Bug 1908394

Summary: Windows 2008 and Windows 7 unable to install viostor.sys because the signature of the driver is SHA256
Product: [Community] Virtualization Tools
Reporter: roy.lemmon
Component: virtio-win
Assignee: Meirav Dean <mdean>
Status: CLOSED WONTFIX
QA Contact: menli <menli>
Severity: high
Priority: high
Version: unspecified
CC: ghammer, haoliu, lijin, roy.lemmon, virt-maint, vrozenfe, yvugenfi
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Windows   
Last Closed: 2020-12-23 09:49:58 UTC
Type: Bug

Description roy.lemmon 2020-12-16 15:40:57 UTC
Description of problem:
Windows 2008, Windows 2008R2 and Windows 7 cannot install the viostor.sys driver because of an invalid signature. The signature was found to be signed as SHA256 where in prior versions it was SHA1.


Version-Release number of selected component (if applicable): virtio-win-0.1.185-2


How reproducible:
100%

Steps to Reproduce:
1. Use device manager to update the viostor.sys driver to the 0.1.185-2 version.
2. You will be warned that the driver is not properly signed.
3. If you proceed and install the driver anyway the guest will fail to boot.

Actual results: Guest fails to boot.


Expected results: Guest should boot.


Additional info: I have confirmed that the signatures in the 171 and the newer 190 versions are both SHA1 and these versions do allow the guest to boot.

Comment 1 Vadim Rozenfeld 2020-12-16 21:56:54 UTC
Unfortunately, SHA-1 code signing is not provided anymore starting July 2019 (https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). At the same time RH has no SHA-2 to sign Win7/WS2008(R2) drivers, so we've decided to discontinue building pre-Win8 drivers, but continue shipping the "last good known" SHA-1 signed drivers in the future virtio-win packages.

As you already mentioned, 185-2 has all pre-Win8 drivers signed with a SHA-256 signature and should not be used for installing or updating drivers on Win7/WS2008(R2) platforms. This problem was fixed in the most recent packages, 190-1 for example (https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-0.1.190-1), where for Win7/WS2008(R2) platforms we use SHA-1 signed drivers from build 174.


I suggest closing this bug as wontfix.

Regards,
Vadim.

Comment 2 roy.lemmon 2020-12-17 12:44:34 UTC
Thank you for the explanation. I agree that this bug should be closed as wontfix.