Open ggzengel opened 4 years ago
That's true for non-WHQL-signed drivers. Properly WHQL-signed drivers should be installed silently.
Is there something planned because Virtio drivers are not WHQL-signed?
WHQL-signed virtio-win drivers are available for downloading to RHEL customers only. Unfortunately, I am not aware of any plans to change this policy at the moment.
Vadim.
I believe what is being requested is to automatically trust the driver publisher certificate. For example, I'm using the following PowerShell script at https://github.com/rgl/windows-vagrant/blob/master/provision-guest-tools-qemu-kvm.ps1#L15-L24:
```powershell
# trust the qemu driver publisher certificate.
# NB this is needed for the qemu-gt silent installation to succeed.
# NB qemu-gt is bundled in virtio-win-guest-tools.exe.
$catPath = 'A:\netkvm.cat'
$cerPath = "$env:TEMP\$(Split-Path -Leaf $catPath)" -replace '\.cat$','.cer'
Write-Host "Getting the qemu driver publisher certificate from $catPath..."
$certificate = (Get-AuthenticodeSignature $catPath).SignerCertificate
Write-Host "Trusting the qemu $($certificate.Subject) driver publisher certificate..."
[System.IO.File]::WriteAllBytes($cerPath, $certificate.Export('Cert'))
Import-Certificate -CertStoreLocation Cert:\LocalMachine\TrustedPublisher $cerPath | Out-Null
```
Can we submit a PR to include this in the installer itself?
> I believe what is being requested is to automatically trust the driver publisher certificate.

Yes, that's the title of this issue. I already posted this script:
```powershell
$DriverPath = Get-Item "d:\virtio-win-0.1.173\*\2k12r2\amd64"
$CertStore = Get-Item "cert:\LocalMachine\TrustedPublisher"
$CertStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
Get-ChildItem -Recurse -Path $DriverPath -Filter "*.cat" | % {
    $Cert = (Get-AuthenticodeSignature $_.FullName).SignerCertificate
    Write-Host ( "Added {0}, {1} from {2}" -f $Cert.Thumbprint,$Cert.Subject,$_.FullName )
    $CertStore.Add($Cert)
}
$CertStore.Close()
```
@ggzengel @rgl Well, it's good that there are two examples of how to do this. Could you maybe try to work together to make one solution that you both find +++ good?
Then people can submit a doc PR to make it an easy-to-follow procedure (that also includes the install with the MSI).
Otherwise the RH play of not handing out WHQL drivers and trusting that the community will not be able to take the lead will always work.
I found another solution:
Always trust software from [Publisher]
certmgr.msc and navigate to Trusted Publishers, then Certificates, All Tasks -> Export. Save the file. You now have the certificate from the test environment. You need to import this to the computers being deployed to prior to the install. Simply run the following command in your install script before the program install:
```
certutil -addstore "TrustedPublisher" MyCertificate.cer
```
or
```powershell
Start-Process -FilePath 'C:\Windows\System32\certutil.exe' -ArgumentList '-addstore TrustedPublisher D:\MyCertificate.cer' -Wait
```
I already made an issue at https://github.com/crobinso/virtio-win-pkg-scripts/issues/26. But I think the right place will be here.
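
Both scripts in this thread add whatever certificate signed the catalog to TrustedPublisher. The following added example (not from the thread or the virtio-win project) checks the signature state and pins the signer to an expected thumbprint first. The function name `Add-PinnedDriverPublisher` is hypothetical, the thumbprint is a placeholder to be recorded out of band, and the driver path is the one used earlier in the thread.

```powershell
# Added example: only trust the catalog signer if it is the certificate you expect.
function Add-PinnedDriverPublisher {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $DriverPath,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
    $publisher = $null
    foreach ($cat in Get-ChildItem -Recurse -Path $DriverPath -Filter '*.cat') {
        $sig = Get-AuthenticodeSignature $cat.FullName
        # An unsigned or modified catalog must never contribute a trusted publisher.
        if ($null -eq $sig.SignerCertificate -or
            $sig.Status -in 'NotSigned', 'HashMismatch') {
            throw "Refusing $($cat.FullName): signature status $($sig.Status)"
        }
        $signer = $sig.SignerCertificate
        # Pin the publisher: any other signer aborts before the store is touched.
        if ($signer.Thumbprint -ne $expected) {
            $msg = "Refusing $($cat.FullName): unexpected signer $($signer.Subject) [$($signer.Thumbprint)]"
            throw $msg
        }
        $publisher = $signer
    }
    if ($null -eq $publisher) { throw "No .cat files found under $DriverPath" }

    $store = Get-Item 'Cert:\LocalMachine\TrustedPublisher'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        # Skip the add when the certificate is already present (idempotent re-runs).
        $found = $store.Certificates.Find('FindByThumbprint', $publisher.Thumbprint, $false)
        if ($found.Count -eq 0) {
            $store.Add($publisher)
            Write-Host "Trusted $($publisher.Subject) [$($publisher.Thumbprint)]"
        } else {
            Write-Host "Already trusted: $($publisher.Subject)"
        }
    } finally {
        $store.Close()
    }
}

# Placeholder thumbprint: replace with the value verified for your driver set.
Add-PinnedDriverPublisher -DriverPath 'd:\virtio-win-0.1.173\*\2k12r2\amd64' `
    -ExpectedThumbprint '<EXPECTED-PUBLISHER-THUMBPRINT>'
```

Run it from an elevated session; with the placeholder left in place it refuses every catalog and changes nothing.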