[Spice-devel] Win7 64-bit QXL driver (binary) is not signed properly

Christophe Fergeau cfergeau at redhat.com
Mon Oct 7 18:15:42 CEST 2013

Hey Tsukasa,

On Sat, Oct 05, 2013 at 07:15:01PM +0900, Tsukasa #01 (Oi) wrote:
> [Possible solution]
> If my guess is right, this issue can be fixed by Red Hat. Specifically,
> the code signing process can be fixed to use a proper cross-certificate,
> which extends the chain of trust from Microsoft (single root authority)
> to multiple CAs.
> I believe the links below will help Red Hat fix this issue because
> Red Hat's code signing certificate is issued by the VeriSign (Class 3)
> authority and Microsoft already has a cross-certificate for that CA.
> http://msdn.microsoft.com/en-us/library/windows/hardware/ff549832.aspx
> http://msdn.microsoft.com/en-us/library/windows/hardware/ff549830.aspx
> http://msdn.microsoft.com/en-us/library/windows/hardware/dn170454.aspx
> Adding the "/ac" option to the signtool command is the point. This option
> accepts a cross-certificate file as its argument and adds a digital
> signature for the cross-certificate along with the standard Authenticode one.
> I hope this will help Red Hat and SPICE + Windows guest users.

Thanks for the very detailed explanation, lots of things I didn't know in
your email ;) I've filed
https://bugzilla.redhat.com/show_bug.cgi?id=1016126 to track this issue.
I've tried to experiment with the /ac parameter myself but signtool does
not like me:
Error information: "CryptQueryObject" (-2147024893/0x80070003)
SignTool Error: An unexpected internal error has occurred.

The good news is that it's a much less critical issue after this
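
An added example (not part of the original message and not Red Hat's build process) of the cross-signing step discussed in this thread: it signs with /ac and then checks the result against kernel-mode signing policy with signtool verify /kp. Every file name, the subject name and the timestamp URL are placeholders.

```powershell
# Added example: all default values below are placeholders, not values from the thread.
param(
    [string]$Driver    = '.\DRIVER-PLACEHOLDER.sys',         # driver binary to sign
    [string]$CrossCert = '.\CROSS-CERT-PLACEHOLDER.cer',     # Microsoft cross-certificate for the issuing CA
    [string]$Subject   = 'SIGNING-CERT-SUBJECT-PLACEHOLDER', # subject name of the code signing certificate
    [string]$Timestamp = 'http://timestamp.example.invalid'  # placeholder timestamp server URL
)

# 0x80070003 is the HRESULT form of Win32 ERROR_PATH_NOT_FOUND, and signtool
# gives no hint about which argument it could not open. Check each input file
# explicitly and hand signtool absolute paths only.
$resolved = foreach ($p in $Driver, $CrossCert) {
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
        throw "Input file not found: $p"
    }
    (Resolve-Path -LiteralPath $p).Path
}
$driverPath, $crossPath = $resolved

# /ac adds the cross-certificate to the signature block, so the chain can be
# built up to the Microsoft root that kernel-mode code integrity trusts.
& signtool sign /v /ac $crossPath /n $Subject /t $Timestamp $driverPath
if ($LASTEXITCODE -ne 0) {
    throw "signtool sign failed with exit code $LASTEXITCODE"
}

# A plain "signtool verify" uses the Windows driver verification policy.
# /kp applies the kernel-mode driver signing policy instead, which is the
# check that fails when the cross-certificate is missing from the signature.
& signtool verify /v /kp $driverPath
if ($LASTEXITCODE -ne 0) {
    throw "Kernel-mode policy verification failed with exit code $LASTEXITCODE"
}
```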
