Hide Forgot
See http://lists.freedesktop.org/archives/spice-devel/2013-October/014747.html for a very detailed explanation. It seems we are signing our qxl and virtio drivers differently (before sending them to MS to get them whql'ed). Once the driver is whql'ed, this is not causing issues, but it would still be cleaner to fix our signtool call if this is indeed an issue. In the mail linked above, Tsukasa #01 (Oi says: « [What is suspected for causing this issue] In short, driver file qxl.sys and catalog file qxl.cat are not properly signed (unlike other SPICE + Red Hat binaries such as netkvm.{sys,cat}). It looks they are signed by Red Hat (actually, it's signed using Authenticode) but they don't have proper signatures for drivers. 64-bit Windows requires Kernel Mode Code Signing (KMCS) for drivers and/or any PE modules which is marked integrity-checked. The point here is, KMCS enforces modules to be trusted by Microsoft (directly or indirectly through cross-certificate). This is *not just Authenticode*. Differences between KMCS (+Authenticode) and standard Authenticode are totally invisible from standard right-clicking method (I think this is the reason which made confusion in previous threads) but you can confirm using method described at: http://msdn.microsoft.com/en-us/library/windows/hardware/ff553929.aspx You can easily see the difference. Except of RHEV's one, "signtool verify /kp /v /c netkvm.cat netkvm.sys" returns success and "signtool verify /kp /v /c qxl.cat qxl.sys" returns error (/kp is the option to verify using KMCS policy). I verified RHEV drivers (which is not causing errors but a bit old) too and I found the only reason 64-bit Windows accepts RHEV's QXL driver is because qxl.cat (the catalog file) is correctly signed by Microsoft (qxl.sys isn't properly signed but it works because of valid WHQL catalog file which is installed together). [Possible solution] If my guess is right, this issue can be fixed by Red Hat. Specifically, code signing process can be fixed to use proper cross-certificate, which extends chain of trust from Microsoft (single root authority) to multiple CAs. I believe these links below will help Red Hat to fix this issue because Red Hat's code signing certificate is issued by VeriSign (Class 3) authority and Microsoft already has cross-certificate for that CA. http://msdn.microsoft.com/en-us/library/windows/hardware/ff549832.aspx http://msdn.microsoft.com/en-us/library/windows/hardware/ff549830.aspx http://msdn.microsoft.com/en-us/library/windows/hardware/dn170454.aspx Adding "/ac" option to signtool command is the point. This option accepts cross-certificate file for argument and adds digital signature for cross-certificate along with standard Authenticode's one. I hope this will help Red Hat and SPICE + Windows guest users. » Looking at the ini files for virtio drivers and for qxl, the virtio-win drivers are signed with: # use the cross-cert and driver verification policy for .sys and .cat files for file in $(/usr/bin/find . -name \*.sys -print -o -name \*.cat -print); do /cygdrive/c/WinDDK/$DDKVER/bin/x86/signtool.exe sign \ /s my /n "Red Hat, Inc." /ac "$(cygpath -wa $spec_dir/After_10-10-10_MSCV-VSClass3.cer)" \ /t "http://timestamp.verisign.com/scripts/timstamp.dll" /v "$(cygpath -wa $file)" done while the qxl driver is signed using: SignTool sign /s MY /n "Red Hat, Inc." /t http://timestamp.verisign.com/scripts/timstamp.dll /v qxldd.dll qxl.sys qxl.cat The virtio-win drivers indeed have an additional /ac "$(cygpath -wa $spec_dir/After_10-10-10_MSCV-VSClass3.cer)" argument passed to signtool.
This is now fixed in git.
Works in qxl-win-0.1-21: c:\Users\djasa\Desktop>signtool verify /kp /v /c w7\amd64\qxl.cat w7\amd64\qxl.sys Verifying: w7\amd64\qxl.sys File is signed in catalog: w7\amd64\qxl.cat Hash of file (sha1): 590C6E1967DE33AFB17ECDFA910608D34560AE5A Signing Certificate Chain: Issued to: Microsoft Root Certificate Authority Issued by: Microsoft Root Certificate Authority Expires: Sun May 09 23:28:13 2021 SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072 Issued to: Microsoft Windows Hardware Compatibility PCA Issued by: Microsoft Root Certificate Authority Expires: Thu Jun 04 21:15:46 2020 SHA1 hash: 8D42419D8B21E5CF9C3204D0060B19312B96EB78 Issued to: Microsoft Windows Hardware Compatibility Publisher Issued by: Microsoft Windows Hardware Compatibility PCA Expires: Sat Aug 16 18:48:57 2014 SHA1 hash: 3D5C7917B3EE3E4226A471C6BE41196B87594403 The signature is timestamped: Fri Aug 09 18:37:09 2013 Timestamp Verified by: Issued to: Microsoft Root Certificate Authority Issued by: Microsoft Root Certificate Authority Expires: Sun May 09 23:28:13 2021 SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072 Issued to: Microsoft Time-Stamp PCA Issued by: Microsoft Root Certificate Authority Expires: Sat Apr 03 13:03:09 2021 SHA1 hash: 375FCB825C3DC3752A02E34EB70993B4997191EF Issued to: Microsoft Time-Stamp Service Issued by: Microsoft Time-Stamp PCA Expires: Fri Jun 27 20:08:28 2014 SHA1 hash: E0AF7E3AFD2CC3F6E7C72F707A63FA9F9DB511D6 Cross Certificate Chain: Issued to: Microsoft Root Certificate Authority Issued by: Microsoft Root Certificate Authority Expires: Sun May 09 23:28:13 2021 SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072 Issued to: Microsoft Windows Hardware Compatibility PCA Issued by: Microsoft Root Certificate Authority Expires: Thu Jun 04 21:15:46 2020 SHA1 hash: 8D42419D8B21E5CF9C3204D0060B19312B96EB78 Issued to: Microsoft Windows Hardware Compatibility Publisher Issued by: Microsoft Windows Hardware Compatibility PCA Expires: Sat Aug 16 18:48:57 2014 SHA1 hash: 3D5C7917B3EE3E4226A471C6BE41196B87594403 Successfully verified: w7\amd64\qxl.sys Number of files successfully Verified: 1 Number of warnings: 0 Number of errors: 0 c:\Users\djasa\Desktop>signtool verify /kp /v /c w7\x86\qxl.cat w7\x86\qxl.sys Verifying: w7\x86\qxl.sys File is signed in catalog: w7\x86\qxl.cat Hash of file (sha1): 0E57DEBD9B6D01853682DC6D1A287DD55E601468 Signing Certificate Chain: Issued to: Microsoft Root Certificate Authority Issued by: Microsoft Root Certificate Authority Expires: Sun May 09 23:28:13 2021 SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072 Issued to: Microsoft Windows Hardware Compatibility PCA Issued by: Microsoft Root Certificate Authority Expires: Thu Jun 04 21:15:46 2020 SHA1 hash: 8D42419D8B21E5CF9C3204D0060B19312B96EB78 Issued to: Microsoft Windows Hardware Compatibility Publisher Issued by: Microsoft Windows Hardware Compatibility PCA Expires: Sat Aug 16 18:48:57 2014 SHA1 hash: 3D5C7917B3EE3E4226A471C6BE41196B87594403 The signature is timestamped: Fri Aug 09 18:37:09 2013 Timestamp Verified by: Issued to: Microsoft Root Certificate Authority Issued by: Microsoft Root Certificate Authority Expires: Sun May 09 23:28:13 2021 SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072 Issued to: Microsoft Time-Stamp PCA Issued by: Microsoft Root Certificate Authority Expires: Sat Apr 03 13:03:09 2021 SHA1 hash: 375FCB825C3DC3752A02E34EB70993B4997191EF Issued to: Microsoft Time-Stamp Service Issued by: Microsoft Time-Stamp PCA Expires: Fri Jun 27 20:08:28 2014 SHA1 hash: E0AF7E3AFD2CC3F6E7C72F707A63FA9F9DB511D6 Cross Certificate Chain: Issued to: Microsoft Root Certificate Authority Issued by: Microsoft Root Certificate Authority Expires: Sun May 09 23:28:13 2021 SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072 Issued to: Microsoft Windows Hardware Compatibility PCA Issued by: Microsoft Root Certificate Authority Expires: Thu Jun 04 21:15:46 2020 SHA1 hash: 8D42419D8B21E5CF9C3204D0060B19312B96EB78 Issued to: Microsoft Windows Hardware Compatibility Publisher Issued by: Microsoft Windows Hardware Compatibility PCA Expires: Sat Aug 16 18:48:57 2014 SHA1 hash: 3D5C7917B3EE3E4226A471C6BE41196B87594403 Successfully verified: w7\x86\qxl.sys Number of files successfully Verified: 1 Number of warnings: 0 Number of errors: 0 c:\Users\djasa\Desktop>signtool verify /kp /v /c xp\x86\qxl.cat xp\x86\qxl.sys Verifying: xp\x86\qxl.sys File is signed in catalog: xp\x86\qxl.cat Hash of file (sha1): 7A023269D2248D454E151C6464C535568DDDC580 Signing Certificate Chain: Issued to: Microsoft Root Certificate Authority Issued by: Microsoft Root Certificate Authority Expires: Sun May 09 23:28:13 2021 SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072 Issued to: Microsoft Windows Hardware Compatibility PCA Issued by: Microsoft Root Certificate Authority Expires: Thu Jun 04 21:15:46 2020 SHA1 hash: 8D42419D8B21E5CF9C3204D0060B19312B96EB78 Issued to: Microsoft Windows Hardware Compatibility Publisher Issued by: Microsoft Windows Hardware Compatibility PCA Expires: Sat Aug 16 18:48:57 2014 SHA1 hash: 3D5C7917B3EE3E4226A471C6BE41196B87594403 The signature is timestamped: Fri Aug 09 18:37:09 2013 Timestamp Verified by: Issued to: Microsoft Root Certificate Authority Issued by: Microsoft Root Certificate Authority Expires: Sun May 09 23:28:13 2021 SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072 Issued to: Microsoft Time-Stamp PCA Issued by: Microsoft Root Certificate Authority Expires: Sat Apr 03 13:03:09 2021 SHA1 hash: 375FCB825C3DC3752A02E34EB70993B4997191EF Issued to: Microsoft Time-Stamp Service Issued by: Microsoft Time-Stamp PCA Expires: Fri Jun 27 20:08:28 2014 SHA1 hash: E0AF7E3AFD2CC3F6E7C72F707A63FA9F9DB511D6 Cross Certificate Chain: Issued to: Microsoft Root Certificate Authority Issued by: Microsoft Root Certificate Authority Expires: Sun May 09 23:28:13 2021 SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072 Issued to: Microsoft Windows Hardware Compatibility PCA Issued by: Microsoft Root Certificate Authority Expires: Thu Jun 04 21:15:46 2020 SHA1 hash: 8D42419D8B21E5CF9C3204D0060B19312B96EB78 Issued to: Microsoft Windows Hardware Compatibility Publisher Issued by: Microsoft Windows Hardware Compatibility PCA Expires: Sat Aug 16 18:48:57 2014 SHA1 hash: 3D5C7917B3EE3E4226A471C6BE41196B87594403 Successfully verified: xp\x86\qxl.sys Number of files successfully Verified: 1 Number of warnings: 0 Number of errors: 0
IIUC this bug does not concert RHEV product (as it never shipped non-WHQL drivers) so shouldn't we rather close this as CURRENTRELEASE?
The way I understand things is that the WHQL signature is an additional MS signature on top of the Red Hat signatures we set on the driver. One of these Red Hat sigs happened to be wrong/missing, but the WHQL signature takes precedence, so the wrong signature is not really an issue with WHQL drivers. Not sure what difference it makes on non-WHQL drivers, maybe not much of a change either. So this bug is more about correctness/cleanliness rather than fixing an observable issue. I'm fine with any resolution status for this bug.
(In reply to Christophe Fergeau from comment #6) > ... > Not sure what difference it makes on non-WHQL drivers, maybe not > much of a change either. Exactly the opposite: the driver with wrong signing can not be used unless you enable testsigning mode (which you should not do unless you're developing a driver). The driver with the fix works just fine after you confirm trust to RH-signed code.
(In reply to David Jaša from comment #5) > IIUC this bug does not concert RHEV product (as it never shipped non-WHQL > drivers) so shouldn't we rather close this as CURRENTRELEASE? Yes, RHEV is shipped only with WHQL'd drivers.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2014-0053.html