Add the signing certificate to the ISO on top level #17

Open
stumbaumr opened this issue Oct 2, 2019 · 7 comments

Comments

@stumbaumr

Hi,

I would like to automate the installation and upgrade of VirtIO-drivers.

To get past the "Accept the RedHat-Certificate to install"-Popup I want to use certutil.exe to import the required certificate before running pnputil.
(see https://community.spiceworks.com/how_to/24713-silent-install-of-software-that-has-an-unsigned-driver ).

Can you please add the certificate in a folder or top-level on the ISO so it is easier to script the import/installation?

Best regards and Thanks
Rainer

@crobinso
Collaborator

crobinso commented Oct 2, 2019

The certs might be here already, so possibly automatable with network access: https://fedorapeople.org/groups/virt/unattended/drivers/postinst/spice-guest-tools/0.141/

Shortly we are looking to add an installer on the iso too which will do it automatically. But yes I think it's fair to also add the cert files directly on the iso too

@stumbaumr
Author

stumbaumr commented Oct 3, 2019

Thanks for that link, but that virtio-0.141.cer Certificate expired on 30.12.2018 (12/30/2018, 2018-12-30). I can import it using certutil.exe, but the PopUp still appears...

I just extracted the current RedHat Certificate from the NetKVM\2k16\amd64\netkvm.cat file and used

certutil.exe -addstore -f "TrustedPublisher" "RedHat-2022-01-26.cer"

to install it to the cert store before installing the drivers silently.

Works, but the extraction process is IMHO additional and unnecessary work...
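
The extraction and import described in the comment above, as an added PowerShell example that is not part of the original thread or of the virtio-win project. The drive letter `E:`, the temporary file name and the thumbprint placeholder are assumptions; `pnputil /add-driver` requires Windows 10 version 1607 / Server 2016 or later.

```powershell
# Added example, not from the thread: extract the signer certificate from the
# driver catalog, check it against a pinned value, then trust it and install.
param(
    [string]$DriverRoot         = 'E:\NetKVM\2k16\amd64',      # assumed: ISO mounted as E:
    [string]$ExpectedThumbprint = '<PINNED-SHA1-THUMBPRINT>'   # placeholder: record it once from a trusted copy
)
$ErrorActionPreference = 'Stop'

$cat  = Join-Path $DriverRoot 'netkvm.cat'
$sig  = Get-AuthenticodeSignature -FilePath $cat
$cert = $sig.SignerCertificate
if (-not $cert) { throw "No signer certificate found in $cat" }

# Show exactly what is about to be added to TrustedPublisher.
'{0} thumbprint={1} NotAfter={2:yyyy-MM-dd} status={3}' -f `
    $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $sig.Status

# Adding a publisher is a trust decision: refuse if the catalog signature does
# not verify or if the signer is not the certificate that was pinned.
if ($sig.Status -ne 'Valid') {
    throw "Catalog signature status is '$($sig.Status)', not importing."
}
if ($cert.Thumbprint -ne $ExpectedThumbprint) {
    throw "Signer thumbprint $($cert.Thumbprint) does not match the pinned value."
}

# Export only the public part (DER-encoded .cer), as in the manual procedure.
$cer = Join-Path $env:TEMP 'virtio-signer.cer'   # assumed file name
[System.IO.File]::WriteAllBytes(
    $cer,
    $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

& certutil.exe -addstore -f 'TrustedPublisher' $cer
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

# Install every driver package in the folder without the publisher prompt.
& pnputil.exe /add-driver (Join-Path $DriverRoot '*.inf') /install
# A non-zero code is not always a failure (3010 means a reboot is required).
Write-Host "pnputil exit code: $LASTEXITCODE"
```

Because the certificate is read from the catalog that ships with the drivers being installed, it stays in sync with the ISO; the pinned thumbprint only has to be updated when the signer changes.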

@stumbaumr
Author

Maybe also have a look at
https://chocolatey.org/packages/virtio-drivers .
Automated silent installations on Microsoft are broken on so many levels...

@crobinso
Collaborator

@fidencio I'm kinda ignorant here. Didn't you have to track down a cert for libosinfo stuff recently? Can you provide some input?

@fidencio
Contributor

@crobinso, @stumbaumr,

So, what I've done in the past with certificates was:

  • Install a Windows guest;
  • Install the drivers and deal with the PopUp;
  • Go to the certutil / certmanager / whatever it's called and export the public part of the certificate;
  • Add the public part of the certificate to the location where I would get the drivers from;

Ideally, we should have the certificates shipped, as its own file, as part of the drivers. However, I'm not exactly sure how easy it would be to do that, but that's totally worth investigation.

Does my reply answer the question raised?

@crobinso
Collaborator

I think so. Sounds like the cert rarely changes so maybe it's fine to keep a copy in the virtio-win-pkg-scripts repo and stuff it into the iso/rpm

@stumbaumr
Author

Hi,
thanks for looking into this.

If you have a look at this we are currently extracting the certificate from an installation file:
https://github.com/DDoSolitary/chocolatey-packages/blob/master/virtio-drivers/tools/chocolateyInstall.ps1

It is important to be in sync with the actual installation files.

And on another note: If you change the ISO's content, give it a new version...
