My OS: Windows 7 sp1 64 bit

Although the downloadable qxl driver binary[1] is signed with a Red Hat cert rooted at verisign, it will still not load unless test mode is turned on[2].

Much reading, pursuit of false trails, brain fry and general gnashing of teeth has led me to believe that this could be fixed by cross signing with the microsoft-verisign cross certificate downloadable from the bottom of this page:

http://msdn.microsoft.com/en-us/windows/hardware/gg487315

A walk through on driver signing from microsoft:

http://msdn.microsoft.com/en-us/windows/hardware/gg487328

describes how to do this, but it boils down to:

Sign it something like this:

signtool sign /v /ac MSCV-VSClass3.cer /f redhat.cer /t http://timestamp.verisign.com/scripts/timestamp.dll qxl.cat qxl.sys qxldd.dll

where MSCV-VSClass3.cer is the dowloaded cross certificate and /f redhat.cer assumes the redhat signing certificate normally used to sign the drivers is in a file called redhat.cer.

It's the /ac MSCV-VSClass3.cer bit that's different from what's being done now.

You can verify that this worked by doing this:

signtool verify /kp /v /c qxl.cat qxl.sys

which will show the certificate chain and verify that it is now rooted in a Microsoft cert.

Unfortunately I've not been able to test the signing and verification because I would need access to the Red Hat signing certificate (with private key) to do so. 

[1] tested with:
http://www.spice-space.org/download/binaries/qxl-0.10-20112808.zip
http://www.spice-space.org/download/binaries/qxl-win-0.1010-20110308-d9eb3203bd.zip

[2] as described in http://spice-space.org/page/WinQXL