VBox 7.0.12 GA cannot verify digital signature Windows 7

[TheawesomeMCB]

So I'm having this massive issue. I'm on version Version 7.0.12 r159484 (Qt5.15.2). And for some odd reason it kept getting caught into an boot loop startup repair for windows 8/8.1 that it reported it couldn't fix after I installed the guest additions. And I'm not taking about an soft boot loop that I can go into safe mode and uninstall it. No... not even safe mode worked I had to go to the command prompt in the recovery screen, run the del command to the sys file (See screenshot) to get it booted again. I tried the refresh this PC as well... and that didn't work. The only way that it worked again was hitting the reset this PC or deleting that file. I did the 7.0.6 guest additions instead. And it booted perfectly fine. But it doesn't seem to like version 7.0.12. I managed to use the command prompt in the advanced options to pull up the log file and this is what I found.

cause of fail boot.PNG (20.54 KiB) Viewed 24490 times

Windows 7 and vista (both 64 bit) reports the disk as it can't verify the digital signature for VBoxWindowsAdditions.exe, and trying the amd64 says it installs but doesn't upgrade the guest additions from 7.0.10 (At least on windows 7 in this case, vista untested). Windows xp 64 bit reboots into black screen when reaching desktop. windows xp 32bit boots fine with the updated guest editions. So there is something going on with the guest editions.
Windows 11 and 10 boot fine with the .12
Windows 8/8.1 won't boot with the guest editions installed with .12
windows 7 64bit (And possibily 64bit vista) says broken signature and wont install it at all.

windows7error-min.PNG (122.81 KiB) Viewed 24490 times

xp 64 bit boots to black screen, and 32bit xp unaffected.

[fth0]

This is a known issue with the VirtualBox Guest Addtitions 7.0.12 (see #21875). For the time being, I'd suggest to use the VirtualBox Guest Additions 7.0.10 (see Re: Discuss the VirtualBox 7.0.12 release here and the whole thread around it for details).

[geodem]

Hello,

it is also for Virtualbox 6.1.48. I install the guest addition on Windows7 32 Bit. And the VM is destroyed. If it is a known issue, why is there nothing to read on the download page?

Thank you Oracle

[mpack]

? We don't conduct release discussions on the Downloads page. That's on an entirely different site.

[Volker S]

I have Windows 7 installed as a guest on Linux Mint. When I installed the update of Virtualbox to 7.0.12 (along with Extension_Pack-7.0.12), I started the virtual Win7. The VBoxGuestAdditions_7.0.12 was then installed there (with an error message).
After the restart I got a black screen with the error message "Windows cannot verify the digital signature for this file...". I then started Win7 in safe mode and when I rebooted, the usual Win7 interface appeared.
However, the following oddities occur: Some programmes take much longer to start and all shared drives are no longer there. When I shut down, I get the following picture:

Win7_vir_runter fahren.jpg (20.11 KiB) Viewed 24370 times

[scottgus1]

@ Volker S, please look above in this topic. It's a known problem, and workarounds are presented.

[Volker S]

I prefer to wait for a new version, since my virtual Windows starts (use working startup files for the last one). Only one programm starts slower and I don't see the error (see image above this thread) when shutting down when I exit the machine with "Save state".
I think restoring the last working startup files of Windows saved me (so that the faulty vboxguest.sys was replaced by the old driver). That's enough for me for now.

[scottgus1]

I don't see the error (see image above this thread) when shutting down when I exit the machine with "Save state".

Saved state isn't actually shutting down. It's like Windows Hibernation. And it can fail, especially if the Virtualbox version changes.

You can always restore your VM from your backups you took before you made the version change.

[Boxy]

I could be wrong, but as I now understand it, this is needed because Microsoft will no longer sign drivers in a way that is compatible with Windows 7/8/8.1.

Such a limitation already exists since a few years, and the VirtualBox developers found a workaround back then (note the "VirtualBox for legacy Windows Only Timestamp Kludge 2014" certificate that didn't exist in 2014 ).

If you're talking about a change new in 2023, please provide an information source.

Wouldn't a chan require an MS update of the guest system ?
Last updates of my Win 7:
[*]MRT: end of August
[*].NET + MRT: end of June
but VB 6.1.46 was released on 18. July and installed normal.

https://learn.microsoft.com/en-us/windo ... and-later-
last update 06/08/2022 (but states a special signing method for protected audio/video drivers, maybe this "cross-signing" depends on an expired MS certificate ?)

[Boxy]

Hello,

it is also for Virtualbox 6.1.48. I install the guest addition on Windows7 32 Bit. And the VM is destroyed. If it is a known issue, why is there nothing to read on the download page?

Thank you Oracle

I always do snapshot before upgrading guest additions - that's the real advantage of a virtual system

[ant]

Hello,

it is also for Virtualbox 6.1.48. I install the guest addition on Windows7 32 Bit. And the VM is destroyed. If it is a known issue, why is there nothing to read on the download page?

Thank you Oracle

I always do snapshot before upgrading guest additions - that's the real advantage of a virtual system

Ditto. ALso, make back up of VMs.

[fth0]

@Boxy:
The VirtualBox developers and I think that we know what the problem is:

The VirtualBox development used a new server to build VirtualBox 6.1.48 + 7.0.12, and for some (yet unclear) reason the new server didn't integrate the cross-signing certificate of the SHA-1 certificate chain (from Microsoft for VeriSign) into the VirtualBox binaries. (This cross-signing certificate already expired in 2021, but that wasn't a problem on the old build server so far.) Since the SHA-1 certificate chain can only be used on Windows 8.1 and older, the problem only surfaces in those guest OSes for the VirtualBox users.

The difficulty of finding the cause of (and a solution to) the problem is that Microsofts handling of those cross-signing certificates isn't well documented, that they're implicitly integrated when signing binaries, and that they're not kept in the "normal" Windows certificate stores, so you cannot simply circumvent the problem like in the case of missing "normal" certificates.

[Boxy]

... Since the SHA-1 certificate chain can only be used on Windows 8.1 and older, the problem only surfaces in those guest OSes for the VirtualBox users...

I'm not that deep into Windows business but there was an update at least to Windows 7
https://support.microsoft.com/en-us/top ... a4cde8e64f
"August 13, 2019 ...The support released in March (KB4474419 and KB4490628) will be required in order to continue to receive updates on these versions of Windows..."
"January 28,2020 Signatures on the Certificate Trust Lists (CTLs) for the Microsoft Trusted Root Program changed from dual-signed (SHA-1/SHA-2) to SHA-2 only. No customer action required."

I found a blog at G. Born (sorry, german language): https://www.borncity.com/blog/2019/06/1 ... e-problem/
about "Windows Update" SHA-2 Code Signing Support problems as KB4472027 didn't install in Wind 7-32.

I don't know if the SHA-1 removal concerns driver signatures too - but if so, cross-signing with a MS SHA-2 certificate may be a choice (unfortunately only for Win 7 SP1 guests that installed the fixes mentioned on the MS support site above. But as I said, I'm not a specialist regarding Windows.

[fth0]

@Boxy:

Thanks for trying to help!

The information you provided is already known, and SHA-2 signatures (including a cross-signing certificate) are already in use for years. But perhaps its time to eliminate the SHA-1 signatures and force the VirtualBox users to install the Microsoft updates ...

[karabaja4]

I'm not sure if it's relevant, but Nvidia drivers have the exact same issue.

2023-10-31_23-25.png (114.2 KiB) Viewed 24009 times

Installing 474.30 (those that don't have "WHQL") or later on Windows 8.1 will result in the following in device manager:

Code: Select all

Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52

or Code 52 - CM_PROB_UNSIGNED_DRIVER

There is a thread on NVidia forums about this, search Google for: "47430-driver-is-broken-missing-digital-signature" (I can't post links). (mod edit: maybe https://www.nvidia.com/en-us/geforce/fo ... signature/)

I don't think it's a coincidence that 474.11 (WHQL) work and 474.30 (non-WHQL) stopped working with the exact same issue as VirtualBox GA. There should be a common cause inside Windows.