virtio-win / virtio-win-guest-tools-installer


On first step add certificate(s) to cert:\LocalMachine\TrustedPublisher #11

Open ggzengel opened 4 years ago

ggzengel commented 4 years ago

I already made an issue at https://github.com/crobinso/virtio-win-pkg-scripts/issues/26. But I think the right place will be here.

Silent install with virtio-win-gt-x64.msi is not possible because Windows is asking for trust on the driver publisher. If you store, in the first step, the certificate at cert:\LocalMachine\TrustedPublisher the install will work.

vrozenfe commented 4 years ago

That's true for non WHQL-signed drivers. Properly WHQL-signed drivers should be installed silently.

ggzengel commented 4 years ago

Is there something planned because Virtio drivers are not WHQL-signed?

vrozenfe commented 4 years ago

WHQL-signed virtio-win drivers are available for downloading to RHEL customers only. Unfortunately, I am not aware of any plans to change this policy at the moment.

Vadim.

rgl commented 4 years ago

I believe what is being requested is to automatically trust the driver publisher certificate. For example, I'm using the following PowerShell script at https://github.com/rgl/windows-vagrant/blob/master/provision-guest-tools-qemu-kvm.ps1#L15-L24:

```powershell
# trust the qemu driver publisher certificate.
# NB this is needed for the qemu-gt silent installation to succeed.
# NB qemu-gt is bundled in virtio-win-guest-tools.exe.
$catPath = 'A:\netkvm.cat'
$cerPath = "$env:TEMP\$(Split-Path -Leaf $catPath)" -replace '\.cat$','.cer'
Write-Host "Getting the qemu driver publisher certificate from $catPath..."
$certificate = (Get-AuthenticodeSignature $catPath).SignerCertificate
Write-Host "Trusting the qemu $($certificate.Subject) driver publisher certificate..."
[System.IO.File]::WriteAllBytes($cerPath, $certificate.Export('Cert'))
Import-Certificate -CertStoreLocation Cert:\LocalMachine\TrustedPublisher $cerPath | Out-Null
```

Can we submit a PR to include this in the installer itself?

ggzengel commented 4 years ago

> I believe what is being requested is to automatically trust the driver publisher certificate.

Yes that's the title of this issue. I already posted this script:

```powershell
# Driver directory on the mounted virtio-win ISO (one OS/arch subtree).
$DriverPath = Get-Item "d:\virtio-win-0.1.173\*\2k12r2\amd64"

# Open the machine-wide TrustedPublisher store for writing.
$CertStore = Get-Item "cert:\LocalMachine\TrustedPublisher"
$CertStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)

# Every driver catalog (*.cat) carries the publisher certificate in its Authenticode signature.
Get-ChildItem -Recurse -Path $DriverPath -Filter "*.cat" | % {
    $Cert = (Get-AuthenticodeSignature $_.FullName).SignerCertificate

    Write-Host ( "Added {0}, {1} from {2}" -f $Cert.Thumbprint,$Cert.Subject,$_.FullName )

    $CertStore.Add($Cert)
}

$CertStore.Close()
```

FlorianHeigl commented 3 years ago

@ggzengel @rgl well it's good that there's two examples for how to do this. could you maybe try to work together to make one solution that you both find +++ good?

then people can submit a doc PR to make it an easy to follow procedure (that also includes the install with the msi)

Otherwise the RH play of not handing out WHQL drivers and trusting that the community will not be able to take the lead will always work.

gushmazuko commented 2 years ago

I found another solution:

  1. In your test environment, install the program fully and be sure to click Always trust software from [Publisher]
  2. Run certmgr.msc and navigate to Trusted Publishers then Certificates
  3. The certificate from the publisher will show up there. Right click and click All Tasks -> Export. Save the file.

You now have the certificate from the test environment. You need to import this to the computers being deployed to prior to the install. Simply run the following command in your install script before the program install:

```
certutil -addstore "TrustedPublisher" MyCertificate.cer
```

or

```powershell
Start-Process -FilePath 'C:\Windows\System32\certutil.exe' -ArgumentList '-addstore TrustedPublisher D:\MyCertificate.cer' -Wait
```

Link: http://www.migee.com/2010/09/24/solution-for-unattendedsilent-installs-and-would-you-like-to-install-this-device-software/
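The two scripts above both add whatever certificate signs the catalogs, so a combined variant that first checks the catalog signature is valid and pins the signer to a thumbprint you inspected by hand, then runs the MSI unattended, is shown here as an added example (not code from the virtio-win project or from the commenters). It assumes the ISO is mounted at D:\, that `virtio-win-gt-x64.msi` sits there, and that `$ExpectedThumbprint` is replaced with the real value.

```powershell
# Added example: trust the virtio-win driver publisher only after verifying the
# catalog signatures, then run the guest-tools MSI silently.
# Assumptions: $DriverRoot is the mounted virtio-win ISO, $MsiPath is the MSI on it,
# and $ExpectedThumbprint is a placeholder for the signer you have inspected by hand.
param(
    [string]$DriverRoot = 'D:\',
    [string]$MsiPath = 'D:\virtio-win-gt-x64.msi',
    [string]$ExpectedThumbprint = '<THUMBPRINT-OF-THE-INSPECTED-SIGNER-CERT>'
)

$ErrorActionPreference = 'Stop'
$findType = [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $seen = @{}
    Get-ChildItem -Path $DriverRoot -Recurse -Filter '*.cat' | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        # A catalog whose signature does not chain to a trusted root is not a safe source.
        if ($sig.Status -ne 'Valid') {
            Write-Warning ("Skipping {0}: signature status {1}" -f $_.FullName, $sig.Status)
            return   # acts as 'continue' inside ForEach-Object
        }
        $cert = $sig.SignerCertificate
        # Pin to the signer you checked; refuse anything else rather than trusting it blindly.
        if ($cert.Thumbprint -ne $ExpectedThumbprint) {
            Write-Warning ("Skipping {0}: unexpected signer {1}" -f $_.FullName, $cert.Thumbprint)
            return
        }
        if ($seen.ContainsKey($cert.Thumbprint)) { return }
        $seen[$cert.Thumbprint] = $true
        # Add once; the same certificate signs every catalog on the ISO.
        if ($store.Certificates.Find($findType, $cert.Thumbprint, $false).Count -eq 0) {
            Write-Host ("Adding {0} ({1}) to TrustedPublisher" -f $cert.Subject, $cert.Thumbprint)
            $store.Add($cert)
        } else {
            Write-Host ("{0} is already in TrustedPublisher" -f $cert.Thumbprint)
        }
    }
} finally {
    $store.Close()
}

# With the publisher trusted, the driver prompt no longer blocks the unattended install.
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList "/i `"$MsiPath`" /qn /norestart" -Wait -PassThru
if ($proc.ExitCode -ne 0 -and $proc.ExitCode -ne 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode)"
}
```

Exit code 3010 means the install succeeded but a reboot is pending, which is normal for driver packages.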