VirtualBox

Timestamp:
Jul 18, 2022 9:49:58 AM (2 years ago)
Author:
vboxsync
Message:

Installer/win/VBoxStub: Install the legacy windows timestamp CA if used by the build and needed by the installation target. bugref:8691

File:
1 edited

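--- a/trunk/src/VBox/Installer/win/Stub/VBoxStub.cpp
+++ b/trunk/src/VBox/Installer/win/Stub/VBoxStub.cpp
@@ -805,6 +805,36 @@
 }
 
-
 #ifdef VBOX_WITH_CODE_SIGNING
+
+# ifdef VBOX_WITH_VBOX_LEGACY_TS_CA
+/**
+ * Install the timestamp CA currently needed to support legacy Windows versions.
+ *
+ * See @bugref{8691} for details.
+ *
+ * @returns Fully complained exit code.
+ */
+static RTEXITCODE InstallTimestampCA(bool fForce)
+{
+    /*
+     * Windows 10 desktop should be fine with attestation signed drivers, however
+     * the driver guard (DG) may alter that.  Not sure yet how to detect, but
+     * OTOH 1809 and later won't accept the SHA-1 stuff regardless, so out of
+     * options there.
+     *
+     * The Windows 2016 server and later is not fine with attestation signed
+     * drivers, so we need to do the legacy trick there.
+     */
+    if (   !fForce
+        && RTSystemGetNtVersion() >= RTSYSTEM_MAKE_NT_VERSION(10, 0, 0)
+        && RTSystemGetNtProductType() == VER_NT_WORKSTATION)
+        return RTEXITCODE_SUCCESS;
+
+    if (!addCertToStore(CERT_SYSTEM_STORE_LOCAL_MACHINE, "Root", g_abVBoxLegacyWinCA, sizeof(g_abVBoxLegacyWinCA)))
+        return ShowError("Failed add the legacy Windows timestamp CA to the root certificate store.");
+    return RTEXITCODE_SUCCESS;
+}
+# endif  /* VBOX_WITH_VBOX_LEGACY_TS_CA*/
+
 /**
  * Install the public certificate into TrustedPublishers so the installer won't
@@ -821,19 +851,10 @@
                             g_aVBoxStubTrustedCerts[i].pab,
                             g_aVBoxStubTrustedCerts[i].cb))
-            return ShowError("Failed to construct install certificate.");
-    }
-
-# ifdef VBOX_WITH_VBOX_LEGACY_TS_CA
-    if (   RTSystemGetNtVersion() < RTSYSTEM_MAKE_NT_VERSION(10, 0, 0)
-        || false /** @todo windows server 2016 and later */ )
-    {
-        if (!addCertToStore(CERT_SYSTEM_STORE_LOCAL_MACHINE, "Root", g_abVBoxLegacyWinCA, sizeof(g_abVBoxLegacyWinCA)))
-            return ShowError("Failed to construct install certificate.");
-    }
-# endif
+            return ShowError("Failed to add our certificate(s) to trusted publisher store.");
+    }
     return RTEXITCODE_SUCCESS;
 }
+
 #endif /* VBOX_WITH_CODE_SIGNING */
-
 
 /**
@@ -1051,4 +1072,6 @@
 #ifdef VBOX_WITH_CODE_SIGNING
     bool fEnableSilentCert         = true;
+    bool fInstallTimestampCA       = true;
+    bool fForceTimestampCaInstall  = false;
 #endif
     bool fIgnoreReboot             = false;
@@ -1078,4 +1101,6 @@
         { "-no-silent-cert",    'c',                         RTGETOPT_REQ_NOTHING },
         { "/no-silent-cert",    'c',                         RTGETOPT_REQ_NOTHING },
+        { "--no-install-timestamp-ca", 't',                  RTGETOPT_REQ_NOTHING },
+        { "--force-install-timestamp-ca", 'T',               RTGETOPT_REQ_NOTHING },
 #endif
         { "--logging",          'l',                         RTGETOPT_REQ_NOTHING },
@@ -1138,4 +1163,10 @@
                 fEnableSilentCert = false;
                 break;
+            case 't':
+                fInstallTimestampCA = false;
+                break;
+            case 'T':
+                fForceTimestampCaInstall = fInstallTimestampCA = true;
+                break;
 #endif
             case 'l':
@@ -1227,7 +1258,18 @@
                          "    Adds <prop>=<value> to the MSI parameters,\n"
                          "    quoting the property value if necessary\n"
+#ifdef VBOX_WITH_CODE_SIGNING
                          "--no-silent-cert\n"
                          "    Do not install VirtualBox Certificate automatically\n"
                          "    when --silent option is specified\n"
+#endif
+#ifdef VBOX_WITH_VBOX_LEGACY_TS_CA
+                         "--force-install-timestamp-ca\n"
+                         "    Install the timestamp CA needed for supporting\n"
+                         "    legacy Windows versions regardless of the version or\n"
+                         "    type of Windows VirtualBox is being installed on.\n"
+                         "    Default: All except Windows 10 & 11 desktop\n"
+                         "--no-install-timestamp-ca\n"
+                         "    Do not install the above mentioned timestamp CA.\n"
+#endif
                          "--path\n"
                          "    Sets the path of the extraction directory\n"
@@ -1402,4 +1444,8 @@
                     rcExit = CopyCustomDir(szExtractPath);
 #ifdef VBOX_WITH_CODE_SIGNING
+# ifdef VBOX_WITH_VBOX_LEGACY_TS_CA
+                    if (rcExit == RTEXITCODE_SUCCESS && fInstallTimestampCA)
+                        rcExit = InstallTimestampCA(fForceTimestampCaInstall);
+# endif
                     if (rcExit == RTEXITCODE_SUCCESS && fEnableSilentCert && g_fSilent)
                         rcExit = InstallCertificates();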
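Review bot: The call added at new line 1447 is gated only on `fInstallTimestampCA`, which defaults to true, so the legacy CA is now written to the `CERT_SYSTEM_STORE_LOCAL_MACHINE` "Root" store in interactive installs as well, whereas the removed code ran inside `InstallCertificates()`, whose visible call site requires `fEnableSilentCert && g_fSilent`. If that widening is intended, the usage text should say what the step changes, for example by adding `"    The CA is added to the local machine Root certificate store.\n"` under `--force-install-timestamp-ca`, since a new machine-wide trust anchor is something administrators audit. Separately, the option-table entries (new lines 1103-1104), the `case 't'`/`case 'T'` arms and the two flags sit under `VBOX_WITH_CODE_SIGNING` only, while the function, its call and the help text are under `VBOX_WITH_VBOX_LEGACY_TS_CA`; a build without the latter would accept both switches and silently do nothing, so wrapping them in `# ifdef VBOX_WITH_VBOX_LEGACY_TS_CA` would keep parsing and help in step. The option loop and the routine containing the call lie outside the shown hunks, so other call sites of `InstallCertificates()` cannot be ruled out from here.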