Changes between Initial Version and Version 1 of Ticket #19743, comment 7
Timestamp: Sep 21, 2020 5:11:12 PM
Ticket #19743, comment 7
[unmodified]
> Pretty quirky setup, in my entirely personal opinion, to have not a single valid signature which is from the entity responsible for the code. Sure, Microsoft only adds their signature there if they get the whole batch of driver files in a CAB file which is EV signed by the submitter, but it's still a little strange that the end user can't see any valid signature from Nvidia.

[modified, initial]
It may be interesting to note that in certain older NVidia driver releases (e.g. 445.87), the offending file was signed with a cert where the entire chain was valid at the time of signing - in 2020. But this "NVIDIA Corporation-PE-Prod-Sha1" expired in June 2020. For Nvidia now to use an even older one, instead of a newer one, seems like some human error when updating the signing certificate.

[modified, v1]
It may be interesting to note that in certain older NVidia driver releases (e.g. 445.87), the offending file was signed with a cert where the entire chain was valid at the time of signing - in 2020. But this particular "NVIDIA Corporation-PE-Prod-Sha1" expired in June 2020. For Nvidia now to use an even older one, instead of a newer one, seems like some human error when updating the signing certificate.

[unmodified]
But all this is beside the point.
What we have is one cert chain (the Nvidia one) that is untrusted for various reasons (also because SHA1 signing is deprecated after all).
And we have another chain that is fully valid and has a known & valid intermediate and root CA (Microsoft).

[modified, initial]
The driver dll must be accepted as valid if any chain can be fully validated. I do not see how this is any kind of "gray zone". Also it should be noted that Windows' own driver loading mechanism sees this driver as valid when signed this way. Thus IMHO VirtualBox must handle it in the same manner.

[modified, v1]
The driver dll must be accepted as valid if any chain can be fully validated. I do not see how this is any kind of "gray zone". Also it should be noted that Windows' own driver loading mechanism sees this driver as valid when signed this way. Also if it were a Microsoft-created driver (as they do for AHCI for example), it would have no Nvidia signature at all.
Thus IMHO VirtualBox must handle it in the same manner as Windows and check all cert chains.
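The policy the comment argues for, "accept the file if any one of its signature chains validates", is easy to state but worth seeing next to the stricter "every chain must validate" reading that would reject this driver. The following Python is an added example written for this page; it is not VirtualBox's hardening code and not anything from the ticket. It models a dual-signed file as a list of signatures, each with a digest algorithm, a signing time (what a timestamp countersignature attests) and a certificate chain, and evaluates both policies over constructed data that mirrors the scenario: one SHA1 chain whose leaf had already expired when it was used and whose root is not in the trust store, and one SHA256 chain that is fully valid. Every certificate name, date and root is constructed; only the leaf name "NVIDIA Corporation-PE-Prod-Sha1" and the June 2020 expiry come from the ticket text.

```python
"""Model of 'any chain valid' vs 'all chains valid' acceptance for a file
that carries more than one Authenticode-style signature. Added example, not
VirtualBox code; all certificates, dates and trust anchors are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple


@dataclass
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass
class Signature:
    signer: str
    digest_alg: str          # digest used for the signature, e.g. "sha1" or "sha256"
    signing_time: datetime   # time proven by the timestamp countersignature
    chain: List[Cert]        # leaf first, self-signed root last


# Constructed stand-in for the platform root store.
TRUSTED_ROOTS = {"Constructed Microsoft Root CA"}
DEPRECATED_DIGESTS = {"md5", "sha1"}


def chain_problems(sig: Signature) -> List[str]:
    """Return every reason this single signature is unacceptable (empty list = OK)."""
    problems: List[str] = []
    if sig.digest_alg.lower() in DEPRECATED_DIGESTS:
        problems.append(f"{sig.signer}: deprecated digest {sig.digest_alg}")
    if not sig.chain:
        return problems + [f"{sig.signer}: empty certificate chain"]
    # Each certificate must have been issued by the next one up the chain.
    for child, parent in zip(sig.chain, sig.chain[1:]):
        if child.issuer != parent.subject:
            problems.append(f"{sig.signer}: '{child.subject}' not issued by '{parent.subject}'")
    root = sig.chain[-1]
    if root.issuer != root.subject or root.subject not in TRUSTED_ROOTS:
        problems.append(f"{sig.signer}: root '{root.subject}' is not a trusted anchor")
    # Validity is judged at signing time, not at verification time: a signature
    # whose certificate expired AFTER a trusted timestamp stays good, but a
    # certificate that was already expired when it was used never was good.
    for cert in sig.chain:
        if not (cert.not_before <= sig.signing_time <= cert.not_after):
            problems.append(f"{sig.signer}: '{cert.subject}' not valid at signing time "
                            f"{sig.signing_time:%Y-%m-%d}")
    return problems


def verify_any_chain(sigs: List[Signature]) -> Tuple[bool, Dict[str, List[str]]]:
    """Accept if at least one signature chain validates cleanly."""
    report = {s.signer: chain_problems(s) for s in sigs}
    return any(not p for p in report.values()), report


def verify_all_chains(sigs: List[Signature]) -> Tuple[bool, Dict[str, List[str]]]:
    """Accept only if every signature chain validates cleanly (the stricter reading)."""
    report = {s.signer: chain_problems(s) for s in sigs}
    return bool(sigs) and all(not p for p in report.values()), report


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed scenario: both signatures applied in September 2020 (assumed date).
SIGNED_AT = _utc(2020, 9, 1)

NVIDIA_SIG = Signature(
    signer="Vendor SHA1 signature (constructed)", digest_alg="sha1", signing_time=SIGNED_AT,
    chain=[
        # Leaf name and June 2020 expiry taken from the ticket; issuers are constructed.
        Cert("NVIDIA Corporation-PE-Prod-Sha1", "Constructed Legacy Issuing CA",
             _utc(2017, 6, 1), _utc(2020, 6, 30)),
        Cert("Constructed Legacy Issuing CA", "Constructed Legacy Root CA",
             _utc(2012, 1, 1), _utc(2027, 1, 1)),
        Cert("Constructed Legacy Root CA", "Constructed Legacy Root CA",
             _utc(2006, 1, 1), _utc(2031, 1, 1)),
    ])

MICROSOFT_SIG = Signature(
    signer="Hardware compatibility signature (constructed)", digest_alg="sha256",
    signing_time=SIGNED_AT,
    chain=[
        Cert("Constructed Hardware Compatibility Publisher", "Constructed Microsoft Issuing CA",
             _utc(2020, 1, 1), _utc(2021, 1, 1)),
        Cert("Constructed Microsoft Issuing CA", "Constructed Microsoft Root CA",
             _utc(2015, 1, 1), _utc(2030, 1, 1)),
        Cert("Constructed Microsoft Root CA", "Constructed Microsoft Root CA",
             _utc(2010, 1, 1), _utc(2035, 1, 1)),
    ])

DRIVER_SIGNATURES = [NVIDIA_SIG, MICROSOFT_SIG]

if __name__ == "__main__":
    for name, policy in (("any chain", verify_any_chain), ("all chains", verify_all_chains)):
        accepted, report = policy(DRIVER_SIGNATURES)
        print(f"policy '{name}': accepted={accepted}")
        for signer, problems in report.items():
            print(f"  {signer}: {'OK' if not problems else '; '.join(problems)}")
```

Running it shows the vendor chain failing on three independent grounds (deprecated digest, untrusted root, leaf expired before the signing time) while the second chain passes, so the "any chain" policy accepts the file and the "all chains" policy rejects it. The design point is that the per-signature checks are the same under both policies; only the final aggregation differs, which is what the comment is asking VirtualBox to change.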