1227164 – viostor/vioscsi is not digital signed by Redhat

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1227164 - viostor/vioscsi is not digital signed by Redhat

Summary: viostor/vioscsi is not digital signed by Redhat

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	virtio-win
Sub Component:
Version:	7.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Vadim Rozenfeld
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1202642 (view as bug list)
Depends On:	1226928
Blocks:
TreeView+	depends on / blocked

Reported:	2015-06-02 03:25 UTC by Mike Cao
Modified:	2015-11-24 08:51 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	NO_DOCS
Clone Of:	1226928
Environment:
Last Closed:	2015-11-24 08:51:38 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2015:2513	0	normal	SHIPPED_LIVE	virtio-win bug fix and enhancement update	2015-11-24 13:38:38 UTC

Description Mike Cao 2015-06-02 03:25:36 UTC

+++ This bug was initially created as a clone of Bug #1226928 +++

Description of problem:
Installing the VirtIO drivers for Windows 2k12 afterwards fails.
The drivers are rejected due to an invalid catalog file.
Force-installing the drivers leads to a BSOD.


Version-Release number of selected component (if applicable):
 https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-0.1.104-1/virtio-win-0.1.104.iso
but also "virtio-win-0.1.103.iso" and "virtio-win-0.1-81.iso

How reproducible:
Every time


Steps to Reproduce:
1. Install Windows 2k12 without VirtIO
2. Add VirtIO HD afterwards
3. Mount ISO and try to install viostor.sys

Actual results:

Processing inf :            vioscsi.inf
Adding the driver package failed : The hash for the file is not present in the specified catalog file. The file is likely corrupt or the victim of tampering.

Processing inf :            viostor.inf
Adding the driver package failed : The hash for the file is not present in the specified catalog file. The file is likely corrupt or the victim of tampering.


Expected results:
Working VirtIO-HD.


Additional info:
Using the same ISO during the initial install and installing the VirtIO drivers from the beginning works without problems. The Windows installer seems to ignore the signature mismatch that early.

Running the following command on 0.1.104 prints (among others) the
following sha1hash:
> "C:\Program Files (x86)\Windows Kits\8.1\bin\x86\signtool.exe" /verify
/v /kp E:\NetKVM\2k12\amd64\netkvm.sys
...
> Hash of file (sha1): 135E3AA23217610AEE8046F68550B0BA86F4EAE6

> "C:\Program Files (x86)\Windows Kits\8.1\bin\x86\signtool.exe" /verify
/v /kp E:\viostor\2k12\amd64\viostor.sys
...
> Hash of file (sha1): EF11F5E539EEE0A9DB6DF3710A0DAA35066C5607

Looking into the corresponding .cat "Security Catalog File"
- netkvm.cat contains the above given hash for netkvm.sys,
- viostor.cat contains 55FC4DA2EE96ECC3FD4865680436DCDA6B8C6BDD instead!

Running "sha1sum" on Linux print some completely different hashes, so I
don't know what the Microsoft tool actually hash:

> # sha1sum /cdrom/NetKVM/2k12/amd64/netkvm.sys /cdrom/viostor/2k12/amd64/viostor.sys 
> 1aa91c8e1d7680457d92c1875810a79f68af536d  /cdrom/NetKVM/2k12/amd64/netkvm.sys
> f39bc2b561091addfcac30e370227c91700d2698  /cdrom/viostor/2k12/amd64/viostor.sys


See Bug #1117055 for a similar bug.

--- Additional comment from Philipp Hahn on 2015-06-01 21:01:02 CST ---



--- Additional comment from Philipp Hahn on 2015-06-01 21:01:30 CST ---



--- Additional comment from Mike Cao on 2015-06-02 11:23:52 CST ---

I can install the driver successfully but I think the root cause for reporter is the driver is not digital signed by Redhat ( I can reproduce this)

Cloning this bug on RHEL as well

Comment 2 Vadim Rozenfeld 2015-06-03 11:57:19 UTC

Please re-check with the drivers from build 105 available from
http://download.devel.redhat.com/brewroot/packages/virtio-win-prewhql/0.1/105/win/virtio-win-prewhql-0.1.zip

Comment 3 Mike Cao 2015-06-04 06:18:16 UTC

Verified this issue on  build 105

Steps same as comment #0.

Actual Results:

The driver can be installed smoothly ,driver is digital signed by Redhat.

Based on above ,this issue has been fixed ald.

Comment 4 lijin 2015-06-05 03:13:34 UTC

change status to verified according to comment#3

Comment 5 Vadim Rozenfeld 2015-06-19 11:17:45 UTC

*** Bug 1202642 has been marked as a duplicate of this bug. ***

Comment 6 Matthias Seuchter 2015-09-17 14:00:39 UTC

after some researches, I have noticed, that Version 1.105 is correct signed, and can be installed correct, 1.102 not and latest version 1.109 again not.

please be in mind, that the signing certificate runs out of date 2015-11-29 too, so there is a very high need to update this certificate also!

Comment 7 Cole Robinson 2015-09-17 14:51:56 UTC

(In reply to Matthias Seuchter from comment #6)
> after some researches, I have noticed, that Version 1.105 is correct signed,
> and can be installed correct, 1.102 not and latest version 1.109 again not.
> 
> please be in mind, that the signing certificate runs out of date 2015-11-29
> too, so there is a very high need to update this certificate also!

This seems like it's referencing the public fedora builds, but this bug is about the RHEL version. Please file a separate bug at https://bugzilla.redhat.com/enter_bug.cgi?product=Virtualization%20Tools&component=virtio-win

Comment 10 errata-xmlrpc 2015-11-24 08:51:38 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2513.html

Note You need to log in before you can comment on or make changes to this bug.