Windows: Guest Additions installation might fail due to missing certificate
|Reported by:||w16r||Owned by:|
|Component:||guest additions||Version:||VirtualBox 6.1.28|
|Guest type:||Windows||Host type:||all|
When I tried to install the Guest Additions on a Windows Server 2022 guest that couldn’t reach the Internet, the installation failed with the following messages in the ”Oracle VM VirtualBox Guest Additions 6.1.28 Setup” window:
Installing guest driver ... Executing: "C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxDrvInst.exe" dri... Installing driver ... INF-File: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.inf (1) ENTER: DriverPackageInstallW (1) RETURN: DriverPackageInstallW (0xE0000247) ERROR: Adding driver to the driver store failed!! Execution returned exit code: 2 Error excuting ""C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxDrvInst.exe...
I found that the Oracle certificate that had been used to sign the Guest Additions device drivers, security catalog files, and so on, has a certification path for which the only trusted root certificate, in a new installation of Windows Server 2022, is a DigiCert Assured ID Root CA certificate signed by Microsoft. That root certificate expired on April 15, 2021, as described in this Microsoft document:
If the guest had been able to reach the Internet, I think the Automatic Root Certificates Update feature of Windows would have installed a better root certificate automatically. This guest had to remain offline, so I worked around the problem by installing an unexpired version of the DigiCert CA certificate into the Local Machine/Trusted Root Certification Authorities store, as I described in the forum:
The certificate I installed is:
After this, when I ran the Guest Additions installation again, it was successful.
For reference, I installed Windows Server 2022 from the following image, published on visualstudio.com: en-us_windows_server_version_2022_updated_october_2021_x64_dvd_b6e25591.iso
If it’s not feasible to fix this problem by signing the Guest Additions using a certificate for which a trusted, unexpired root certificate exists by default in all Windows installations, then I’d suggest including a copy of the DigiCert certificate with the Guest Additions and prompting the user to install it, if needed.
This shouldn’t be done silently, by the way: I’ve used VirtualBox to investigate other certificate-related problems like this one, and having any non-default certificate appear on its own would be unfortunate.