[Windows] Fix access denied issue in OVS cert import (#6529)

An "Access is denied" error is possibly returned when importing certificate into the trusted publishers store at the first time on a fresh Windows 2022 Node. To resolve the issue, this change uses the "Add" method provided by certificate stre as an alternative when importing to trusted publishers. Signed-off-by: Wenying Dong <[email protected]>
antrea-io · Jul 18, 2024 · 6e4ff87 · 6e4ff87
1 parent 5cee770
commit 6e4ff87
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/hack/windows/Install-OVS.ps1 b/hack/windows/Install-OVS.ps1
@@ -175,7 +175,14 @@ function CheckAndInstallOVSDriver {
     $ExportType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
     $Cert = (Get-AuthenticodeSignature $DriverFile).SignerCertificate
     [System.IO.File]::WriteAllBytes($CertificateFile, $Cert.Export($ExportType))
-    Import-Certificate -FilePath "$CertificateFile" -CertStoreLocation cert:\LocalMachine\TrustedPublisher
+    # Use certstore.Add to import cert into trusted publishers instead of Import-Certificate,
+    # otherwise an error "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"
+    # may occur when `Import-Certificate` is used to import a certificate to the trusted publisher
+    # store for the first time on a fresh Windows 2022 Node. See issue #6530.
+    $CertStore = Get-Item cert:\LocalMachine\TrustedPublisher
+    $CertStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
+    $CertStore.Add($(Get-Item $CertificateFile).FullName)
+    $CertStore.Close()
     Import-Certificate -FilePath "$CertificateFile" -CertStoreLocation cert:\LocalMachine\Root
 
     # Install the OVSext driver with the desired version