virtio-win / virtio-win-pkg-scripts

Scripts for packaging virtio-win drivers
GNU General Public License v2.0

Add the signing certificate to the ISO on top level #17

Open stumbaumr opened 4 years ago

stumbaumr commented 4 years ago

Hi,

I would like to automate the installation and upgrade of VirtIO-drivers.

To get past the "Accept the RedHat-Certificate to install"-Popup I want to use certutil.exe to import the required certificate before running pnputil. (see https://community.spiceworks.com/how_to/24713-silent-install-of-software-that-has-an-unsigned-driver ).

Can you please add the certificate in a folder or top-level on the ISO so it is easier to script the import/installation?

Best regards and Thanks Rainer

crobinso commented 4 years ago

The certs might be here already, so possibly automatable with network access: https://fedorapeople.org/groups/virt/unattended/drivers/postinst/spice-guest-tools/0.141/

Shortly we are looking to add an installer on the iso too which will do it automatically. But yes I think it's fair to also add the cert files directly on the iso too

stumbaumr commented 4 years ago

Thanks for that link, but that virtio-0.141.cer Certificate expired on 30.12.2018 (12/30/2018, 2018-12-30). I can import it using certutil.exe, but the PopUp still appears...

I just extracted the current RedHat Certificate from the NetKVM\2k16\amd64\netkvm.cat file and used

certutil.exe -addstore -f "TrustedPublisher" "RedHat-2022-01-26.cer"

to install it to the cert store before installing the drivers silently.

Works, but the extraction process is IMHO additional and unnecessary work...
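The extract-then-import step described in the comment above, as an added PowerShell example that is not part of the thread or the project's scripts. It assumes the ISO is mounted at E:\, that `Get-AuthenticodeSignature` returns the signer for the catalog file, and that the expected thumbprint was obtained out-of-band (a placeholder is used here); the certificate is only trusted if the catalog signature validates and the signer matches that pin.

```powershell
# Added example. Assumptions: drive letter E:, output path, and the pinned thumbprint placeholder.
param(
    [string]$CatalogPath        = 'E:\NetKVM\2k16\amd64\netkvm.cat',  # catalog named in the thread
    [string]$ExpectedThumbprint = '<EXPECTED-THUMBPRINT>',            # placeholder, obtain out-of-band
    [string]$CerPath            = (Join-Path $env:TEMP 'virtio-signer.cer')
)
$ErrorActionPreference = 'Stop'

# 1. Read the signer from the same catalog that will be installed, so the
#    imported certificate is always in sync with the drivers on this ISO.
$sig = Get-AuthenticodeSignature -FilePath $CatalogPath
if ($sig.Status -ne 'Valid') {
    throw "Catalog signature is '$($sig.Status)': $($sig.StatusMessage)"
}
$cert = $sig.SignerCertificate

# 2. Refuse to trust a publisher we did not expect. Without this pin, any
#    validly signed catalog on the media would get its signer trusted.
$pin = ($ExpectedThumbprint -replace '\s', '')
if ($cert.Thumbprint -ne $pin) {
    throw "Unexpected signer '$($cert.Subject)' (thumbprint $($cert.Thumbprint))"
}

# 3. Skip the import when the certificate is already a trusted publisher.
$present = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($present) {
    Write-Output "Signer already in TrustedPublisher: $($cert.Subject)"
    return
}

# 4. Export as DER and import with the certutil command used in the thread.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($CerPath, $der)
& certutil.exe -addstore -f 'TrustedPublisher' $CerPath
if ($LASTEXITCODE -ne 0) {
    throw "certutil failed with exit code $LASTEXITCODE"
}
Write-Output "Imported $($cert.Subject), valid until $($cert.NotAfter.ToString('yyyy-MM-dd'))"
# The silent driver installation (pnputil) runs after this point.
```

Run it elevated, since it writes to the machine-wide TrustedPublisher store.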

stumbaumr commented 4 years ago

Maybe also have a look at https://chocolatey.org/packages/virtio-drivers . Automated silent installations on Microsoft are broken on so many levels...

crobinso commented 4 years ago

@fidencio I'm kinda ignorant here. Didn't you have to track down a cert for libosinfo stuff recently? Can you provide some input?

fidencio commented 4 years ago

@crobinso, @stumbaumr,

So, what I've done in the past with certificates was:

Ideally, we should have the certificates shipped, as its own file, as part of the drivers. However, I'm not exactly sure how easy it would be to do that, but that's totally worth investigation.

Does my reply answer the question raised?

crobinso commented 4 years ago

I think so. Sounds like the cert rarely changes so maybe it's fine to keep a copy in the virtio-win-pkg-scripts repo and stuff it into the iso/rpm

stumbaumr commented 4 years ago

Hi, thanks for looking into this.

If you have a look at this we are currently extracting the certificate from an installation file: https://github.com/DDoSolitary/chocolatey-packages/blob/master/virtio-drivers/tools/chocolateyInstall.ps1

It is important to be in sync with the actual installation files.

And on another note: If you change the ISOs content, give it a new version...