virtio-win / virtio-win-pkg-scripts

Scripts for packaging virtio-win drivers
GNU General Public License v2.0

RedHat signature in https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso is expired #57

Open dmachaj opened 2 years ago

dmachaj commented 2 years ago

The direct links to both stable and latest point to virtio-win-0.1.215.iso at this time. The RedHat signature used to sign the drivers in that image expired on 1/25/2022. As a result I am unable to get the certificate installed as a root Trusted Publisher on a Windows client because it is rejected for expiry reasons.

Is there a new release available with a non-expired signature? Thank you.

vrozenfe commented 2 years ago

@dmachaj You are right. Unfortunately, the RH signature is expired and we cannot use it anymore for the driver signing purpose. The good thing is that this problem should affect Win8/Win8.1/WS2012(R2) drivers only. All Win10+ drivers should be attestation signed, which lets them be installed even on UEFI platforms without any problem.

Currently we are planning to release test-signed drivers for Win8+ platforms and attestation signed drivers for Win10+. We will try to improve this situation as much as possible.

Best, Vadim.

dmachaj commented 2 years ago

My immediate problem is that installing the drivers and integration tools will show the "Do you trust this publisher?" UI for Red Hat, even when running the installers in /quiet mode. That UI prevents them from installing from the command-line which is what I need.

Importing the certificate to the machine-scope TrustedPublishers list solves that problem. Because the certificate is expired the PowerShell Import-Certificate cmdlet will reject the certificate. However, certutil -addstore -f "TrustedPublisher" certificate.cer does not reject it, allowing the import to succeed.

Long story short - I have a viable workaround to accomplish my goal. It would be easier if the certificate was not expired, but it is not a total blocker.
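
The workaround in the comment above, as an added example that is not part of the original thread: a PowerShell script that checks the certificate file is the one that actually signed driver catalogs before adding it to the machine Trusted Publishers store with the certutil command quoted there. The paths C:\drivers\certificate.cer and C:\drivers\virtio are assumed placeholders.

```powershell
# Added example. Both paths are assumed placeholders, not values from the thread.
$CertPath  = 'C:\drivers\certificate.cer'   # exported publisher certificate
$DriverDir = 'C:\drivers\virtio'            # folder holding the extracted drivers

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$expired = $cert.NotAfter -lt (Get-Date)
Write-Host "Subject: $($cert.Subject)"
Write-Host "Thumbprint: $($cert.Thumbprint)  NotAfter: $($cert.NotAfter)  Expired: $expired"

# Read the Authenticode signer of every catalog file in the driver folder.
$sigs = Get-ChildItem -Path $DriverDir -Recurse -Filter *.cat |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName }

# Keep only catalogs signed by exactly this certificate (match on thumbprint,
# not on subject name, which anyone can put in a self-issued certificate).
$signedByCert = @($sigs | Where-Object {
    $_.SignerCertificate -and $_.SignerCertificate.Thumbprint -eq $cert.Thumbprint
})

if ($signedByCert.Count -eq 0) {
    throw "No catalog under $DriverDir is signed by this certificate; not importing."
}

# Show signature status and whether a timestamp countersignature is present.
$signedByCert | Select-Object Path, Status,
    @{ Name = 'Timestamped'; Expression = { [bool]$_.TimeStamperCertificate } } |
    Format-Table -AutoSize

# Machine-scope import with the certutil command quoted in the comment above
# (needs an elevated prompt).
certutil -addstore -f "TrustedPublisher" $CertPath
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

# Confirm the certificate landed in the machine Trusted Publishers store.
Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object Thumbprint -eq $cert.Thumbprint |
    Format-List Subject, Thumbprint, NotAfter
```

Recording the printed thumbprint alongside the image build makes it possible to audit later which publisher certificate was trusted and to remove it from the store once a re-signed driver release replaces it.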