
X509v3 Basic Constraints: critical
CA:TRUE
This makes it impossible to trust the certificate manually rather than enabling test signing.
@jborean93 Confirmed. The new certificate was created without the "-cy authority" flag to make sure that it has no Basic Constraints property. This change was required to fix the embedded signature issue https://bugzilla.redhat.com/show_bug.cgi?id=2082021. The new certificate is effective from build 221, which is planned to be used as the base for the next "latest" rpm.
Vadim.
Awesome, thanks for the confirmation.
Describe the bug
The drivers for pvpanic, qemufwcfg, and qemupciserial in virtio-win 0.1.217 are signed with a self-signed certificate. As well as this, it has a CA constraint set, which stops you from importing the self-signed cert as a trusted root authority and then installing the driver. Here is the certificate used for pvpanic as a PEM file. The contents decoded by OpenSSL are:
You can verify that the issuer and subject match and the basic constraints have CA:TRUE set.
To Reproduce
Attempting to install one of these drivers on Windows will fail. The security details show the chain is not signed by a trusted root authority.
When manually trusting the cert by importing it into the root store it still fails due to the basic constraints being violated (a CA cert being used as an end entity).
Expected behavior
The driver(s) to be installable like the other drivers in the virtio package, or, even if self-signed, the basic constraints set properly to allow it to be trusted and installed manually.
I'm unsure what the policy is behind signing these drivers and whether it is possible to sign these 3 like the rest of them, but it should be possible to install these drivers somehow.
Screenshots
Added above in line where mentioned.
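The check the report and the "CA:TRUE" question above describe, as an added example that is neither the reporter's nor the virtio-win project's code: it builds two self-signed certificates with OpenSSL, one carrying the critical CA:TRUE Basic Constraints the 0.1.217 drivers shipped with and one without it, then compares issuer with subject and reads the Basic Constraints the way you would before trying to trust a driver cert manually. The common name, file names and function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not virtio-win code: build two self-signed certs with OpenSSL
# (one with the CA:TRUE Basic Constraints that 0.1.217 shipped, one without)
# and run the issuer/subject and Basic Constraints check from the report.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert OUT.pem CA:TRUE|CA:FALSE
# Uses a minimal config so the only v3 extension is Basic Constraints and the
# result does not depend on the system openssl.cnf. The CN is constructed.
make_cert() {
  cat > "$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = Constructed Test Signing Cert
[ext]
basicConstraints = critical, $2
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" \
    -keyout "$WORK/key.pem" -out "$1" 2>/dev/null
}

# check_driver_cert CERT.pem
# Returns 0 if the cert can be imported and trusted manually as an end entity,
# 1 if it carries CA:TRUE (a CA cert used as the signer, which Windows rejects).
check_driver_cert() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//')
  iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^[a-z]*= *//')
  bc=$(openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | tail -n 1 | tr -d ' ')
  if [ "$subj" = "$iss" ]; then echo "self-signed: yes ($subj)"; else echo "self-signed: no"; fi
  echo "basic constraints: ${bc:-absent}"
  case "$bc" in
    CA:TRUE) echo "verdict: CA cert used as end entity; manual trust will not work"; return 1 ;;
    *)       echo "verdict: end-entity cert; can be trusted manually"; return 0 ;;
  esac
}

make_cert "$WORK/broken.pem" CA:TRUE    # shape shipped in 0.1.217
make_cert "$WORK/fixed.pem"  CA:FALSE   # shape from build 221 onward
for c in broken fixed; do
  echo "== $c.pem"
  check_driver_cert "$WORK/$c.pem" || true
done
```

Run the same check_driver_cert function against the PEM exported from a driver's signature to see whether the cert is something you can trust manually or whether only test signing will get the driver installed.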