Bug 29456 - Update of the GPLPV drivers
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Virtualization - Xen
UCS 3.0
Other Linux
: P5 enhancement
: UCS 3.2
Assigned To: Philipp Hahn
Felix Botner
: interim-2
Depends on:
Blocks: 31669
Reported: 2012-11-29 12:35 CET by Tim Petersen
Modified: 2013-11-19 06:41 CET
Description Tim Petersen univentionstaff 2012-11-29 12:35:16 CET
As part of ticket #2012081521000904, a test version (372) of the GPLPV drivers was developed which fixed previously unknown behaviour on Windows 2003R2 instances in connection with certain database connections/network traffic.

Adopting it should accordingly be evaluated for an upcoming release.
Comment 1 Stefan Gohmann univentionstaff 2012-11-29 12:37:15 CET
Evaluation for UCS 3.2.
Comment 2 Janis Meybohm univentionstaff 2013-09-06 12:13:23 CEST
We now have a second code-signing certificate from VeriSign, which we need for signing the UEFI bootloader. I would therefore ask to check whether we can also use it for the GPLPV drivers (then we don't have to pay for both ...).
Certificate, chain and key are located under:
/home/groups/77_entwicklung/89_ssl-zertifikate/symantec_codesigning
Comment 3 Philipp Hahn univentionstaff 2013-09-16 15:50:51 CEST
GPLPV-0.11.0-372 was imported and built and copied to svn:
r44085 | Bug #29456: xen-gplpv: Update packaging
r44084 | Bug #29456: xen-gplpv: Build 372
r44083 | Bug #29456: xen-gplpv: Update to 0.11.0.372
r44082 | Bug #29456: xen-gplpv: Update packaging

univention-xen-gplpv_11.0.372-1.8.201309161525
The GPLPV drivers were updated to version 0.11.0-372


Installation on Windows7_x64 was successful except the shutdown monitor; see
<https://forge.univention.org/bugzilla/show_bug.cgi?id=21397#c13>; if run manually, it works.

Installation on WindowsXP did lock up during "Xen Block Device Driver" installation on the first try, but succeeded on the second try: Reason unknown.


(Xen-VMs for WindowsXP and Windows7 are available on xen5 before GPLPV drivers were installed; see LVM-snapshots /dev/vg_ucs/w*-sp3)

(In reply to Janis Meybohm from comment #2)
> We now have a second code-signing certificate from VeriSign, which we need
> for signing the UEFI bootloader. I would therefore ask to check whether we
> can also use it for the GPLPV drivers (then we don't have to pay for
> both ...).
> Certificate, chain and key are located under:
> /home/groups/77_entwicklung/89_ssl-zertifikate/symantec_codesigning

Switched from GlobalSign to VeriSign certificate. Build-Instructions on <https://hutten.knut.univention.de/mediawiki/index.php/WindowsGPLPVBuild> were updated accordingly.

$ openssl x509 -noout -issuer -enddate -in Univention_CodeSigning_Certificate.pem
issuer= /C=BE/O=GlobalSign nv-sa/CN=GlobalSign CodeSigning CA - G2
notAfter=Aug 31 09:06:45 2014 GMT

$ openssl x509 -noout -issuer -enddate -in Univention_Class_3_Code_Signing_2010.pem 
issuer= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Code Signing 2010 CA
notAfter=Sep  6 23:59:59 2014 GMT

The CA can be selected from UCS by running
  cd virtualization/univention-xen-gplpv && make -C cert install CA=VeriSign
which copies the PKCS12 (univention.p12), DER (univention.der) and CrossCert (crosscert.pem) files to ../win-pvdrivers/. After that the PKCS12 password must be manually put into ../win-pvdrivers/sign_config.bat.


At least Windows XP does not recognize the CA hierarchy completely. This is probably caused by VeriSign switching to a new 2K RSA key in 2008(?), but XP only recognizes the old 1K RSA key. As far as I know that issue is not new, so I did not fix it for the new version. Read <http://www.64k-tec.de/2011/02/kernel-driver-code-signing-with-the-verisign-class-3-primary-ca-g5-certificate/> for some more information.
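
A pre-build check in the spirit of the openssl commands in comment 3, added here as an illustration and not part of the bug report or of Univention's build tooling: it prints issuer, end date and public-key size for a PEM certificate and fails when the certificate expires within a given window. The function names, the 90-day default and the self-signed sample certificate are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: sanity check for a code-signing (or CA/cross) certificate
# in PEM form before it is used for a driver build.

# Print the public-key size in bits as reported by "openssl x509 -text".
cert_key_bits() {
    openssl x509 -noout -text -in "$1" |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# cert_report FILE [DAYS]
# Returns 0 if FILE stays valid for more than DAYS days (default 90, an
# assumed policy value), 1 if it expires sooner, 2 if it cannot be parsed.
cert_report() {
    cert=$1
    days=${2:-90}
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || {
        echo "$cert: not a readable PEM certificate" >&2
        return 2
    }
    openssl x509 -noout -issuer -enddate -in "$cert"
    echo "key_bits=$(cert_key_bits "$cert")"
    # -checkend takes seconds; non-zero exit means "expires within that time".
    if openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null
    then
        echo "status=ok (valid for more than $days days)"
    else
        echo "status=EXPIRING (within $days days, or already expired)"
        return 1
    fi
}

# Constructed test input: a throwaway self-signed certificate valid for
# $2 days, written to $1. It stands in for the real signing certificates.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=Constructed Test Signer" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo: a sample certificate with 30 days left fails a 90-day window.
tmpdir=$(mktemp -d)
make_sample_cert "$tmpdir/sample.pem" 30
cert_report "$tmpdir/sample.pem" 90 || echo "-> renew before the next build"
rm -rf "$tmpdir"
```

The key size printed is that of whichever certificate is passed in, so the same function can be pointed at a CA or cross certificate as well as at the signing certificate.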
Comment 4 Felix Botner univentionstaff 2013-09-25 15:53:21 CEST
OK - tested with

 * winxp x86
 * win7 x86
 * win8 x64
 * w2k8r2 x64
 * w2k12 x64
Comment 5 Stefan Gohmann univentionstaff 2013-11-19 06:41:31 CET
UCS 3.2 has been released:
 http://docs.univention.de/release-notes-3.2-en.html
 http://docs.univention.de/release-notes-3.2-de.html

If this error occurs again, please use "Clone This Bug".