Open stumbaumr opened 4 years ago
The certs might be here already, so possibly automatable with network access: https://fedorapeople.org/groups/virt/unattended/drivers/postinst/spice-guest-tools/0.141/
Shortly we are looking to add an installer on the iso too which will do it automatically. But yes I think it's fair to also add the cert files directly on the iso too
Thanks for that that link, but that virtio-0.141.cer Certificate expired on 30.12.2018 (12/30/2018, 2018-12-30). I can import it using certutil.exe, but the PopUp still appears...
I just extracted the current RedHat Certificate from the NetKVM\2k16\amd64\netkvm.cat file and used
certutil.exe -addstore -f "TrustedPublisher" "RedHat-2022-01-26.cer"
to install it to the cert store before installing the drivers silently.
Works, but the extraction process is IMHO additional and unnecessary work...
Maybe also have a look at https://chocolatey.org/packages/virtio-drivers . Automated silent installations on Microsoft are broken on so many levels...
@fidencio I'm kinda ignorant here. Didn't you have to track down a cert for libosinfo stuff recently? Can you provide some input?
@crobinso, @stumbaumr,
So, what I've done in the past with certificates was:
Ideally, we should have the certificates shipped, as its own file, as part of the drivers. However, I'm not exactly sure how easy would be to do that but that's totally worth investigation.
Does my reply answer the question raised?
I think so. Sounds like the cert rarely changes so maybe it's fine to keep a copy in the virtio-win-pkg-scripts repo and stuff it into the iso/rpm
Hi, thanks for looking into this.
If you have a look at this we are currently extracting the certificate from an installation file: https://github.com/DDoSolitary/chocolatey-packages/blob/master/virtio-drivers/tools/chocolateyInstall.ps1
It is important to be in sync with the actual installation files.
And on another note: If you change the ISOs content, give it a new version...
Hi,
I would like to automate the installation and upgrade of VirtIO-drivers.
To get past the "Accept the RedHat-Certificate to install"-Popup I want to use certutil.exe to import the required certificate before running pnputil. (see https://community.spiceworks.com/how_to/24713-silent-install-of-software-that-has-an-unsigned-driver ).
Can you please add the certificate in a folder or top-level on the ISO so it is easier to script the import/installation?
Best regards and Thanks Rainer