[Libosinfo] [PATCH 2/3] install-config, winxp, win7: API to enable/disable driver signing

Christophe Fergeau cfergeau at redhat.com
Thu Mar 14 16:03:47 UTC 2013 

On Thu, Mar 14, 2013 at 05:46:11PM +0200, Zeeshan Ali (Khattak) wrote:
> On Thu, Mar 14, 2013 at 5:22 PM, Christophe Fergeau <cfergeau at redhat.com> wrote:
> > On Thu, Mar 14, 2013 at 04:16:58AM +0200, Zeeshan Ali (Khattak) wrote:
> >> From: "Zeeshan Ali (Khattak)" <zeeshanak at gnome.org>
> >>
> >> While I thought that I had solved the problem of Windows requiring
> >> signed device drivers and QXL driver being unsigned, I could't be more
> >> wrong:
> >>
> >> * The registry key magic I used for disabling driver signature checks
> >>   on XP seems to be far from reliable. I tested it many many times but
> >>   on a weird broken version of XP home edition that I can't seem to
> >>   have access to anymore. I now tested against both home and professional
> >>   editions both with and without this registry key magic and I observed
> >>   the same result in both cases: Drivers do get installed but they remain
> >>   unused by the OS after installation. The only reliable way of
> >>   effectively disabling signture checks during installation is through
> >>   the 'DriverSigningPolicy' option in .sif file, which means disabling
> >>   signature checks permanently.
> >> * On Windows 7, disabling integrity checks and test signing after
> >>   drivers' installation disables the already installed drivers too if
> >>   they are not signed.
> >> * The reason I thought QXL was functional at first was that automatic
> >>   resolution setting was working. Turns out that unlike on Linux, on
> >>   windows automatic resolution setting only requires spice-vdagent where
> >>   as QXL is only required for arbitrary resolutions.
> >>
> >> So to make QXL working out of the box, I'm afraid we don't have any
> >> choice but to disable driver signature checks permanently. Since
> >> signature checks is a security measure from vendors, we need to leave
> >> it to applications to decide whether they want to do this or not.
> >
> > As whether driver signing is enabled or not is stored in the entity
> > property OSINFO_INSTALL_CONFIG_PROP_DRIVER_SIGNING, I'm under the
> > impression that if the user does not call _set_signing(), we will
> > default to disabling signing (the property is not set, so
> > we get FALSE when trying to read it, so signing is disabled).
> 
> If app does not call the setter explicitly, the
> OSINFO_INSTALL_CONFIG_PROP_DRIVER_SIGNING entity parameter is never
> set so when generating the script from the config,
> "config/driver-signing" in XSL evaluates to empty string.

Ah right, thanks for clarifying this.

> >> + */
> >> +void osinfo_install_config_set_driver_signing(OsinfoInstallConfig *config,
> >> +                                              gboolean signing)
> >> +{
> >> +    osinfo_entity_set_param_boolean(OSINFO_ENTITY(config),
> >> +                                    OSINFO_INSTALL_CONFIG_PROP_DRIVER_SIGNING,
> >> +                                    signing);
> >> +}
> >> +
> >
> > Why no API doc for get_driver_signing?
> 
> In case of simple getter/setter that will generally have more of less
> the same to say in the docs, I skip it for one (depending on which
> will be most used) but if you want I can add something.

It feels weird to have doc for only one of the methods, you can have
something like 'Indicates whether signing is currently enabled or not, see
osinfo_install_config_set_driver_signing() for more details about signing".
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libosinfo/attachments/20130314/a76d273a/attachment.sig>

More information about the Libosinfo mailing list