In virtio-win-0.1.185 and virtio-win-0.1.190, signatures for some NetKVM and viostor driver packages are invalid about virtio-win-pkg-scripts HOT 10 OPEN

Most likely this issue: #41
Is caused by this one

from virtio-win-pkg-scripts.

@vrozenfe

Any updates on this? It's quite critical.

from virtio-win-pkg-scripts.

@alexey-buluy
Sorry for delay in response.

The last good one SHA-1 signed drivers should be in build 174 from 12/12/2019.
We don't build pre-Win8 drivers any longer, but we keep distributing the old
ones. It used to be a problem in rpm 185 that was coming with old drivers from
build 175. Unfortunately build 175 was broken due to SHA-1 signing deprecation.
This problem should be fixed in rpm 190

Regards,
Vadim.

from virtio-win-pkg-scripts.

@vrozenfe

But build 174 aren't available from https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/
It's simply not there. Am I looking in the wrong place? Checked others in there, builds of version 173 and prior aren't usable, as certificates expired already, and 185 and later has broken signatures.

It's OK about the distributing the old drivers for pre-Win8, but they still need proper signatures, so it will be a good idea to re-sign them using the latest certificates. Because while I totally could install the new trusted CA certificate in the system to make verification work, I cannot make the obsolete certificate working again after its expiration date. Pre-Win8 operating systems still widely used in banking, healthcare, etc and doesn't seem like they will be retired any time soon, unfortunately.

from virtio-win-pkg-scripts.

Can you try 190 (https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-0.1.190-1/)
This rpm is a mix of new drivers (build 190) for Win8 and higher and old drivers for WinXP/WS2003/Win7.

Unfortunately , it is not possible to resign the old drivers for a couple of reasons. SHA-1 is deprecated ( https://docs.microsoft.com/en-us/sysinternals/announce/sha1deprecation ) and we don't have any valid SHA-2 certification
to run a cross-signing process on Win7 drivers. The cross signing process itself is also deprecated since Feb 22 2021 ( https://docs.microsoft.com/en-us/windows-hardware/drivers/install/deprecation-of-software-publisher-certificates-and-commercial-release-certificates )

We are going to provide community with attestation signed drivers ( https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release ), even though that this solution will work for Win10 drivers only.

Regards,
Vadim.

from virtio-win-pkg-scripts.

@vrozenfe

Checked 190 - signature certificates are OK, but driver catalog seems flawed - SignTool verifying the signature for netkvm.sys correctly, but can't find netkvm.inf in the catalog, like it was edited after making the signature:

Successfully verified: netkvm.sys

Verifying: netkvm.inf
SignTool Error: File not found in the specified catalog.
SignTool Error: File not valid: netkvm.inf

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 1

from virtio-win-pkg-scripts.

Hi Alexey,

So, does it fail to install on your system? What is your Windows OS version and the drivers installation
path/location on virtio-win iso?

Vadim.

from virtio-win-pkg-scripts.

@vrozenfe

Hi Vadim!

To give the context:

We're using our own automated virtualization system based on KVM. To improve networking performance, we're trying to use VirtIO networking adapters instead of emulated E1000. We're testing it with ALL client and server versions of Windows of both architectures, and to make the process seamless we're integrating the VirtIO drivers directly inside the offline VMs before starting it, so when Windows will start and detect the VirtIO Ethernet adapter, it will already have the required drivers and could install it automatically without ANY user interaction.

To make this work, it is required for drivers to have proper signatures, as without that, depending on the version of Windows, it will either refuse to install the drivers completely or will ask the user for permission to install the driver with improper signature.

So, the issue is not what it fails to install on some systems, the issue is what it fails to install seamlessly without user interaction. With full user interaction, we're able to install them, but it's not what we need or want. So, what we currently got on our hands:

For Windows versions:

Windows Server 2012
Windows Server 2012R2
Windows Server 2016
Windows Server 2019
Windows 8
Windows 8.1
Windows 10

For both x86 and x64 - drivers from release 185 integrating correctly as they have valid signatures, and installing correctly without user interaction after system starts. But for the rest:

Windows Server 2003 and XP - driver signatures invalid for build 185, so system always asking user to allow to install the unsigned drivers. Can't work it around due to https://www.betaarchive.com/wiki/index.php/Microsoft_KB_Archive/298503
Tried drivers from release 141 - driver is signed properly in there, but certificate is expired long ago, so it's also treated by system as unsigned. As a result, wasn't able yet to integrate any version of drivers for these systems seamlessly.

Windows Server 2008/2008R2/7 - driver signature invalid for build 185, so always asking user to allow to install the unsigned driver. Was able to seamlessly integrate drivers with proper signatures from release 141 properly after also injecting the required certificates into the system, but there is another issue - for x86 systems of this family, driver release 141 aren't working properly - Ethernet adapter aren't properly initialized and always says "Media disconnected", so there is not much gain in that as only x64 systems able to use it.

Regards,
Alexey

from virtio-win-pkg-scripts.

@vrozenfe I have similar problem with VirtIO drivers for Windows Server 2019 version (virtual machine). Installation process can't use any of viostor, vioser and so on.
I've tried many ISO versions, also latest (0.1.204), but with no luck :-/

EDIT: I've fixed this with using older Windows Server 2019 image

from virtio-win-pkg-scripts.

@tom-i
If it works with one Windows Server 2019 distribution media but fails with other then it might be that the image has been corrupted or altered from the original. Can you verify the problematic iso image hash?

Thanks,
Vadim.

from virtio-win-pkg-scripts.