Certificate from Tom is not valid anymore
I tried to install Scream on my physical Win 11 machine.
I set the registry key (as I have Secure Boot enabled so BitLocker works) and rebooted.
When launching Install-x64 from the 4.0 release as admin, I get:
Scream3.9\Install\driver\x64\Scream.inf. devcon-x64 failed.
(image 1)
Same error for the 32-bit version and the 3.9 release.
It left behind an unrecognized device in the Device Manager, though.
Trying to find the reason, I go to the Device Manager and try to install the driver through the GUI: I get a message that Windows has found drivers in the folder but there was an error installing them: Scream (WDM), and that I should look on the website of the device manufacturer for drivers. (image 2)
Trying to narrow down the error further, I open the Scream security catalog in the driver section of the release. Here I get the error (translated from German):
Information for security catalog: the security catalog is invalid, the certificate used to sign it is invalid
I click on "view signature".
I get (again translated from German):
Information for digital signature: a required certificate is not within its valid period compared to the system time or the timestamp in the file
As my system time is set correctly, I click on "show cert":
This cert is either not valid anymore or not valid yet. Made for: Tom Kistner; made from: Sectigo RSA Code Signing CA; valid from: 6.7.2020; valid till: 7.7.2023
As we have 2024, I guess this is the problem. (image 3)
Is there a workaround? Will there be a release with a valid cert? How can I still install Scream?
Thanks for your project, I hope my English isn't too broken for you to understand.
You can work around this problem by manually changing your system time to an earlier point (2021 maybe),
then re-executing install-x64.bat as administrator.
Changing the date works indeed, but don't make it too early (like I did). This date works:
I'm stuck with this issue as I'm in an environment where there is no possibility to change the date/time to an incorrect one. That being on an Azure VM. Can we expect an updated cert for this driver?
Sorry, but no. Cross-signed does not work for kernel code any more, and the official way needs spending 4-figure sums, plus you need to jump through some burning hoops at Microsoft. If they would accept pure virtual driver code at all (the process is all about "Hardware").
FYI, in https://github.com/actions/runner-images/issues/2528#issuecomment-2132193207 I posted a script that works around this issue by re-signing the driver with a self-signed certificate and adding that certificate to the Windows trust store. This will only work if Windows is booted in test-signing mode, though.
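The certificate check described in the first post can also be done from a PowerShell prompt instead of the GUI dialogs. The script below is an added example, not part of the thread or of the Scream project; `$CatalogPath` and the helper `Get-ChainStatusAt` are names chosen here. It reports the signer's validity window, whether a timestamp certificate is present, and how the certificate chain evaluates at the current time compared with a time inside the validity window.

```powershell
# Added example (not from the thread): inspect the signature on a driver catalog.
param(
    # Path to the .cat file from the driver folder of the release (supplied by the user).
    [Parameter(Mandatory)] [string] $CatalogPath
)

# Build the chain for $Cert as of $When and return the resulting status flags.
function Get-ChainStatusAt {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [datetime] $When
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode   = 'NoCheck'   # offline: look at validity only
    $chain.ChainPolicy.VerificationTime = $When
    [void] $chain.Build($Cert)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
    if ($flags.Count -eq 0) { 'NoError' } else { $flags -join ', ' }
}

$sig    = Get-AuthenticodeSignature -FilePath $CatalogPath
$signer = $sig.SignerCertificate
if (-not $signer) {
    Write-Warning "No signer certificate found: $($sig.StatusMessage)"
    return
}

$now = Get-Date
# A point halfway through the certificate's validity period, for comparison.
$mid = $signer.NotBefore.AddDays(($signer.NotAfter - $signer.NotBefore).TotalDays / 2)

[pscustomobject]@{
    File             = $sig.Path
    Status           = $sig.Status
    StatusMessage    = $sig.StatusMessage
    Signer           = $signer.Subject
    Issuer           = $signer.Issuer
    NotBefore        = $signer.NotBefore
    NotAfter         = $signer.NotAfter
    ExpiredNow       = $now -gt $signer.NotAfter
    HasTimestampCert = [bool] $sig.TimeStamperCertificate
    ChainNow         = Get-ChainStatusAt -Cert $signer -When $now
    ChainMidValidity = Get-ChainStatusAt -Cert $signer -When $mid
} | Format-List
```

A `ChainNow` value containing `NotTimeValid` next to a clean `ChainMidValidity` corresponds to the "not within valid period" message quoted in the first post.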