virtio-win-pkg-scripts

Add the signing certificate to the ISO on top level

Open stumbaumr opened this issue 6 years ago • 7 comments

Hi,

I would like to automate the installation and upgrade of VirtIO-drivers.

To get past the "Accept the RedHat-Certificate to install"-Popup I want to use certutil.exe to import the required certificate before running pnputil. (see https://community.spiceworks.com/how_to/24713-silent-install-of-software-that-has-an-unsigned-driver ).

Can you please add the certificate in a folder or top-level on the ISO so it is easier to script the import/installation?

Best regards and Thanks Rainer

stumbaumr avatar Oct 02 '19 22:10 stumbaumr

The certs might be here already, so possibly automatable with network access: https://fedorapeople.org/groups/virt/unattended/drivers/postinst/spice-guest-tools/0.141/

Shortly we are looking to add an installer on the iso too which will do it automatically. But yes I think it's fair to also add the cert files directly on the iso too

crobinso avatar Oct 02 '19 22:10 crobinso

Thanks for that link, but that virtio-0.141.cer certificate expired on 30.12.2018 (12/30/2018, 2018-12-30). I can import it using certutil.exe, but the PopUp still appears...

I just extracted the current RedHat Certificate from the NetKVM\2k16\amd64\netkvm.cat file and used

certutil.exe -addstore -f "TrustedPublisher" "RedHat-2022-01-26.cer"

to install it to the cert store before installing the drivers silently.

Works, but the extraction process is IMHO additional and unnecessary work...

stumbaumr avatar Oct 03 '19 08:10 stumbaumr

Maybe also have a look at https://chocolatey.org/packages/virtio-drivers . Automated silent installations on Microsoft are broken on so many levels...

stumbaumr avatar Oct 03 '19 10:10 stumbaumr

@fidencio I'm kinda ignorant here. Didn't you have to track down a cert for libosinfo stuff recently? Can you provide some input?

crobinso avatar Jan 19 '20 17:01 crobinso

@crobinso, @stumbaumr,

So, what I've done in the past with certificates was:

  • Install a Windows guest;
  • Install the drivers and deal with the PopUp;
  • Go to the certutil / certmanager / whatever it's called and export the public part of the certificate;
  • Add the public part of the certificate to the location where I would get the drivers from;

Ideally, we should have the certificates shipped, as its own file, as part of the drivers. However, I'm not exactly sure how easy it would be to do that, but that's totally worth investigating.

Does my reply answer the question raised?

fidencio avatar Jan 20 '20 08:01 fidencio

I think so. Sounds like the cert rarely changes so maybe it's fine to keep a copy in the virtio-win-pkg-scripts repo and stuff it into the iso/rpm

crobinso avatar Jan 20 '20 22:01 crobinso

Hi, thanks for looking into this.

If you have a look at this we are currently extracting the certificate from an installation file: https://github.com/DDoSolitary/chocolatey-packages/blob/master/virtio-drivers/tools/chocolateyInstall.ps1

It is important to be in sync with the actual installation files.

And on another note: If you change the ISOs content, give it a new version...

stumbaumr avatar Jan 21 '20 06:01 stumbaumr
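
The workflow discussed in this thread (take the signer certificate from the driver catalog so it stays in sync with the installation files, add it to TrustedPublisher with certutil.exe, then install with pnputil), as an added PowerShell example that is not code from the virtio-win project or the linked Chocolatey package. The drive letter, the scratch file name and the pinned thumbprint are assumptions or placeholders; the thumbprint check is an addition, so that only the expected publisher ends up trusted.

```powershell
#Requires -RunAsAdministrator
# Added example: not from the virtio-win project or the Chocolatey package.
param(
    [string]$DriverDir = 'E:\NetKVM\2k16\amd64',          # assumption: ISO mounted as E:
    [string]$ExpectedThumbprint = '<PINNED-THUMBPRINT>',  # placeholder: obtain out of band
    [string]$CerPath = "$env:TEMP\virtio-signer.cer"      # assumption: scratch file name
)
$ErrorActionPreference = 'Stop'

# Read the signature of the catalog that covers the driver package.
$sig = Get-AuthenticodeSignature -FilePath (Join-Path $DriverDir 'netkvm.cat')
if ($sig.Status -ne 'Valid' -or $null -eq $sig.SignerCertificate) {
    throw "Catalog signature not usable: $($sig.Status) $($sig.StatusMessage)"
}
$cert = $sig.SignerCertificate

# Only trust the expected publisher: drivers signed by a TrustedPublisher
# entry install without a prompt, so this store should stay minimal.
if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpper().Replace(' ', '')) {
    throw "Unexpected signer '$($cert.Subject)' ($($cert.Thumbprint))"
}

# Report expiry, since the thread ran into an expired certificate file.
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Signer certificate expired on $($cert.NotAfter.ToString('yyyy-MM-dd'))"
}

# Export the public part (DER) and import it with the certutil call from the thread.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($CerPath, $der)
& certutil.exe -addstore -f 'TrustedPublisher' $CerPath
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

# Stage and install the drivers from the same directory the catalog came from.
& pnputil.exe /add-driver (Join-Path $DriverDir '*.inf') /install
if ($LASTEXITCODE -ne 0) { Write-Warning "pnputil exit code $LASTEXITCODE" }
```

With the placeholder thumbprint left in place the script stops before importing anything, which is the intended behaviour until a value verified out of band is supplied.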