VirtualBox

Changes between Initial Version and Version 1 of Ticket #19743, comment 7


Timestamp: 09/21/2020 05:11:12 PM (2 years ago)
Author: theRman
  • Ticket #19743, comment 7

    initial v1  
    88> Pretty quirky setup, in my entirely personal opinion, to have not a single valid signature which is from the entity responsible for the code. Sure, Microsoft only adds their signature there if they get the whole batch of driver files in an CAB file which is EV signed by the submitter, but it's still a little strange that the end user can't see any valid signature from Nvidia. 
    99 
    10 Its may interesting to note that in certain older NVidia driver releases (e.g. 445.87), the offending files was signed with a cert where the entire chain was valid at the time of singing - in 2020. But this "NVIDIA Corporation-PE-Prod-Sha1" expired in June 2020. For Nvidia now to use an even older one, instead of newer one seems like some human error when updating the signing certificate. 
     10It maybe interesting to note, that in certain older NVidia driver releases (e.g. 445.87), the offending file was signed with a cert, where the entire chain was valid at the time of singing - in 2020. But this particular "NVIDIA Corporation-PE-Prod-Sha1" expired in June 2020. For Nvidia now to use an even older one, instead of newer one, seems like some human error when updating the signing certificate. 
    1111 
    1212But all this is besides the point. 
    1313What we have is one cert chain (Nvidia one) that is untrusted for various reasons (also because SHA1 signing is deprecated after all). 
    1414And we have another chain that is fully valid and has known & valid intermediate and root CA (Microsoft). 
    15 The driver dll must be accepted as valid if any chain can be fully validated. I do not see how this is any kind of "gray zone". Also it should be noted that Windows own driver loading mechanism sees this driver as valid when signed this way. Thus IMHO VirtualBox must handle it in the same manor. 
     15The driver dll must be accepted as valid if any chain can be fully validated. I do not see how this is any kind of "gray zone". Also it should be noted that Windows own driver loading mechanism sees this driver as valid when signed this way. Also if it would be a Microsoft created driver (as they do for AHCI for example), it would have no Nvidia signature at all. 
     16Thus IMHO VirtualBox must handle it in the same manor as Windows and check all cert cains. 
