[Spice-devel] Win7 64-bit QXL driver (binary) is not signed properly
Christophe Fergeau
cfergeau at redhat.com
Mon Oct 7 18:15:42 CEST 2013
Hey Tsukasa,
On Sat, Oct 05, 2013 at 07:15:01PM +0900, Tsukasa #01 (Oi) wrote:
> [Possible solution]
>
> If my guess is right, this issue can be fixed by Red Hat. Specifically,
> code signing process can be fixed to use proper cross-certificate, which
> extends chain of trust from Microsoft (single root authority) to
> multiple CAs.
> I believe these links below will help Red Hat to fix this issue because
> Red Hat's code signing certificate is issued by VeriSign (Class 3)
> authority and Microsoft already has cross-certificate for that CA.
>
> http://msdn.microsoft.com/en-us/library/windows/hardware/ff549832.aspx
> http://msdn.microsoft.com/en-us/library/windows/hardware/ff549830.aspx
> http://msdn.microsoft.com/en-us/library/windows/hardware/dn170454.aspx
>
> Adding "/ac" option to signtool command is the point. This option
> accepts cross-certificate file for argument and adds digital signature
> for cross-certificate along with standard Authenticode's one.
>
> I hope this will help Red Hat and SPICE + Windows guest users.
Thanks for the very detailed explanation, lots of things I didn't know in
your email ;) I've filed
https://bugzilla.redhat.com/show_bug.cgi?id=1016126 to track this issue.
I've tried to experiment with the /ac parameter myself but signtool does
not like me:
Error information: "CryptQueryObject" (-2147024893/0x80070003)
SignTool Error: An unexpected internal error has occurred.
The good news is that it's a much less critical issue after this
announcement:
http://lists.freedesktop.org/archives/spice-devel/2013-October/014789.html
Christophe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/spice-devel/attachments/20131007/3e74ce54/attachment.pgp>
More information about the Spice-devel
mailing list