v6.1.37 Test Build 152627 - Fails to Install

[Jacob Klein]

The instructions on the test build page are now updated. Sorry that it took so long... Hope it is clear enough.

Thanks! My only additional request might be to consider explaining why we need to do the additional step. From a security standpoint, performing the step sounds risky if we're not fully aware of what it is doing. If that makes sense. Consider it.

I'll be sure to test the additional step in the next TestBuild. Thank you for adding some instructions.

[klaus]

It's pretty difficult to explain (especially without doubling the size of the test build page) what the additional timestamping CA is achieving in detail. Code signing is a very complicated subject unfortunately. Let me try a quick high level outline:

The timestamping CA is used to create 'custom' SHA-1 signatures for the VirtualBox drivers. Note that there is always an additional SHA-256 signature on the drivers which is done in the usual way (using a cert issued by the DigiCert CA which is Oracle's certificate supplier).

For normal VirtualBox releases we're passing our drivers to Microsoft for "attestation signing", which means that they're considered trusted by Windows 10 and later due to bearing a Microsoft signature. This is a time consuming process which we've been skipping for test builds, and that means Windows 10 and later would refuse to install the VirtualBox drivers from a test build, unless trust is established by having a signature which relies on the old Microsoft cross-certificate mechanism.

[Jacob Klein]

Perhaps it could say something like:
"Test builds require the timestamping CA as a trust authority, because Windows requires a trust authority for the drivers, and test builds are released without waiting on attestation signing by Microsoft."