[Windows] Fix access denied issue in OVS cert import #6529
Conversation
/test-windows-all
2af0434 to e8e90db
# performed on a fresh Windows 2022 Node.
$CertStore = Get-Item cert:\LocalMachine\TrustedPublisher
$CertStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
$CertStore.Add($(Get-Item $CertificateFile).FullName)
Import the certificate from the file into an X509Certificate2 object and then add that object to the store!
$CertStore.Add($(Get-Item $CertificateFile).FullName)
# Load the certificate from the file into an X509Certificate2 object
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certificate.Import((Get-Item $CertificateFile).FullName)
# Add the certificate to the store
$CertStore.Add($certificate)
@rajnkamr, I have verified that my solution does work. I don't think it is necessary to explicitly create a new object for the certificate; instead, when we use a file path to add into the cert store, Windows OS would load the cert automatically. My current solution (using a file path as a parameter) is supported by Windows.
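The store-level Add() path discussed above, written out as an added example (not code from the PR or from the Install-OVS.ps1 script): it loads the X509Certificate2 explicitly, opens the LocalMachine store ReadWrite, skips the Add when the same thumbprint is already present, always closes the store, and verifies the import through a fresh lookup. It assumes an elevated shell and a hypothetical certificate path.

```powershell
# Added example; not the project's script. Assumes the shell is elevated
# (LocalMachine stores need admin rights) and that $CertFile is a .cer file.
function Add-CertificateToStore {
    param(
        [Parameter(Mandatory)] [string] $CertFile,
        [string] $StoreName = 'TrustedPublisher'   # or 'Root'
    )
    $fullPath = (Get-Item -LiteralPath $CertFile).FullName

    # Load the file explicitly so a malformed file fails here, not inside Add()
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

    # Open the machine store directly instead of going through Import-Certificate
    $store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $StoreName, 'LocalMachine'
    try {
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)

        # Idempotent: do not add a second copy if the thumbprint is already present
        $existing = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
            $cert.Thumbprint, $false)
        if ($existing.Count -gt 0) {
            Write-Host "Certificate $($cert.Thumbprint) already in $StoreName, skipping"
        } else {
            $store.Add($cert)
            Write-Host "Added $($cert.Subject) ($($cert.Thumbprint)) to $StoreName"
        }
    } finally {
        # Always release the store handle, even if Open() or Add() threw
        $store.Close()
    }

    # Verify with a fresh lookup rather than trusting that Add() silently succeeded
    $check = Get-ChildItem "Cert:\LocalMachine\$StoreName" | Where-Object Thumbprint -eq $cert.Thumbprint
    if (-not $check) {
        throw "Certificate $($cert.Thumbprint) not found in $StoreName after import"
    }
    return $cert.Thumbprint
}

# Hypothetical path; the real installer derives the file from the OVS package
Add-CertificateToStore -CertFile 'C:\openvswitch\package.cer'
```

Run it once for TrustedPublisher and once with `-StoreName Root` when the signing chain also needs to be trusted; the second run on the same file is a no-op because of the thumbprint check.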
/test-windows-all
/test-all
LGTM, a nit about the comment.
hack/windows/Install-OVS.ps1
# (issue #6530) is possibly hit when the import-certificate to trusted publisher store is firstly
# performed on a fresh Windows 2022 Node.
# (issue #6530) is possibly hit when the import-certificate to trusted publisher store is firstly
# performed on a fresh Windows 2022 Node.
# may occur when `Import-Certificate` is used to import a certificate to the trusted publisher
# store for the first time on a fresh Windows 2022 Node. See issue #6530.
updated.
Does this need to be backported?
I don't think so. The changes to import the cert into both the trusted store and the root store for all versions (including both signed and unsigned certs) are introduced in this version (v2.1), and the "Access is denied" error is seen on Windows Server 2022, which is first supported in v2.1 too. So it shall be OK to keep the change in this version.
An "Access is denied" error is possibly returned when importing a certificate into the trusted publishers store for the first time on a fresh Windows 2022 Node. To resolve the issue, this change uses the "Add" method provided by the certificate store as an alternative when importing to trusted publishers. Signed-off-by: Wenying Dong <wenyingd@vmware.com>
e8e90db to 1ecdba0
/test-windows-all
Got it, then I will remove
All windows tests are passed in our CI testbed (I tried 3 rounds of test, and all passed), and the change is also verified on a setup with fresh Windows 2022 Nodes. Can we move it forward? @tnqn
An "Access is denied" error is possibly returned when importing a certificate into the trusted publishers store for the first time on a fresh Windows 2022 Node.
To resolve the issue, this change uses the "Add" method provided by the certificate store as an alternative when importing to trusted publishers.
Fix: #6530