[Bug 40733] New: qxl driver not cross signed

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Fri Sep 9 02:39:44 PDT 2011 

https://bugs.freedesktop.org/show_bug.cgi?id=40733

           Summary: qxl driver not cross signed
           Product: Spice
           Version: unspecified
          Platform: x86-64 (AMD64)
        OS/Version: Windows (All)
            Status: NEW
          Severity: normal
          Priority: medium
         Component: win32 qxl
        AssignedTo: spice-bugs at lists.freedesktop.org
        ReportedBy: colin.higgs at ed.ac.uk


My OS: Windows 7 sp1 64 bit

Although the downloadable qxl driver binary[1] is signed with a Red Hat cert
rooted at verisign, it will still not load unless test mode is turned on[2].

Much reading, pursuit of false trails, brain fry and general gnashing of teeth
has led me to believe that this could be fixed by cross signing with the
microsoft-verisign cross certificate downloadable from the bottom of this page:

http://msdn.microsoft.com/en-us/windows/hardware/gg487315

A walk through on driver signing from microsoft:

http://msdn.microsoft.com/en-us/windows/hardware/gg487328

describes how to do this, but it boils down to:

Sign it something like this:

signtool sign /v /ac MSCV-VSClass3.cer /f redhat.cer /t
http://timestamp.verisign.com/scripts/timestamp.dll qxl.cat qxl.sys qxldd.dll

where MSCV-VSClass3.cer is the dowloaded cross certificate and /f redhat.cer
assumes the redhat signing certificate normally used to sign the drivers is in
a file called redhat.cer.

It's the /ac MSCV-VSClass3.cer bit that's different from what's being done now.

You can verify that this worked by doing this:

signtool verify /kp /v /c qxl.cat qxl.sys

which will show the certificate chain and verify that it is now rooted in a
Microsoft cert.

Unfortunately I've not been able to test the signing and verification because I
would need access to the Red Hat signing certificate (with private key) to do
so. 

[1] tested with:
http://www.spice-space.org/download/binaries/qxl-0.10-20112808.zip
http://www.spice-space.org/download/binaries/qxl-win-0.1010-20110308-d9eb3203bd.zip

[2] as described in http://spice-space.org/page/WinQXL

-- 
Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the spice-bugs mailing list