Changeset 107973 in vbox for trunk/src/VBox/GuestHost

Timestamp:

Jan 29, 2025 9:30:26 AM (3 months ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

167232

Message:

Windows driver installation: Fixed the ERROR_AUTHENTICODE_TRUST_NOT_ESTABLISHED error, added documentation and give a clue to users why this might have failed. See source for details. bugref:10762

Location:

trunk/src/VBox/GuestHost/installation

Files:

• VBoxDrvInst.cpp (modified) (1 diff)
• VBoxWinDrvInst.cpp (modified) (2 diffs)

trunk/src/VBox/GuestHost/installation/VBoxDrvInst.cpp

@@ -437 +437 @@
     uint64_t uOsVer = 0;
 
-    /* By default we want to force an installation and be silent. */
-    uint32_t fInstall = VBOX_WIN_DRIVERINSTALL_F_SILENT | VBOX_WIN_DRIVERINSTALL_F_FORCE;
+    /* By default we want to force an installation.
+     *
+     * However, we do *not* want the installation to be silent by default,
+     * as this this will result in an ERROR_AUTHENTICODE_TRUST_NOT_ESTABLISHED error
+     * if drivers get installed with our mixed SHA1 / SH256 certificates on older
+     * Windows guest (7, Vista, ++).
+     *
+     * So if the VBOX_WIN_DRIVERINSTALL_F_SILENT is missing, this will result in a
+     * (desired) Windows driver installation dialog to confirm (or reject) the installation
+     * by the user.
+     *
+     * On the other hand, for unattended installs we need VBOX_WIN_DRIVERINSTALL_F_SILENT
+     * being set, as our certificates will get installed into the Windows certificate
+     * store *before* we perform any driver installation.
+     */
+    uint32_t fInstall = VBOX_WIN_DRIVERINSTALL_F_FORCE;
 
     /* Whether to ignore reboot messages or not. This will also affect the returned exit code. */

trunk/src/VBox/GuestHost/installation/VBoxWinDrvInst.cpp

@@ -1310 +1310 @@
                     /* For anything else we want to get notified that something isn't working. */
                     if (!fRc)
-                        rc = vboxWinDrvInstLogLastError(pCtx, "DiInstallDriverW() failed");
+                    {
+                        switch (dwErr)
+                        {
+                            case ERROR_AUTHENTICODE_TRUST_NOT_ESTABLISHED:
+                            {
+                                /* For silent installs give a clue why this might have failed. */
+                                if (pParms->fFlags & VBOX_WIN_DRIVERINSTALL_F_SILENT)
+                                    vboxWinDrvInstLogWarn(pCtx, "Silent installation was selected, but required certificates "
+                                                                "were not pre-installed into the Windows drvier store, so "
+                                                                "the installation will be rejected automatically");
+                                RT_FALL_THROUGH();
+                            }
+
+                            default:
+                                rc = vboxWinDrvInstLogLastError(pCtx, "DiInstallDriverW() failed");
+                                break;
+                        }
+                    }
                 }
 
@@ -1360 +1377 @@
                                 vboxWinDrvInstLogWarn(pCtx, "Not able to select a driver from the given INF, using given model");
                                 break;
+                            }
+
+                            case ERROR_AUTHENTICODE_TRUST_NOT_ESTABLISHED:
+                            {
+                                /* For silent installs give a clue why this might have failed. */
+                                if (pParms->fFlags & VBOX_WIN_DRIVERINSTALL_F_SILENT)
+                                    vboxWinDrvInstLogWarn(pCtx, "Silent installation was selected, but required certificates "
+                                                                "were not pre-installed into the Windows drvier store, so "
+                                                                "the installation will be rejected automatically");
+                                RT_FALL_THROUGH();
                             }