From 6e4ff875fc8b575010daa21648aae725972d49f5 Mon Sep 17 00:00:00 2001
From: Wenying Dong
Date: Wed, 17 Jul 2024 23:23:41 -0700
Subject: [PATCH] [Windows] Fix access denied issue in OVS cert import (#6529)

An "Access is denied" error is possibly returned when importing certificate into the trusted publishers store at the first time on a fresh Windows 2022 Node. To resolve the issue, this change uses the "Add" method provided by certificate stre as an alternative when importing to trusted publishers.

Signed-off-by: Wenying Dong
---
 hack/windows/Install-OVS.ps1 | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/hack/windows/Install-OVS.ps1 b/hack/windows/Install-OVS.ps1
index a648582c242..3f17c974b21 100644
--- a/hack/windows/Install-OVS.ps1
+++ b/hack/windows/Install-OVS.ps1
@@ -175,7 +175,14 @@ function CheckAndInstallOVSDriver {
 $ExportType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
 $Cert = (Get-AuthenticodeSignature $DriverFile).SignerCertificate
 [System.IO.File]::WriteAllBytes($CertificateFile, $Cert.Export($ExportType))
- Import-Certificate -FilePath "$CertificateFile" -CertStoreLocation cert:\LocalMachine\TrustedPublisher
+ # Use certstore.Add to import cert into trusted publishers instead of Import-Certificate,
+ # otherwise an error "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"
+ # may occur when `Import-Certificate` is used to import a certificate to the trusted publisher
+ # store for the first time on a fresh Windows 2022 Node. See issue #6530.
+ $CertStore = Get-Item cert:\LocalMachine\TrustedPublisher
+ $CertStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
+ $CertStore.Add($(Get-Item $CertificateFile).FullName)
+ $CertStore.Close()
 Import-Certificate -FilePath "$CertificateFile" -CertStoreLocation cert:\LocalMachine\Root
 # Install the OVSext driver with the desired version
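Review bot: `$CertStore.Add($(Get-Item $CertificateFile).FullName)` hands `Add` a path string, so what lands in TrustedPublisher is whatever PowerShell re-reads from `$CertificateFile` at that moment, not the `$Cert` object taken from the driver's signature three lines earlier. `$CertStore.Add($Cert)` would remove the dependence on the file on disk and on the implicit string-to-certificate conversion. The store also stays open if `Add` throws, so I would write it as `try { $CertStore.Add($Cert) } finally { $CertStore.Close() }`. Separately, nothing in the visible lines checks which signer is being made a machine-wide trusted publisher. CheckAndInstallOVSDriver begins and ends outside this hunk, so if no earlier code does this already, comparing `$Cert.Thumbprint` with an expected value before the import would be worth adding.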