VirtualBox

Ticket #20628 (new defect)

Opened 3 months ago

Last modified 5 weeks ago

Windows: Guest Additions installation might fail due to missing certificate

Reported by: w16r
Owned by:
Component: guest additions
Version: VirtualBox 6.1.28
Keywords:
Cc:
Guest type: Windows
Host type: all

Description

When I tried to install the Guest Additions on a Windows Server 2022 guest that couldn’t reach the Internet, the installation failed with the following messages in the “Oracle VM VirtualBox Guest Additions 6.1.28 Setup” window:

Installing guest driver ...
Executing: "C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxDrvInst.exe" dri...
Installing driver ...
INF-File: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.inf
(1) ENTER:  DriverPackageInstallW
(1) RETURN: DriverPackageInstallW  (0xE0000247)
ERROR: Adding driver to the driver store failed!!
Execution returned exit code:  2
Error excuting ""C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxDrvInst.exe...

I found that the Oracle certificate that had been used to sign the Guest Additions device drivers, security catalog files, and so on, has a certification path for which the only trusted root certificate, in a new installation of Windows Server 2022, is a DigiCert Assured ID Root CA certificate signed by Microsoft. That root certificate expired on April 15, 2021, as described in this Microsoft document:

 https://docs.microsoft.com/en-us/windows-hardware/drivers/install/deprecation-of-software-publisher-certificates-and-commercial-release-certificates

If the guest had been able to reach the Internet, I think the Automatic Root Certificates Update feature of Windows would have installed a better root certificate automatically. This guest had to remain offline, so I worked around the problem by installing an unexpired version of the DigiCert CA certificate into the Local Machine/Trusted Root Certification Authorities store, as I described in the forum:

 https://forums.virtualbox.org/viewtopic.php?f=1&t=104204

The certificate I installed is:

 https://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt

After this, when I ran the Guest Additions installation again, it was successful.

For reference, I installed Windows Server 2022 from the following image, published on visualstudio.com: en-us_windows_server_version_2022_updated_october_2021_x64_dvd_b6e25591.iso

If it’s not feasible to fix this problem by signing the Guest Additions using a certificate for which a trusted, unexpired root certificate exists by default in all Windows installations, then I’d suggest including a copy of the DigiCert certificate with the Guest Additions and prompting the user to install it, if needed.

This shouldn’t be done silently, by the way: I’ve used VirtualBox to investigate other certificate-related problems like this one, and having any non-default certificate appear on its own would be unfortunate.
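
An added example, not part of the original ticket and not Oracle's code: a PowerShell check to run inside the guest that reports, for each signed file in the Guest Additions folder named in the setup log above, which certificate its chain ends in, whether that certificate is in the Local Machine root store, and when it expires. The function name Get-SignerChainSummary and the set of file extensions scanned are assumptions made for this example.

```powershell
# Added example, not from the ticket.
param(
    # Install folder as shown in the setup log on this page.
    [string]$Dir = 'C:\Program Files\Oracle\VirtualBox Guest Additions'
)

function Get-SignerChainSummary {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        # No embedded or catalog signature was found for this file.
        return [pscustomobject]@{ File = (Split-Path $Path -Leaf); Status = $sig.Status }
    }

    # Skip revocation lookups so an offline guest is not reported as failing
    # only because a CRL or OCSP server is unreachable.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($sig.SignerCertificate)

    # The last element is the highest certificate Windows could find locally;
    # with a partial chain this is not a trusted root.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        File           = Split-Path $Path -Leaf
        Status         = $sig.Status
        Signer         = $sig.SignerCertificate.Subject
        ChainTop       = $top.Subject
        TopNotAfter    = $top.NotAfter
        TopInRootStore = Test-Path ("Cert:\LocalMachine\Root\" + $top.Thumbprint)
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Summarise every catalog, driver and executable in the install folder.
Get-ChildItem -Path (Join-Path $Dir '*') -Include *.cat, *.sys, *.exe |
    ForEach-Object { Get-SignerChainSummary -Path $_.FullName } |
    Format-List

# List every copy of the DigiCert root in the machine store with its issuer
# and expiry date, so an expired or cross-signed copy is visible.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*DigiCert Assured ID Root CA*' } |
    Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint
```

An empty ChainStatus means the chain built without errors; values such as NotTimeValid, PartialChain or UntrustedRoot indicate where it broke.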

Change History

comment:1 Changed 2 months ago by Harold Hare

I am having the same problem with Windows 8 64-bit. I tried the fix in Ticket #20628 and was able to download and install the suggested certificate but got the same error. I can install version 6.1.26 with no problem, so presumably the problem lies with the certificate.

comment:2 Changed 6 weeks ago by sorbet

Same problem with VirtualBox 6.1.30 and a Windows 7 guest on a Fedora 35 host.

comment:3 follow-up: ↓ 6 Changed 6 weeks ago by klaus

Can you try (of course after removing the manually added certificate again or with a fresh, unmodified VM) with the separately downloadable 6.1.30 guest additions,  https://download.virtualbox.org/virtualbox/6.1.30/VBoxGuestAdditions_6.1.30.iso?

It isn't quite the same as the GA iso included in the VirtualBox package (the drivers are signed differently).

Oh, and regarding the idea to include the necessary certificates: they've been in the directory "cert" on the GA ISO for many years now, together with a utility which can be used to update the trusted publisher cert store. The command line needed is VBoxCertUtil.exe add-trusted-publisher vbox*.cer.

comment:4 Changed 6 weeks ago by klaus

The use of VBoxCertUtil.exe is mentioned in the manual, too, see https://www.virtualbox.org/manual/ch04.html#additions-windows-install-unattended

comment:5 Changed 6 weeks ago by w16r

Thank you for the update.

I can confirm that the Guest Additions from VBoxGuestAdditions_6.1.30.iso linked above, with driver security catalogs that were signed using the "Microsoft Windows Hardware Compatibility Publisher" certificate, can be installed as expected on a Windows Server 2022 guest that has neither Internet access nor the DigiCert certificate.

comment:6 in reply to: ↑ 3 Changed 6 weeks ago by fth0

Replying to klaus:

It isn't quite the same as the GA iso included in the VirtualBox package (the drivers are signed differently).

The GA in the VirtualBox package and the separately downloadable GA both provide the same additional certificates. For which setups do I need the additional certificates and the GA from the VirtualBox package, and for which setups do I need the additional certificates and the separately downloadable GA?

Edit: Question withdrawn. The difference between the GA variants has to do with the Microsoft attestation signing, and the additional certificates have to do with the Oracle signing. They are alternatives for different situations.

Last edited 5 weeks ago by fth0

comment:7 Changed 5 weeks ago by dyantech

I am provisioning some Windows machines in this repository:  https://github.com/ArloL/modern-ie-vagrant

Sadly 6.1.28 and 6.1.30 both do not work. You can see screenshots of the error messages here:

 https://github.com/ArloL/modern-ie-vagrant/issues/8

The script that is used is  https://github.com/ArloL/modern-ie-vagrant/blob/main/scripts/provision.ps1#L18

Sadly using VBoxCertUtil.exe is not possible since some of the virtual machines are 32-bit.

Edit: I am using the downloaded ISO and falling back to 6.1.26 works:  https://github.com/ArloL/modern-ie-vagrant/commit/82bdaf91b4be37567467d7b75b779e4326dd489d

Last edited 5 weeks ago by dyantech