Certificate install to local machine fails with code 26352


Certificate install to local machine fails with code 26352

Chris Bardon
I've had some users complain about a problem with an installer that
attempts to add a certificate to the trusted root cert store.  I added a
component to my setup that looks like this:

 

<Component Id="RootCA" Guid="A1106EC4-9546-4a4f-AE6D-4F94DE066C0E" Permanent="yes">
  <Condition>CERTPATH</Condition>
  <CreateFolder/>
  <iis:Certificate Name="CTTCA" Id='CTTCA' Request='no'
                   CertificatePath='[CERTPATH]' StoreLocation='localMachine'
                   StoreName='root'/>
</Component>

 

Most of the time, this works fine, and the root CA cert is put in the
local machine store (so the app can form TLS connections based on the
certs our CA issues).  In some cases though, the installer will fail
with error 26352, and I've found that removing the certificate install
option lets the installer run successfully.  In all the cases where this
happens, I've noticed that the local machine and current user stores
contain multiple certificates with the same name.  I'm not sure how to
replicate this (since every time I try to add a certificate twice it
fails), but if nothing else, I'd like to be able to fail
non-catastrophically if the certificate install fails.  Is there a way
to make the certificate component non-vital, so that if it fails to
install to the store, the rest of the application can still be
installed?  

 

I'm going to try using the Overwrite attribute on the certificate
element to see if that helps.  

 

Thanks!

 

Chris

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
WiX-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/wix-users

Re: Certificate install to local machine fails with code 26352

Rob Mensching-2
I doubt overwrite will help.  Can you get a log file from a failure?  That will go a long way to diagnosing the problem.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Friday, September 26, 2008 07:22
To: General discussion for Windows Installer XML toolset.
Subject: [WiX-users] Certificate install to local machine fails with code 26352


Re: Certificate install to local machine fails with code 26352

Chris Bardon
I managed to get a log for the failure - here's the relevant section:

MSI (s) (E0:BC) [15:46:35:871]: Executing op: ActionStart(Name=RollbackAddMachineCertificate,,)
Action 15:46:35: RollbackAddMachineCertificate.
MSI (s) (E0:BC) [15:46:35:874]: Executing op: CustomActionSchedule(Action=RollbackAddMachineCertificate,ActionType=11521,Source=BinaryData,Target=**********,CustomActionData=**********)
MSI (s) (E0:BC) [15:46:35:875]: Executing op: ActionStart(Name=AddMachineCertificate,,)
Action 15:46:35: AddMachineCertificate.
MSI (s) (E0:BC) [15:46:35:876]: Executing op: CustomActionSchedule(Action=AddMachineCertificate,ActionType=11265,Source=BinaryData,Target=**********,CustomActionData=**********)
MSI (s) (E0:F0) [15:46:35:887]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIC98F.tmp, Entrypoint: AddMachineCertificate
MSI (s) (E0:F0) [15:46:35:887]: Generating random cookie.
MSI (s) (E0:F0) [15:46:35:901]: Created Custom Action Server with PID 4628 (0x1214).
MSI (s) (E0:64) [15:46:36:554]: Running as a service.
MSI (s) (E0:64) [15:46:36:557]: Hello, I'm your 32bit Elevated custom action server.
AddMachineCertificate:  Adding certificate: CTTCA
AddMachineCertificate:  Error 0x80070005: Failed to add certificate to the store.
The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 26352. The arguments are: -2147024891, ,
MSI (s) (E0!38) [15:46:39:008]: Product: iceBAR -- The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 26352. The arguments are: -2147024891, ,

AddMachineCertificate:  Error 0x80070005: Failed to install certificate.
AddMachineCertificate:  Error 0x80070005: Failed to install per-machine certificate.

I checked the local machine store on the machine where the failure
happened, and the cert was already in the store twice (same serial
number).  I'm not sure what happened to get it there multiple times, but
I can't have my installer failing like this if the cert is already
there.

Anyone have any ideas?  

-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Friday, September 26, 2008 12:36 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with
code 26352

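Added example (not part of the original thread, and not WiX code): a small triage script that reads an MSI log excerpt like the one posted above, converts the signed argument of installer error 26352 into an HRESULT, and ties it to the custom action that logged it. The sample is the posted excerpt with the e-mail line wrapping removed; the function names and the short lookup tables are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the failing section of the log posted above, with the
# e-mail line wrapping removed. It is not a complete MSI log.
SAMPLE_LOG = r"""MSI (s) (E0:BC) [15:46:35:875]: Executing op: ActionStart(Name=AddMachineCertificate,,)
Action 15:46:35: AddMachineCertificate.
MSI (s) (E0:F0) [15:46:35:887]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIC98F.tmp, Entrypoint: AddMachineCertificate
MSI (s) (E0:64) [15:46:36:557]: Hello, I'm your 32bit Elevated custom action server.
AddMachineCertificate:  Adding certificate: CTTCA
AddMachineCertificate:  Error 0x80070005: Failed to add certificate to the store.
The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 26352. The arguments are: -2147024891, ,
MSI (s) (E0!38) [15:46:39:008]: Product: iceBAR -- The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 26352. The arguments are: -2147024891, ,

AddMachineCertificate:  Error 0x80070005: Failed to install certificate.
AddMachineCertificate:  Error 0x80070005: Failed to install per-machine certificate.
"""

# Deliberately small lookup tables: only well-known values, not a full list.
FACILITIES = {0: "FACILITY_NULL", 7: "FACILITY_WIN32", 11: "FACILITY_CERT"}
WIN32_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED",
                87: "ERROR_INVALID_PARAMETER", 1223: "ERROR_CANCELLED"}

MSI_ERROR_RE = re.compile(r"The error code is (\d+)\. The arguments are: (.*)")
CA_ERROR_RE = re.compile(r"^(\w+):\s+Error (0x[0-9A-Fa-f]{8}): (.+)$")
ENTRY_RE = re.compile(r"Entrypoint: (\w+)")


def decode_hresult(value: int) -> dict:
    """Split a (possibly signed) 32-bit HRESULT into its fields."""
    raw = value & 0xFFFFFFFF              # MSI prints the argument as a signed int
    facility = (raw >> 16) & 0x1FFF       # same mask as the HRESULT_FACILITY macro
    code = raw & 0xFFFF
    symbol = WIN32_ERRORS.get(code) if facility == 7 else None
    return {"hex": f"0x{raw:08x}", "failed": bool(raw >> 31),
            "facility": FACILITIES.get(facility, f"facility {facility}"),
            "code": code, "symbol": symbol}


@dataclass
class Finding:
    msi_error: int            # installer error number, e.g. 26352
    action: str               # custom action entry point that was running
    hresult: str              # first argument, as 0x-prefixed hex
    facility: str
    symbol: str               # symbolic Win32 name, or None if not in the table
    ca_messages: list = field(default_factory=list)


def triage(log_text: str) -> list:
    """Return one Finding per distinct (error, HRESULT, action) in the log."""
    ca_errors = {}            # action -> [(hresult_hex, message), ...]
    findings = {}
    entrypoint = None
    for line in log_text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            entrypoint = m.group(1)
        m = CA_ERROR_RE.match(line)
        if m:
            ca_errors.setdefault(m.group(1), []).append(
                (m.group(2).lower(), m.group(3)))
            continue
        m = MSI_ERROR_RE.search(line)
        if not m:
            continue
        first_arg = m.group(2).split(",")[0].strip()
        if not re.fullmatch(r"-?\d+", first_arg):
            continue          # argument is not a numeric status code
        hr = decode_hresult(int(first_arg))
        # The same error is logged twice (plain and "Product:" form); keep one.
        key = (int(m.group(1)), hr["hex"], entrypoint)
        findings.setdefault(key, Finding(key[0], entrypoint, hr["hex"],
                                         hr["facility"], hr["symbol"]))
    # Attach the custom action's own messages, including ones logged after
    # the installer error line, when they carry the same HRESULT.
    for f in findings.values():
        f.ca_messages = [msg for hx, msg in ca_errors.get(f.action, [])
                         if hx == f.hresult]
    return list(findings.values())


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"MSI error {f.msi_error} in {f.action}: {f.hresult} "
              f"({f.facility}, {f.symbol})")
        for msg in f.ca_messages:
            print("   ", msg)
```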

Re: Certificate install to local machine fails with code 26352

Rob Mensching-2
This is the code that is failing:

    if (!::CertAddCertificateContextToStore(hStore, pCertContext, CERT_STORE_ADD_REPLACE_EXISTING, NULL))
    {
        MessageExitOnLastError(hr, msierrCERTFailedAdd, "Failed to add certificate to the store.");
    }

Seems like it *should* replace the certificate if possible.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Thursday, October 09, 2008 13:15
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352


Re: Certificate install to local machine fails with code 26352

Chris Bardon
That's the impression I get from the documentation as well.  Looks like
I'll have to have a closer look at that method.  I'll let you guys know
if I find anything - it seems to be a tricky bug to reproduce.  Somehow
you have to get the same cert in the store twice.  

-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Thursday, October 09, 2008 4:59 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352


Re: Certificate install to local machine fails with code 26352

Chris Bardon
I've dug a little deeper into this, written some test code to try to
debug the problem, and I've found something interesting.  The
CertAddCertificateContextToStore function is failing with Access Denied
when trying to add the cert with CERT_STORE_ADD_REPLACE_EXISTING, which
is failing the installer.  This only appears to fail if there are two
copies of the same certificate in the store with the same serial number,
which may or may not be left there from the installer as well (that's
problem #2 - problem #1 is not failing the installer in the first place).


I tried manually checking the store for duplicates and deleting them
before installing (with CertDeleteCertificateFromStore), but this
returned Access denied as well.  When I tried changing the parameter on
the add function to use CERT_STORE_ADD_USE_EXISTING though, it worked
without returning an error.  It looks like the difference is that
replace existing tries to do a delete first, while the use existing
version updates the existing cert.  

The first question is, why is the delete failing?  I have admin rights
on the machine, and if there are 0 or 1 copies of the cert in the store,
the operation works fine.  The second question is, why should the
certificate be duplicated in the first place?  I tried writing code that
used CERT_STORE_ADD_ALWAYS, but it still only left me with one copy of
the certificate.  Is it possible that a call to add a certificate with
replacement is adding a new certificate without deleting the old one?

Any experts in the crypto API here?  If not, does anyone have any
thoughts on where else I could look for answers?  

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Tuesday, October 14, 2008 2:51 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

That's the impression I get from the documentation as well.  Looks like
I'll have to have a closer look at that method.  I'll let you guys know
if I find anything-it seems to be a tricky bug to reproduce.  Somehow
you have to get the same cert in the store twice.  

-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Thursday, October 09, 2008 4:59 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine failswith
code 26352

This is the code that is failing:

    if (!::CertAddCertificateContextToStore(hStore, pCertContext,
CERT_STORE_ADD_REPLACE_EXISTING, NULL))
    {
        MessageExitOnLastError(hr, msierrCERTFailedAdd, "Failed to add
certificate to the store.");
    }

Seems like it *should* replace the certificate if possible.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Thursday, October 09, 2008 13:15
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with
code 26352

I managed to get a log for the failure-here's the relevant section:

MSI (s) (E0:BC) [15:46:35:871]: Executing op:
ActionStart(Name=RollbackAddMachineCertificate,,)
Action 15:46:35: RollbackAddMachineCertificate.
MSI (s) (E0:BC) [15:46:35:874]: Executing op:
CustomActionSchedule(Action=RollbackAddMachineCertificate,ActionType=115
21,Source=BinaryData,Target=**********,CustomActionData=**********)
MSI (s) (E0:BC) [15:46:35:875]: Executing op:
ActionStart(Name=AddMachineCertificate,,)
Action 15:46:35: AddMachineCertificate.
MSI (s) (E0:BC) [15:46:35:876]: Executing op:
CustomActionSchedule(Action=AddMachineCertificate,ActionType=11265,Sourc
e=BinaryData,Target=**********,CustomActionData=**********)
MSI (s) (E0:F0) [15:46:35:887]: Invoking remote custom action. DLL:
C:\Windows\Installer\MSIC98F.tmp, Entrypoint: AddMachineCertificate
MSI (s) (E0:F0) [15:46:35:887]: Generating random cookie.
MSI (s) (E0:F0) [15:46:35:901]: Created Custom Action Server with PID
4628 (0x1214).
MSI (s) (E0:64) [15:46:36:554]: Running as a service.
MSI (s) (E0:64) [15:46:36:557]: Hello, I'm your 32bit Elevated custom
action server.
AddMachineCertificate:  Adding certificate: CTTCA
AddMachineCertificate:  Error 0x80070005: Failed to add certificate to
the store.
The installer has encountered an unexpected error installing this
package. This may indicate a problem with this package. The error code
is 26352. The arguments are: -2147024891, ,
MSI (s) (E0!38) [15:46:39:008]: Product: iceBAR -- The installer has
encountered an unexpected error installing this package. This may
indicate a problem with this package. The error code is 26352. The
arguments are: -2147024891, ,

AddMachineCertificate:  Error 0x80070005: Failed to install certificate.
AddMachineCertificate:  Error 0x80070005: Failed to install per-machine
certificate.

I checked the local machine store on the machine where the failure
happened, and the cert was already in the store twice (same serial
number).  I'm not sure what happened to get it there multiple times, but
I can't have my installer failing like this if the cert is already
there.

Anyone have any ideas?

-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Friday, September 26, 2008 12:36 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with
code 26352

I doubt overwrite will help.  Can you get a log file from a failure?
That will go a long way to diagnosing the problem.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Friday, September 26, 2008 07:22
To: General discussion for Windows Installer XML toolset.
Subject: [WiX-users] Certificate install to local machine fails with
code 26352

I've had some users complain about a problem with an installer that
attempts to add a certificate to the trusted root cert store.  I added a
component to my setup that looks like this:



<Component Id="RootCA" Guid="A1106EC4-9546-4a4f-AE6D-4F94DE066C0E" Permanent="yes">
      <Condition>CERTPATH</Condition>
      <CreateFolder/>
      <iis:Certificate Name="CTTCA" Id='CTTCA' Request='no' CertificatePath='[CERTPATH]' StoreLocation='localMachine' StoreName='root'/>
</Component>



Most of the time, this works fine, and the root CA cert is put in the
local machine store (so the app can form TLS connections based on the
certs our CA issues).  In some cases though, the installer will fail
with error 26352, and I've found that removing the certificate install
option lets the installer run successfully.  In all the cases where this
happens, I've noticed that the local machine and current user stores
contain multiple certificates with the same name.  I'm not sure how to
replicate this (since every time I try to add a certificate twice it
fails), but if nothing else, I'd like to be able to fail
non-catastrophically if the certificate install fails.  Is there a way
to make the certificate component non-vital, so that if it fails to
install to the store, the rest of the application can still be
installed?



I'm going to try using the Overwrite attribute on the certificate
element to see if that helps.



Thanks!



Chris


Re: Certificate install to local machine fails with code 26352

Chris Bardon
OK, I think I understand what's going on here.  The reason a certificate
looked like it was duplicated was that the same cert existed in multiple
physical stores, which appeared as the same logical store in the mmc.
If the certificate the installer was trying to add already existed in
the Group Policy store, then the install would fail, since the user
would not have permission to delete from that store (although they can
through the MMC).  If the cert exists in any other combination of
stores, it seems to work.  Here are the steps to reproduce:

- Generate a CA cert
- Open mmc, and add the certificates snap-in for the local computer
- Right click the Certificates (Local Computer) node, and select View->options
- Leave the view mode as Logical stores, and check off the Show Physical certificate stores option
- Click OK
- Expand the Group policy node, right click on the Certificates folder, and select All Tasks->Import
- Import your certificate into the store
- Create an installer that installs the certificate into the local machine store using the IIS extension (e.g. <iis:Certificate Name="CACERT" Id='CACERT' Request='no' CertificatePath='[CERTPATH]' StoreLocation='localMachine' StoreName='root'/>)
- Run the installer

If you do this, the installer will fail with the error code 26352.  If
you remove the cert from the group policy store manually, the installer
will run.

To fix this, you should just be able to change the calls in the IIS
extension source (scacertexec.cpp and scacert.cpp) to
CertAddCertificateContextToStore.  Instead of using
CERT_STORE_ADD_REPLACE_EXISTING, you can use
CERT_STORE_ADD_USE_EXISTING.  This updates the current cert instead of
duplicating it, and the test case detailed above should pass.  You will
notice that the certificate will be listed in both the registry and
group policy physical stores, but I don't think there's anything we can
do about that.  

I haven't tried actually rebuilding the WiX source with this change
(since I don't have a build environment set up for it yet), but that's
the next step.  Anyone have any thoughts on this change?

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Monday, October 20, 2008 1:53 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

I've dug a little deeper into this, written some test code to try to
debug the problem, and I've found something interesting.  The
CertAddCertificateContextToStore function is failing with Access Denied
when trying to add the cert with CERT_STORE_ADD_REPLACE_EXISTING, which
is failing the installer.  This only appears to fail if there are two
copies of the same certificate in the store with the same serial number,
which may or may not be left there from the installer as well (that's
problem #2-problem #1 is not failing the installer in the first place).


I tried manually checking the store for duplicates and deleting them
before installing (with CertDeleteCertificateFromStore), but this
returned Access denied as well.  When I tried changing the parameter on
the add function to use CERT_STORE_ADD_USE_EXISTING though, it worked
without returning an error.  It looks like the difference is that
replace existing tries to do a delete first, while the use existing
version updates the existing cert.  

The first question is, why is the delete failing?  I have admin rights
on the machine, and if there are 0 or 1 copies of the cert in the store,
the operation works fine.  The second question is, why should the
certificate be duplicated in the first place?  I tried writing code that
used CERT_STORE_ADD_ALWAYS, but it still only left me with one copy of
the certificate.  Is it possible that a call to add a certificate with
replacement is adding a new certificate without deleting the old one?

Any experts in the crypto API here?  If not, does anyone have any
thoughts on where else I could look for answers?  

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Tuesday, October 14, 2008 2:51 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

That's the impression I get from the documentation as well.  Looks like
I'll have to have a closer look at that method.  I'll let you guys know
if I find anything-it seems to be a tricky bug to reproduce.  Somehow
you have to get the same cert in the store twice.  

-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Thursday, October 09, 2008 4:59 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

This is the code that is failing:

    if (!::CertAddCertificateContextToStore(hStore, pCertContext, CERT_STORE_ADD_REPLACE_EXISTING, NULL))
    {
        MessageExitOnLastError(hr, msierrCERTFailedAdd, "Failed to add certificate to the store.");
    }

Seems like it *should* replace the certificate if possible.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Thursday, October 09, 2008 13:15
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with
code 26352

I managed to get a log for the failure-here's the relevant section:

MSI (s) (E0:BC) [15:46:35:871]: Executing op: ActionStart(Name=RollbackAddMachineCertificate,,)
Action 15:46:35: RollbackAddMachineCertificate.
MSI (s) (E0:BC) [15:46:35:874]: Executing op: CustomActionSchedule(Action=RollbackAddMachineCertificate,ActionType=11521,Source=BinaryData,Target=**********,CustomActionData=**********)
MSI (s) (E0:BC) [15:46:35:875]: Executing op: ActionStart(Name=AddMachineCertificate,,)
Action 15:46:35: AddMachineCertificate.
MSI (s) (E0:BC) [15:46:35:876]: Executing op: CustomActionSchedule(Action=AddMachineCertificate,ActionType=11265,Source=BinaryData,Target=**********,CustomActionData=**********)
MSI (s) (E0:F0) [15:46:35:887]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIC98F.tmp, Entrypoint: AddMachineCertificate
MSI (s) (E0:F0) [15:46:35:887]: Generating random cookie.
MSI (s) (E0:F0) [15:46:35:901]: Created Custom Action Server with PID 4628 (0x1214).
MSI (s) (E0:64) [15:46:36:554]: Running as a service.
MSI (s) (E0:64) [15:46:36:557]: Hello, I'm your 32bit Elevated custom action server.
AddMachineCertificate:  Adding certificate: CTTCA
AddMachineCertificate:  Error 0x80070005: Failed to add certificate to the store.
The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 26352. The arguments are: -2147024891, ,
MSI (s) (E0!38) [15:46:39:008]: Product: iceBAR -- The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 26352. The arguments are: -2147024891, ,

AddMachineCertificate:  Error 0x80070005: Failed to install certificate.
AddMachineCertificate:  Error 0x80070005: Failed to install per-machine certificate.

I checked the local machine store on the machine where the failure
happened, and the cert was already in the store twice (same serial
number).  I'm not sure what happened to get it there multiple times, but
I can't have my installer failing like this if the cert is already
there.

Anyone have any ideas?

-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Friday, September 26, 2008 12:36 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with
code 26352

I doubt overwrite will help.  Can you get a log file from a failure?
That will go a long way to diagnosing the problem.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Friday, September 26, 2008 07:22
To: General discussion for Windows Installer XML toolset.
Subject: [WiX-users] Certificate install to local machine fails with
code 26352

I've had some users complain about a problem with an installer that
attempts to add a certificate to the trusted root cert store.  I added a
component to my setup that looks like this:



<Component Id="RootCA" Guid="A1106EC4-9546-4a4f-AE6D-4F94DE066C0E" Permanent="yes">
      <Condition>CERTPATH</Condition>
      <CreateFolder/>
      <iis:Certificate Name="CTTCA" Id='CTTCA' Request='no' CertificatePath='[CERTPATH]' StoreLocation='localMachine' StoreName='root'/>
</Component>



Most of the time, this works fine, and the root CA cert is put in the
local machine store (so the app can form TLS connections based on the
certs our CA issues).  In some cases though, the installer will fail
with error 26352, and I've found that removing the certificate install
option lets the installer run successfully.  In all the cases where this
happens, I've noticed that the local machine and current user stores
contain multiple certificates with the same name.  I'm not sure how to
replicate this (since every time I try to add a certificate twice it
fails), but if nothing else, I'd like to be able to fail
non-catastrophically if the certificate install fails.  Is there a way
to make the certificate component non-vital, so that if it fails to
install to the store, the rest of the application can still be
installed?



I'm going to try using the Overwrite attribute on the certificate
element to see if that helps.



Thanks!



Chris
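
Added example (not part of the thread or of the WiX source): the log quoted in the post above reports one failure twice, as "Error 0x80070005" from the custom action and as the signed argument -2147024891 of error 26352. This Python script unwraps such a log and decodes both values to the Win32 code; the function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample: lines taken from the log excerpt quoted in the thread,
# hard-wrapped the way the mail client wrapped them.
SAMPLE_LOG = """\
MSI (s) (E0:64) [15:46:36:557]: Hello, I'm your 32bit Elevated custom
action server.
AddMachineCertificate:  Adding certificate: CTTCA
AddMachineCertificate:  Error 0x80070005: Failed to add certificate to
the store.
The installer has encountered an unexpected error installing this
package. This may indicate a problem with this package. The error code
is 26352. The arguments are: -2147024891, ,
AddMachineCertificate:  Error 0x80070005: Failed to install certificate.
AddMachineCertificate:  Error 0x80070005: Failed to install per-machine
certificate.
"""

FACILITY_WIN32 = 7
# Only the Win32 code seen in this thread; extend the table as needed.
WIN32_NAMES = {5: "ERROR_ACCESS_DENIED"}

# "<CustomAction>: Error 0xXXXXXXXX: <message>." lines written by the custom action.
CA_ERROR = re.compile(r"(\w+): Error (0x[0-9A-Fa-f]{8}): ([^.]+\.)")
# Windows Installer's own report of the same failure.
MSI_ERROR = re.compile(r"error code is (\d+)\. The arguments are: (-?\d+)")


def decode_hresult(value):
    """Split an HRESULT, given as a signed or unsigned 32-bit integer, into fields."""
    u = value & 0xFFFFFFFF  # MSI logs the argument as a signed 32-bit integer
    facility = (u >> 16) & 0x1FFF  # same mask as HRESULT_FACILITY in winerror.h
    code = u & 0xFFFF
    return {
        "hex": f"0x{u:08X}",
        "failure": bool(u >> 31),
        "facility": facility,
        "code": code,
        "win32": WIN32_NAMES.get(code) if facility == FACILITY_WIN32 else None,
    }


def triage(log_text):
    """Return the custom-action errors and MSI errors found in a (wrapped) log."""
    flat = " ".join(log_text.split())  # undo hard wrapping and double spaces
    custom_action_errors = [
        {"action": action, "hresult": decode_hresult(int(hexval, 16)), "message": msg}
        for action, hexval, msg in CA_ERROR.findall(flat)
    ]
    msi_errors = [
        {"msi_error": int(code), "hresult": decode_hresult(int(arg))}
        for code, arg in MSI_ERROR.findall(flat)
    ]
    return {"custom_action_errors": custom_action_errors, "msi_errors": msi_errors}


def is_access_denied_cert_add(findings, action="AddMachineCertificate"):
    """True when the named custom action failed with ERROR_ACCESS_DENIED."""
    return any(
        e["action"] == action and e["hresult"]["win32"] == "ERROR_ACCESS_DENIED"
        for e in findings["custom_action_errors"]
    )


def argument_matches_custom_action(findings):
    """True when every MSI error argument equals an HRESULT a custom action logged."""
    seen = {e["hresult"]["hex"] for e in findings["custom_action_errors"]}
    return bool(findings["msi_errors"]) and all(
        m["hresult"]["hex"] in seen for m in findings["msi_errors"]
    )


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for err in result["custom_action_errors"]:
        h = err["hresult"]
        print(f'{err["action"]}: {h["hex"]} ({h["win32"]}) {err["message"]}')
    for err in result["msi_errors"]:
        print(f'MSI error {err["msi_error"]}: argument decodes to {err["hresult"]["hex"]}')
    print("access denied on certificate add:", is_access_denied_cert_add(result))
```

An access-denied result from the elevated custom action is the signature of the case analysed in this post, where the certificate already sits in a physical store the installer cannot delete from.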


Re: Certificate install to local machine fails with code 26352

Rob Mensching-2
Wow, nice analysis.  Is there a bug open on this issue right now?  If not, can you open one and I'll try to get this change in Thursday night for Friday's build.


Re: Certificate install to local machine fails with code 26352

Chris Bardon
Thanks, I've opened a bug (number 2184946).  

-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Tuesday, October 21, 2008 12:24 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

Wow, nice analysis.  Is there a bug open on this issue right now?  If
not, can you open one and I'll try to get this change in Thursday night
for Friday's build.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Tuesday, October 21, 2008 07:47
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails
withcode 26352

OK, I think I understand what's going on here.  The reason a certificate
looked like it was duplicated was that the same cert existed in multiple
physical stores, which appeared as the same logical store in the mmc.
If the certificate the installer was trying to add already existed in
the Group Policy store, then the install would fail, since the user
would not have permission to delete from that store (although they can
through the MMC).  If the cert exists in any other combination of
stores, it seems to work.  Here's the steps to reproduce

-Generate a CA cert
-Open mmc, and add the certificates snapin for the local computer
-Right click the Certificates (Local Computer) node, and select
View->options
-Leave the view mode as Logical stores, and check off the Show Physical
certificate stores option
-Click OK
-Expand the Group policy node, right click on the Certificates folder,
and select All Tasks->Import
-Import your certificate into the store
-Create an installer that installs the certificate into the local
machine store using the IIS extension (e.g. <iis:Certificate
Name="CACERT" Id='CACERT' Request='no' CertificatePath='[CERTPATH]'
StoreLocation='localMachine' StoreName='root'/>)
-Run the installer

If you do this, the installer will fail with the error code 26352.  If
you remove the cert from the group policy store manually, the installer
will run.

To fix this, you should just be able to change the calls in the IIS
extension source (scacertexec.cpp and scacert.cpp) to
CertAddCertificateContextToStore.  Instead of using
CERT_STORE_ADD_REPLACE_EXISTING, you can use
CERT_STORE_ADD_USE_EXISTING.  This updates the current cert instead of
duplicating it, and the test case detailed above should pass.  You will
notice that the certificate will be listed in both the registry and
group policy physical stores, but I don't think there's anything we can
do about that.

I haven't tried actually rebuilding the WiX source with this change
(since I don't have a build environment set up for it yet), but that's
the next step.  Anyone have any thoughts on this change?

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Monday, October 20, 2008 1:53 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails
withcode 26352

I've dug a little deeper into this, written some test code to try to
debug the problem, and I've found something interesting.  The
CertAddCertificateContextToStore function is failing with Access Denied
when trying to add the cert with CERT_STORE_ADD_REPLACE_EXISTING, which
is failing the installer.  This only appears to fail if there are two
copies of the same certificate in the store with the same serial number,
which may or may not be left there from the installer as well (that's
problem #2-problem #1 is not failing the installer in the first place).


I tried manually checking the store for duplicates and deleting them
before installing (with CertDeleteCertificateFromStore), but this
returned Access denied as well.  When I tried changing the parameter on
the add function to use CERT_STORE_ADD_USE_EXISTING though, it worked
without returning an error.  It looks like the difference is that
replace existing tries to do a delete first, while the use existing
version updates the existing cert.

The first question is, why is the delete failing?  I have admin rights
on the machine, and if there are 0 or 1 copies of the cert in the store,
the operation works fine.  The second question is, why should the
certificate be duplicated in the first place?  I tried writing code that
used CERT_STORE_ADD_ALWAYS, but it still only left me with one copy of
the certificate.  Is it possible that a call to add a certificate with
replacement is adding a new certificate without deleting the old one?

Any experts in the crypto API here?  If not, does anyone have any
thoughts on where else I could look for answers?

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Tuesday, October 14, 2008 2:51 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machinefailswith
code 26352

That's the impression I get from the documentation as well.  Looks like
I'll have to have a closer look at that method.  I'll let you guys know
if I find anything-it seems to be a tricky bug to reproduce.  Somehow
you have to get the same cert in the store twice.

-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Thursday, October 09, 2008 4:59 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine failswith
code 26352

This is the code that is failing:

    if (!::CertAddCertificateContextToStore(hStore, pCertContext,
                                            CERT_STORE_ADD_REPLACE_EXISTING, NULL))
    {
        MessageExitOnLastError(hr, msierrCERTFailedAdd,
                               "Failed to add certificate to the store.");
    }

Seems like it *should* replace the certificate if possible.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Thursday, October 09, 2008 13:15
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with
code 26352

I managed to get a log for the failure-here's the relevant section:

MSI (s) (E0:BC) [15:46:35:871]: Executing op: ActionStart(Name=RollbackAddMachineCertificate,,)
Action 15:46:35: RollbackAddMachineCertificate.
MSI (s) (E0:BC) [15:46:35:874]: Executing op: CustomActionSchedule(Action=RollbackAddMachineCertificate,ActionType=11521,Source=BinaryData,Target=**********,CustomActionData=**********)
MSI (s) (E0:BC) [15:46:35:875]: Executing op: ActionStart(Name=AddMachineCertificate,,)
Action 15:46:35: AddMachineCertificate.
MSI (s) (E0:BC) [15:46:35:876]: Executing op: CustomActionSchedule(Action=AddMachineCertificate,ActionType=11265,Source=BinaryData,Target=**********,CustomActionData=**********)
MSI (s) (E0:F0) [15:46:35:887]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIC98F.tmp, Entrypoint: AddMachineCertificate
MSI (s) (E0:F0) [15:46:35:887]: Generating random cookie.
MSI (s) (E0:F0) [15:46:35:901]: Created Custom Action Server with PID 4628 (0x1214).
MSI (s) (E0:64) [15:46:36:554]: Running as a service.
MSI (s) (E0:64) [15:46:36:557]: Hello, I'm your 32bit Elevated custom action server.
AddMachineCertificate:  Adding certificate: CTTCA
AddMachineCertificate:  Error 0x80070005: Failed to add certificate to the store.
The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 26352. The arguments are: -2147024891, ,
MSI (s) (E0!38) [15:46:39:008]: Product: iceBAR -- The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 26352. The arguments are: -2147024891, ,

AddMachineCertificate:  Error 0x80070005: Failed to install certificate.
AddMachineCertificate:  Error 0x80070005: Failed to install per-machine certificate.

I checked the local machine store on the machine where the failure
happened, and the cert was already in the store twice (same serial
number).  I'm not sure what happened to get it there multiple times, but
I can't have my installer failing like this if the cert is already
there.

Anyone have any ideas?

-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Friday, September 26, 2008 12:36 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with
code 26352

I doubt overwrite will help.  Can you get a log file from a failure?
That will go a long way to diagnosing the problem.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Friday, September 26, 2008 07:22
To: General discussion for Windows Installer XML toolset.
Subject: [WiX-users] Certificate install to local machine fails with
code 26352

I've had some users complain about a problem with an installer that
attempts to add a certificate to the trusted root cert store.  I added a
component to my setup that looks like this:

<Component Id="RootCA" Guid="A1106EC4-9546-4a4f-AE6D-4F94DE066C0E"
           Permanent="yes">
      <Condition>CERTPATH</Condition>
      <CreateFolder/>
      <iis:Certificate Name="CTTCA" Id='CTTCA' Request='no'
                       CertificatePath='[CERTPATH]'
                       StoreLocation='localMachine'
                       StoreName='root'/>
</Component>



Most of the time, this works fine, and the root CA cert is put in the
local machine store (so the app can form TLS connections based on the
certs our CA issues).  In some cases though, the installer will fail
with error 26352, and I've found that removing the certificate install
option lets the installer run successfully.  In all the cases where this
happens, I've noticed that the local machine and current user stores
contain multiple certificates with the same name.  I'm not sure how to
replicate this (since every time I try to add a certificate twice it
fails), but if nothing else, I'd like to be able to fail
non-catastrophically if the certificate install fails.  Is there a way
to make the certificate component non-vital, so that if it fails to
install to the store, the rest of the application can still be
installed?



I'm going to try using the Overwrite attribute on the certificate
element to see if that helps.



Thanks!



Chris
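
A read-only check for the condition diagnosed in the October 21 message above, added here as an example and not code from the thread or from WiX: it looks up the certificate's thumbprint under the registry keys that back the Registry, Group Policy and Enterprise physical stores of the local machine Root store. The -CertificatePath parameter is an assumption; the registry paths are the standard Windows locations for those stores.

```powershell
# Added example (not from the thread): report which physical stores behind the
# LocalMachine "Trusted Root Certification Authorities" logical store hold a
# copy of the certificate the installer is about to add.
param(
    [Parameter(Mandatory = $true)]
    [string]$CertificatePath   # hypothetical parameter: the .cer file passed as CERTPATH
)

$ErrorActionPreference = 'Stop'

# Registry locations that back three of the physical stores the Certificates
# snap-in shows under the logical Root store. Each certificate is stored as a
# subkey named after its SHA-1 thumbprint.
$physicalStores = [ordered]@{
    'Registry'     = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'
    'Group Policy' = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    'Enterprise'   = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
}

# Load the certificate only to read its identifying fields; nothing is installed.
$fullPath = (Resolve-Path -LiteralPath $CertificatePath).ProviderPath
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

# One row per physical store: is there a subkey for this thumbprint?
$report = foreach ($storeName in $physicalStores.Keys) {
    $certKey = Join-Path $physicalStores[$storeName] $cert.Thumbprint
    [pscustomobject]@{
        PhysicalStore = $storeName
        Present       = Test-Path -LiteralPath $certKey
        RegistryKey   = $certKey
    }
}

"Subject:    $($cert.Subject)"
"Serial:     $($cert.SerialNumber)"
"Thumbprint: $($cert.Thumbprint)"
$report | Format-Table -AutoSize

# The logical view lists the certificate once per physical store that holds it,
# which is what looked like a duplicate with the same serial number.
$copies = @($report | Where-Object { $_.Present })
if ($copies.Count -gt 1) {
    Write-Warning "The same certificate is present in $($copies.Count) physical stores."
}

# The case the thread ties to error 26352 (0x80070005, access denied).
if ($report | Where-Object { $_.PhysicalStore -eq 'Group Policy' -and $_.Present }) {
    Write-Warning 'A copy is in the Group Policy physical store; an add that must delete it first can fail with access denied.'
}
```

Save it as a script file and run it with the same certificate file the installer uses; it only reads the registry and changes nothing.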


Re: Certificate install to local machinefailswithcode 26352

Chris Bardon
I checked out the latest weekly build, and it looks like the problem is
still there.  The source for the build is also identical to what was
there before-Rob, did you change anything?  

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Tuesday, October 21, 2008 1:13 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local
machinefailswithcode 26352

Thanks, I've opened a bug (number 2184946).  



Re: Certificate install to local machinefailswithcode 26352

Rob Mensching-2
Yes, but I didn't make the 4624 build.  If you look in CVS then you'll see the change.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Tuesday, November 04, 2008 10:51
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machinefailswithcode 26352

I checked out the latest weekly build, and it looks like the problem is
still there.  The source for the build is also identical to what was
there before-Rob, did you change anything?

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Tuesday, October 21, 2008 1:13 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local
machinefailswithcode 26352

Thanks, I've opened a bug (number 2184946).

-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Tuesday, October 21, 2008 12:24 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine
failswithcode 26352

Wow, nice analysis.  Is there a bug open on this issue right now?  If
not, can you open one and I'll try to get this change in Thursday night
for Friday's build.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Tuesday, October 21, 2008 07:47
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails
withcode 26352

OK, I think I understand what's going on here.  The reason a certificate
looked like it was duplicated was that the same cert existed in multiple
physical stores, which appeared as the same logical store in the mmc.
If the certificate the installer was trying to add already existed in
the Group Policy store, then the install would fail, since the user
would not have permission to delete from that store (although they can
through the MMC).  If the cert exists in any other combination of
stores, it seems to work.  Here are the steps to reproduce:

- Generate a CA cert
- Open mmc, and add the Certificates snap-in for the local computer
- Right click the Certificates (Local Computer) node, and select View->Options
- Leave the view mode as Logical stores, and check off the Show Physical certificate stores option
- Click OK
- Expand the Group Policy node, right click on the Certificates folder, and select All Tasks->Import
- Import your certificate into the store
- Create an installer that installs the certificate into the local machine store using the IIS extension (e.g. <iis:Certificate Name="CACERT" Id='CACERT' Request='no' CertificatePath='[CERTPATH]' StoreLocation='localMachine' StoreName='root'/>)
- Run the installer

If you do this, the installer will fail with the error code 26352.  If
you remove the cert from the group policy store manually, the installer
will run.

To fix this, you should just be able to change the calls in the IIS
extension source (scacertexec.cpp and scacert.cpp) to
CertAddCertificateContextToStore.  Instead of using
CERT_STORE_ADD_REPLACE_EXISTING, you can use
CERT_STORE_ADD_USE_EXISTING.  This updates the current cert instead of
duplicating it, and the test case detailed above should pass.  You will
notice that the certificate will be listed in both the registry and
group policy physical stores, but I don't think there's anything we can
do about that.

I haven't tried actually rebuilding the WiX source with this change
(since I don't have a build environment set up for it yet), but that's
the next step.  Anyone have any thoughts on this change?

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Monday, October 20, 2008 1:53 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

I've dug a little deeper into this, written some test code to try to
debug the problem, and I've found something interesting.  The
CertAddCertificateContextToStore function is failing with Access Denied
when trying to add the cert with CERT_STORE_ADD_REPLACE_EXISTING, which
is failing the installer.  This only appears to fail if there are two
copies of the same certificate in the store with the same serial number,
which may or may not be left there from the installer as well (that's
problem #2 - problem #1 is not failing the installer in the first place).


I tried manually checking the store for duplicates and deleting them
before installing (with CertDeleteCertificateFromStore), but this
returned Access denied as well.  When I tried changing the parameter on
the add function to use CERT_STORE_ADD_USE_EXISTING though, it worked
without returning an error.  It looks like the difference is that
replace existing tries to do a delete first, while the use existing
version updates the existing cert.

The first question is, why is the delete failing?  I have admin rights
on the machine, and if there are 0 or 1 copies of the cert in the store,
the operation works fine.  The second question is, why should the
certificate be duplicated in the first place?  I tried writing code that
used CERT_STORE_ADD_ALWAYS, but it still only left me with one copy of
the certificate.  Is it possible that a call to add a certificate with
replacement is adding a new certificate without deleting the old one?

Any experts in the crypto API here?  If not, does anyone have any
thoughts on where else I could look for answers?

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Tuesday, October 14, 2008 2:51 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

That's the impression I get from the documentation as well.  Looks like
I'll have to have a closer look at that method.  I'll let you guys know
if I find anything - it seems to be a tricky bug to reproduce.  Somehow
you have to get the same cert in the store twice.

-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Thursday, October 09, 2008 4:59 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

This is the code that is failing:

    if (!::CertAddCertificateContextToStore(hStore, pCertContext, CERT_STORE_ADD_REPLACE_EXISTING, NULL))
    {
        MessageExitOnLastError(hr, msierrCERTFailedAdd, "Failed to add certificate to the store.");
    }

Seems like it *should* replace the certificate if possible.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Thursday, October 09, 2008 13:15
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with
code 26352

I managed to get a log for the failure - here's the relevant section:

MSI (s) (E0:BC) [15:46:35:871]: Executing op: ActionStart(Name=RollbackAddMachineCertificate,,)
Action 15:46:35: RollbackAddMachineCertificate.
MSI (s) (E0:BC) [15:46:35:874]: Executing op: CustomActionSchedule(Action=RollbackAddMachineCertificate,ActionType=11521,Source=BinaryData,Target=**********,CustomActionData=**********)
MSI (s) (E0:BC) [15:46:35:875]: Executing op: ActionStart(Name=AddMachineCertificate,,)
Action 15:46:35: AddMachineCertificate.
MSI (s) (E0:BC) [15:46:35:876]: Executing op: CustomActionSchedule(Action=AddMachineCertificate,ActionType=11265,Source=BinaryData,Target=**********,CustomActionData=**********)
MSI (s) (E0:F0) [15:46:35:887]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIC98F.tmp, Entrypoint: AddMachineCertificate
MSI (s) (E0:F0) [15:46:35:887]: Generating random cookie.
MSI (s) (E0:F0) [15:46:35:901]: Created Custom Action Server with PID 4628 (0x1214).
MSI (s) (E0:64) [15:46:36:554]: Running as a service.
MSI (s) (E0:64) [15:46:36:557]: Hello, I'm your 32bit Elevated custom action server.
AddMachineCertificate:  Adding certificate: CTTCA
AddMachineCertificate:  Error 0x80070005: Failed to add certificate to the store.
The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 26352. The arguments are: -2147024891, ,
MSI (s) (E0!38) [15:46:39:008]: Product: iceBAR -- The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 26352. The arguments are: -2147024891, ,

AddMachineCertificate:  Error 0x80070005: Failed to install certificate.
AddMachineCertificate:  Error 0x80070005: Failed to install per-machine certificate.

I checked the local machine store on the machine where the failure
happened, and the cert was already in the store twice (same serial
number).  I'm not sure what happened to get it there multiple times, but
I can't have my installer failing like this if the cert is already
there.

Anyone have any ideas?

-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Friday, September 26, 2008 12:36 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with
code 26352

I doubt overwrite will help.  Can you get a log file from a failure?
That will go a long way to diagnosing the problem.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Friday, September 26, 2008 07:22
To: General discussion for Windows Installer XML toolset.
Subject: [WiX-users] Certificate install to local machine fails with
code 26352

I've had some users complain about a problem with an installer that
attempts to add a certificate to the trusted root cert store.  I added a
component to my setup that looks like this:



<Component Id="RootCA" Guid="A1106EC4-9546-4a4f-AE6D-4F94DE066C0E" Permanent="yes">
  <Condition>CERTPATH</Condition>
  <CreateFolder/>
  <iis:Certificate Name="CTTCA" Id='CTTCA' Request='no' CertificatePath='[CERTPATH]' StoreLocation='localMachine' StoreName='root'/>
</Component>



Most of the time, this works fine, and the root CA cert is put in the
local machine store (so the app can form TLS connections based on the
certs our CA issues).  In some cases though, the installer will fail
with error 26352, and I've found that removing the certificate install
option lets the installer run successfully.  In all the cases where this
happens, I've noticed that the local machine and current user stores
contain multiple certificates with the same name.  I'm not sure how to
replicate this (since every time I try to add a certificate twice it
fails), but if nothing else, I'd like to be able to fail
non-catastrophically if the certificate install fails.  Is there a way
to make the certificate component non-vital, so that if it fails to
install to the store, the rest of the application can still be
installed?



I'm going to try using the Overwrite attribute on the certificate
element to see if that helps.



Thanks!



Chris
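
A pre-install check for the situation diagnosed in the 21 October message quoted above, as an added example that is not part of the thread or of WiX: it reports which physical stores behind the logical LocalMachine\Root store already hold the certificate. The function name `Find-RootCertCopies`, the sample file path, and the choice of the three registry-backed physical stores are assumptions of this example.

```powershell
# Added example (not WiX code). Run in an elevated Windows PowerShell session.
# Find-RootCertCopies is a hypothetical helper name chosen for this example.

function Find-RootCertCopies {
    param(
        [Parameter(Mandatory = $true)]
        [string]$CertificatePath   # the .cer file the installer would add
    )

    $resolved = (Resolve-Path -LiteralPath $CertificatePath -ErrorAction Stop).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($resolved)

    # Physical stores that the Certificates snap-in merges into one logical
    # "Trusted Root Certification Authorities" view for the local computer.
    # Each keeps its certificates as registry subkeys named by SHA-1 thumbprint.
    $physicalStores = [ordered]@{
        'Registry'     = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'
        'Group Policy' = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
        'Enterprise'   = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
    }

    foreach ($name in $physicalStores.Keys) {
        $key = Join-Path $physicalStores[$name] $cert.Thumbprint
        [pscustomobject]@{
            PhysicalStore = $name
            Present       = Test-Path -LiteralPath $key
            Thumbprint    = $cert.Thumbprint
            SerialNumber  = $cert.SerialNumber
            Subject       = $cert.Subject
        }
    }
}

# Constructed sample path; point it at the certificate passed to the installer as CERTPATH.
$copies = Find-RootCertCopies -CertificatePath 'C:\temp\example-root-ca.cer'
$copies | Format-Table PhysicalStore, Present, Thumbprint, SerialNumber -AutoSize

# More than one hit is what shows up as a "duplicate" in the logical store view.
$hits = @($copies | Where-Object { $_.Present })
if ($hits.Count -gt 1) {
    Write-Warning ("Certificate is present in {0} physical stores: {1}" -f `
        $hits.Count, (($hits | ForEach-Object { $_.PhysicalStore }) -join ', '))
}

# The Group Policy copy is the case the thread ties to error 26352.
if ($copies | Where-Object { $_.PhysicalStore -eq 'Group Policy' -and $_.Present }) {
    Write-Warning ('Certificate is already in the Group Policy physical store. ' +
        'The thread reports that adding it with CERT_STORE_ADD_REPLACE_EXISTING ' +
        'fails with Access Denied (0x80070005) in this situation.')
}
```

Running this on a machine where the installer failed shows whether the certificate arrived through Group Policy, which tells you whether the fix belongs in the policy deployment or in the installer.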


Re: Certificate install to local machine fails with code 26352

Chris Bardon
I just checked the latest weekly, and it looks like the change only got
made in one place.  It looks like I still get the same cert install
error - is there a reason that it didn't change in scacert.cpp?

-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Tuesday, November 04, 2008 2:01 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

Yes, but I didn't make the 4624 build.  If you look in CVS then you'll
see the change.


Re: Certificate install to local machine fails with code 26352

Rob Mensching-2
As noted in my bug comment, the other code is commented out.  I changed the only location that was actually being executed.  Ultimately, I don't think this change did anything.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Thursday, November 13, 2008 12:43
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

I just checked the latest weekly, and it looks like the change only got
made in one place.  It looks like I still get the same cert install
error - is there a reason that it didn't change in scacert.cpp?

-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Tuesday, November 04, 2008 2:01 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

Yes, but I didn't make the 4624 build.  If you look in CVS then you'll
see the change.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Tuesday, November 04, 2008 10:51
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

I checked out the latest weekly build, and it looks like the problem is
still there.  The source for the build is also identical to what was
there before - Rob, did you change anything?

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Tuesday, October 21, 2008 1:13 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

Thanks, I've opened a bug (number 2184946).

-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Tuesday, October 21, 2008 12:24 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

Wow, nice analysis.  Is there a bug open on this issue right now?  If
not, can you open one and I'll try to get this change in Thursday night
for Friday's build.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Tuesday, October 21, 2008 07:47
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

OK, I think I understand what's going on here.  The reason a certificate
looked like it was duplicated was that the same cert existed in multiple
physical stores, which appeared as the same logical store in the mmc.
If the certificate the installer was trying to add already existed in
the Group Policy store, then the install would fail, since the user
would not have permission to delete from that store (although they can
through the MMC).  If the cert exists in any other combination of
stores, it seems to work.  Here's the steps to reproduce

-Generate a CA cert
-Open mmc, and add the certificates snapin for the local computer
-Right click the Certificates (Local Computer) node, and select
View->options
-Leave the view mode as Logical stores, and check off the Show Physical
certificate stores option
-Click OK
-Expand the Group policy node, right click on the Certificates folder,
and select All Tasks->Import
-Import your certificate into the store
-Create an installer that installs the certificate into the local
machine store using the IIS extension (e.g. <iis:Certificate
Name="CACERT" Id='CACERT' Request='no' CertificatePath='[CERTPATH]'
StoreLocation='localMachine' StoreName='root'/>)
-Run the installer

If you do this, the installer will fail with the error code 26352.  If
you remove the cert from the group policy store manually, the installer
will run.

To fix this, you should just be able to change the calls in the IIS
extension source (scacertexec.cpp and scacert.cpp) to
CertAddCertificateContextToStore.  Instead of using
CERT_STORE_ADD_REPLACE_EXISTING, you can use
CERT_STORE_ADD_USE_EXISTING.  This updates the current cert instead of
duplicating it, and the test case detailed above should pass.  You will
notice that the certificate will be listed in both the registry and
group policy physical stores, but I don't think there's anything we can
do about that.

I haven't tried actually rebuilding the WiX source with this change
(since I don't have a build environment set up for it yet), but that's
the next step.  Anyone have any thoughts on this change?

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Monday, October 20, 2008 1:53 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

I've dug a little deeper into this, written some test code to try to
debug the problem, and I've found something interesting.  The
CertAddCertificateContextToStore function is failing with Access Denied
when trying to add the cert with CERT_STORE_ADD_REPLACE_EXISTING, which
is failing the installer.  This only appears to fail if there are two
copies of the same certificate in the store with the same serial number,
which may or may not be left there from the installer as well (that's
problem #2 - problem #1 is not failing the installer in the first place).

I tried manually checking the store for duplicates and deleting them
before installing (with CertDeleteCertificateFromStore), but this
returned Access denied as well.  When I tried changing the parameter on
the add function to use CERT_STORE_ADD_USE_EXISTING though, it worked
without returning an error.  It looks like the difference is that
replace existing tries to do a delete first, while the use existing
version updates the existing cert.

The first question is, why is the delete failing?  I have admin rights
on the machine, and if there are 0 or 1 copies of the cert in the store,
the operation works fine.  The second question is, why should the
certificate be duplicated in the first place?  I tried writing code that
used CERT_STORE_ADD_ALWAYS, but it still only left me with one copy of
the certificate.  Is it possible that a call to add a certificate with
replacement is adding a new certificate without deleting the old one?

Any experts in the crypto API here?  If not, does anyone have any
thoughts on where else I could look for answers?

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Tuesday, October 14, 2008 2:51 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

That's the impression I get from the documentation as well.  Looks like
I'll have to have a closer look at that method.  I'll let you guys know
if I find anything - it seems to be a tricky bug to reproduce.  Somehow
you have to get the same cert in the store twice.

-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Thursday, October 09, 2008 4:59 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with code 26352

This is the code that is failing:

    if (!::CertAddCertificateContextToStore(hStore, pCertContext, CERT_STORE_ADD_REPLACE_EXISTING, NULL))
    {
        MessageExitOnLastError(hr, msierrCERTFailedAdd, "Failed to add certificate to the store.");
    }

Seems like it *should* replace the certificate if possible.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Thursday, October 09, 2008 13:15
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with
code 26352

I managed to get a log for the failure - here's the relevant section:

MSI (s) (E0:BC) [15:46:35:871]: Executing op: ActionStart(Name=RollbackAddMachineCertificate,,)
Action 15:46:35: RollbackAddMachineCertificate.
MSI (s) (E0:BC) [15:46:35:874]: Executing op: CustomActionSchedule(Action=RollbackAddMachineCertificate,ActionType=11521,Source=BinaryData,Target=**********,CustomActionData=**********)
MSI (s) (E0:BC) [15:46:35:875]: Executing op: ActionStart(Name=AddMachineCertificate,,)
Action 15:46:35: AddMachineCertificate.
MSI (s) (E0:BC) [15:46:35:876]: Executing op: CustomActionSchedule(Action=AddMachineCertificate,ActionType=11265,Source=BinaryData,Target=**********,CustomActionData=**********)
MSI (s) (E0:F0) [15:46:35:887]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIC98F.tmp, Entrypoint: AddMachineCertificate
MSI (s) (E0:F0) [15:46:35:887]: Generating random cookie.
MSI (s) (E0:F0) [15:46:35:901]: Created Custom Action Server with PID 4628 (0x1214).
MSI (s) (E0:64) [15:46:36:554]: Running as a service.
MSI (s) (E0:64) [15:46:36:557]: Hello, I'm your 32bit Elevated custom action server.
AddMachineCertificate:  Adding certificate: CTTCA
AddMachineCertificate:  Error 0x80070005: Failed to add certificate to the store.
The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 26352. The arguments are: -2147024891, ,
MSI (s) (E0!38) [15:46:39:008]: Product: iceBAR -- The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 26352. The arguments are: -2147024891, ,

AddMachineCertificate:  Error 0x80070005: Failed to install certificate.
AddMachineCertificate:  Error 0x80070005: Failed to install per-machine certificate.

I checked the local machine store on the machine where the failure
happened, and the cert was already in the store twice (same serial
number).  I'm not sure what happened to get it there multiple times, but
I can't have my installer failing like this if the cert is already
there.

Anyone have any ideas?

-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Friday, September 26, 2008 12:36 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with
code 26352

I doubt overwrite will help.  Can you get a log file from a failure?
That will go a long way to diagnosing the problem.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Friday, September 26, 2008 07:22
To: General discussion for Windows Installer XML toolset.
Subject: [WiX-users] Certificate install to local machine fails with
code 26352

I've had some users complain about a problem with an installer that
attempts to add a certificate to the trusted root cert store.  I added a
component to my setup that looks like this:

<Component Id="RootCA" Guid="A1106EC4-9546-4a4f-AE6D-4F94DE066C0E" Permanent="yes">
  <Condition>CERTPATH</Condition>
  <CreateFolder/>
  <iis:Certificate Name="CTTCA" Id='CTTCA' Request='no' CertificatePath='[CERTPATH]' StoreLocation='localMachine' StoreName='root'/>
</Component>

Most of the time, this works fine, and the root CA cert is put in the
local machine store (so the app can form TLS connections based on the
certs our CA issues).  In some cases though, the installer will fail
with error 26352, and I've found that removing the certificate install
option lets the installer run successfully.  In all the cases where this
happens, I've noticed that the local machine and current user stores
contain multiple certificates with the same name.  I'm not sure how to
replicate this (since every time I try to add a certificate twice it
fails), but if nothing else, I'd like to be able to fail
non-catastrophically if the certificate install fails.  Is there a way
to make the certificate component non-vital, so that if it fails to
install to the store, the rest of the application can still be
installed?

I'm going to try using the Overwrite attribute on the certificate
element to see if that helps.

Thanks!

Chris
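
Added example (not part of the thread and not WiX code): the 21 October message above traces the apparent duplicates to the same certificate sitting in several physical stores behind one logical store. This PowerShell script reports which physical stores behind the local machine Trusted Root store hold a given certificate; the CertPath parameter and the output column names are illustrative, and the registry paths are the standard Windows locations for those stores.

```powershell
# Added example, not from the thread: list the physical stores behind
# LocalMachine\Root that already contain a given certificate.
param(
    [Parameter(Mandatory = $true)]
    [string] $CertPath   # illustrative parameter: the file the installer gets as CERTPATH
)

$ErrorActionPreference = 'Stop'

# Load the certificate; registry-backed CryptoAPI stores keep one subkey per
# certificate, named by its SHA-1 thumbprint.
$file = (Resolve-Path -LiteralPath $CertPath).ProviderPath
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

# Registry locations of the physical stores that the MMC snap-in merges into
# the logical "Trusted Root Certification Authorities" store (local computer).
$physicalStores = [ordered]@{
    'Registry'     = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'
    'Third-Party'  = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
    'Group Policy' = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    'Enterprise'   = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
}

# One row per physical store: is there a subkey for this thumbprint?
$report = foreach ($name in $physicalStores.Keys) {
    $key = Join-Path -Path $physicalStores[$name] -ChildPath $cert.Thumbprint
    [pscustomobject]@{
        PhysicalStore = $name
        Present       = Test-Path -LiteralPath $key
        RegistryKey   = $key
    }
}

# Number of entries the logical store view returns for this thumbprint.
$logicalCount = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }).Count

"Subject:       $($cert.Subject)"
"Serial number: $($cert.SerialNumber)"
"Thumbprint:    $($cert.Thumbprint)"
"Entries in logical store view: $logicalCount"
$report | Format-Table -AutoSize

# Flag the state the thread identifies as the trigger for error 26352.
$inPolicy = $report | Where-Object { $_.PhysicalStore -eq 'Group Policy' -and $_.Present }
if ($inPolicy) {
    Write-Warning ('Certificate is in the Group Policy physical store. The thread reports ' +
        'that adding it with CERT_STORE_ADD_REPLACE_EXISTING then fails with 0x80070005.')
}
```

Run it on an affected machine with the same certificate file the installer receives as CERTPATH; a row with Present set to True for Group Policy matches the reproduction steps given in the thread.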


Re: Certificate install to local machine fails with code 26352

Chris Bardon
Very strange - I thought that would fix the problem.  I created a custom
action to install my certificate, and that was the only really major
change that I made.  Here's the source for my CA:

#include <windows.h>
#include <msi.h>
#include <msiquery.h>
#include <wincrypt.h>
#include <stdio.h>
#include <string.h>

UINT __stdcall InstallCertificate(MSIHANDLE hInstall)
{
        //install a cert into the local machine store
        WCHAR certPath[MAX_PATH] = { 0 };
        DWORD dwSize = MAX_PATH;
        UINT rc = MsiGetPropertyW(hInstall, L"CERTPATH", certPath, &dwSize);
        if (rc != ERROR_SUCCESS)
                return rc;

        //open the certificate file in binary mode so DER bytes are read unchanged
        FILE* f = _wfopen(certPath, L"rb");
        if (f == NULL)
                return ERROR_PATH_NOT_FOUND;

        const DWORD dwCertSize = 8192; //wix used a 64Mb buffer
        BYTE* certBuffer = new BYTE[dwCertSize];
        memset(certBuffer, 0, dwCertSize);

        CERT_BLOB blob = { 0 };
        //pass only the bytes actually read, not the whole buffer
        blob.cbData = (DWORD)fread(certBuffer, sizeof(BYTE), dwCertSize, f);
        blob.pbData = certBuffer;
        fclose(f);

        //open the root CA store
        HCERTSTORE hCertStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL,
                CERT_SYSTEM_STORE_LOCAL_MACHINE, L"Root");
        if (hCertStore == NULL)
        {
                rc = GetLastError();
                delete[] certBuffer;
                return rc;
        }

        PCCERT_CONTEXT pNewContext = NULL;
        DWORD dwEncodingType;
        DWORD dwContentType;
        DWORD dwFormatType;

        rc = ERROR_SUCCESS;
        if (!CryptQueryObject(CERT_QUERY_OBJECT_BLOB, &blob,
                CERT_QUERY_CONTENT_FLAG_ALL, CERT_QUERY_FORMAT_FLAG_ALL, 0,
                &dwEncodingType, &dwContentType, &dwFormatType, NULL,
                NULL, (LPCVOID*)&pNewContext))
        {
                //the file could not be parsed
                rc = GetLastError();
        }
        else if (pNewContext)
        {
                //install the certificate
                //strange - replace existing fails, but use existing works.  Replace does a delete though, so perhaps that's why?
                if (!CertAddCertificateContextToStore(hCertStore, pNewContext, CERT_STORE_ADD_USE_EXISTING, NULL))
                //if(!CertAddCertificateContextToStore(hCertStore, pNewContext, CERT_STORE_ADD_REPLACE_EXISTING, NULL))
                {
                        rc = GetLastError();
                }
                CertFreeCertificateContext(pNewContext);
        }
        //close the store and release the buffer on every path
        CertCloseStore(hCertStore, 0);
        delete[] certBuffer;
        return rc;
}

And then I just run it in my installer like this:

    <InstallExecuteSequence>
      <Custom Action="InstallCertificate" After="InstallInitialize">CERTPATH AND NOT REMOVE</Custom>
    </InstallExecuteSequence>

So far, everything seems to work, so all I really have to do is tighten
up a couple of things in the CA source.  Any idea why my code works, but
the code in iisextension doesn't?  If I change the line that installs
the cert to the one that's commented out, it gives me the same error as
the one I logged.


-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Monday, November 24, 2008 2:29 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine failswith
code 26352

As noted in my bug comment, the other code is commented out.  I changed
the only location that was actually being executed.  Ultimately, I don't
think this change did anything.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Thursday, November 13, 2008 12:43
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with
code 26352

I just checked the latest weekly, and it looks like the change only got
made in one place.  It looks like I still get the same cert install
error-is there a reason that it didn't change in scacert.cpp?

-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Tuesday, November 04, 2008 2:01 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install tolocal
machinefailswithcode 26352

Yes, but I didn't make the 4624 build.  If you look in CVS then you'll
see the change.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Tuesday, November 04, 2008 10:51
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local
machinefailswithcode 26352

I checked out the latest weekly build, and it looks like the problem is
still there.  The source for the build is also identical to what was
there before-Rob, did you change anything?

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Tuesday, October 21, 2008 1:13 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local
machinefailswithcode 26352

Thanks, I've opened a bug (number 2184946).

-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Tuesday, October 21, 2008 12:24 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine
failswithcode 26352

Wow, nice analysis.  Is there a bug open on this issue right now?  If
not, can you open one and I'll try to get this change in Thursday night
for Friday's build.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Tuesday, October 21, 2008 07:47
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails
withcode 26352

OK, I think I understand what's going on here.  The reason a certificate
looked like it was duplicated was that the same cert existed in multiple
physical stores, which appeared as the same logical store in the mmc.
If the certificate the installer was trying to add already existed in
the Group Policy store, then the install would fail, since the user
would not have permission to delete from that store (although they can
through the MMC).  If the cert exists in any other combination of
stores, it seems to work.  Here's the steps to reproduce

-Generate a CA cert
-Open mmc, and add the certificates snapin for the local computer -Right
click the Certificates (Local Computer) node, and select
View->options
-Leave the view mode as Logical stores, and check off the Show Physical
certificate stores option -Click OK -Expand the Group policy node, right
click on the Certificates folder, and select All Tasks->Import -Import
your certificate into the store -Create an installer that installs the
certificate into the local machine store using the IIS extension (e.g.
<iis:Certificate Name="CACERT" Id='CACERT' Request='no'
CertificatePath='[CERTPATH]'
StoreLocation='localMachine' StoreName='root'/>) -Run the installer

If you do this, the installer will fail with the error code 26352.  If
you remove the cert from the group policy store manually, the installer
will run.

To fix this, you should just be able to change the calls in the IIS
extension source (scacertexec.cpp and scacert.cpp) to
CertAddCertificateContextToStore.  Instead of using
CERT_STORE_ADD_REPLACE_EXISTING, you can use
CERT_STORE_ADD_USE_EXISTING.  This updates the current cert instead of
duplicating it, and the test case detailed above should pass.  You will
notice that the certificate will be listed in both the registry and
group policy physical stores, but I don't think there's anything we can
do about that.

I haven't tried actually rebuilding the WiX source with this change
(since I don't have a build environment set up for it yet), but that's
the next step.  Anyone have any thoughts on this change?

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Monday, October 20, 2008 1:53 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails
withcode 26352

I've dug a little deeper into this, written some test code to try to
debug the problem, and I've found something interesting.  The
CertAddCertificateContextToStore function is failing with Access Denied
when trying to add the cert with CERT_STORE_ADD_REPLACE_EXISTING, which
is failing the installer.  This only appears to fail if there are two
copies of the same certificate in the store with the same serial number,
which may or may not be left there from the installer as well (that's
problem #2-problem #1 is not failing the installer in the first place).


I tried manually checking the store for duplicates and deleting them
before installing (with CertDeleteCertificateFromStore), but this
returned Access denied as well.  When I tried changing the parameter on
the add function to use CERT_STORE_ADD_USE_EXISTING though, it worked
without returning an error.  It looks like the difference is that
replace existing tries to do a delete first, while the use existing
version updates the existing cert.

The first question is, why is the delete failing?  I have admin rights
on the machine, and if there are 0 or 1 copies of the cert in the store,
the operation works fine.  The second question is, why should the
certificate be duplicated in the first place?  I tried writing code that
used CERT_STORE_ADD_ALWAYS, but it still only left me with one copy of
the certificate.  Is it possible that a call to add a certificate with
replacement is adding a new certificate without deleting the old one?

Any experts in the crypto API here?  If not, does anyone have any
thoughts on where else I could look for answers?

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Tuesday, October 14, 2008 2:51 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machinefailswith
code 26352

That's the impression I get from the documentation as well.  Looks like
I'll have to have a closer look at that method.  I'll let you guys know
if I find anything-it seems to be a tricky bug to reproduce.  Somehow
you have to get the same cert in the store twice.

-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Thursday, October 09, 2008 4:59 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine failswith
code 26352

This is the code that is failing:

    if (!::CertAddCertificateContextToStore(hStore, pCertContext,
CERT_STORE_ADD_REPLACE_EXISTING, NULL))
    {
        MessageExitOnLastError(hr, msierrCERTFailedAdd, "Failed to add
certificate to the store.");
    }

Seems like it *should* replace the certificate if possible.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Thursday, October 09, 2008 13:15
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with
code 26352

I managed to get a log for the failure-here's the relevant section:

MSI (s) (E0:BC) [15:46:35:871]: Executing op:
ActionStart(Name=RollbackAddMachineCertificate,,)
Action 15:46:35: RollbackAddMachineCertificate.
MSI (s) (E0:BC) [15:46:35:874]: Executing op:
CustomActionSchedule(Action=RollbackAddMachineCertificate,ActionType=115
21,Source=BinaryData,Target=**********,CustomActionData=**********)
MSI (s) (E0:BC) [15:46:35:875]: Executing op:
ActionStart(Name=AddMachineCertificate,,)
Action 15:46:35: AddMachineCertificate.
MSI (s) (E0:BC) [15:46:35:876]: Executing op:
CustomActionSchedule(Action=AddMachineCertificate,ActionType=11265,Sourc
e=BinaryData,Target=**********,CustomActionData=**********)
MSI (s) (E0:F0) [15:46:35:887]: Invoking remote custom action. DLL:
C:\Windows\Installer\MSIC98F.tmp, Entrypoint: AddMachineCertificate MSI
(s) (E0:F0) [15:46:35:887]: Generating random cookie.
MSI (s) (E0:F0) [15:46:35:901]: Created Custom Action Server with PID
4628 (0x1214).
MSI (s) (E0:64) [15:46:36:554]: Running as a service.
MSI (s) (E0:64) [15:46:36:557]: Hello, I'm your 32bit Elevated custom
action server.
AddMachineCertificate:  Adding certificate: CTTCA
AddMachineCertificate:  Error 0x80070005: Failed to add certificate to
the store.
The installer has encountered an unexpected error installing this
package. This may indicate a problem with this package. The error code
is 26352. The arguments are: -2147024891, , MSI (s) (E0!38)
[15:46:39:008]: Product: iceBAR -- The installer has encountered an
unexpected error installing this package. This may indicate a problem
with this package. The error code is 26352. The arguments are:
-2147024891, ,

AddMachineCertificate:  Error 0x80070005: Failed to install certificate.
AddMachineCertificate:  Error 0x80070005: Failed to install per-machine
certificate.

I checked the local machine store on the machine where the failure
happened, and the cert was already in the store twice (same serial
number).  I'm not sure what happened to get it there multiple times, but
I can't have my installer failing like this if the cert is already
there.

Anyone have any ideas?

-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Friday, September 26, 2008 12:36 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with
code 26352

I doubt overwrite will help.  Can you get a log file from a failure?
That will go a long way to diagnosing the problem.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Friday, September 26, 2008 07:22
To: General discussion for Windows Installer XML toolset.
Subject: [WiX-users] Certificate install to local machine fails with
code 26352

I've had some users complain about a problem with an installer that
attempts to add a certificate to the trusted root cert store.  I added a
component to my setup that looks like this:



<Component Id="RootCA" Guid="A1106EC4-9546-4a4f-AE6D-4F94DE066C0E"
Permanent="yes">

<Condition>CERTPATH</Condition>

      <CreateFolder/>

      <iis:Certificate Name="CTTCA" Id='CTTCA' Request='no'
CertificatePath='[CERTPATH]' StoreLocation='localMachine'
StoreName='root'/>

</Component>



Most of the time, this works fine, and the root CA cert is put in the
local machine store (so the app can form TLS connections based on the
certs our CA issues).  In some cases though, the installer will fail
with error 26352, and I've found that removing the certificate install
option lets the installer run successfully.  In all the cases where this
happens, I've noticed that the local machine and current user stores
contain multiple certificates with the same name.  I'm not sure how to
replicate this (since every time I try to add a certificate twice it
fails), but if nothing else, I'd like to be able to fail
non-catastrophically if the certificate install fails.  Is there a way
to make the certificate component non-vital, so that if it fails to
install to the store, the rest of the application can still be
installed?



I'm going to try using the Overwrite attribute on the certificate
element to see if that helps.



Thanks!



Chris


Re: Certificate install to local machine failswith code 26352

Rob Mensching-2
Your CustomAction is not deferred and will fail if the installation is not elevated.  Have you tried running it deferred?  Maybe that is the problem we're having... the deferred CustomAction server isn't impersonating for us appropriately.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Tuesday, November 25, 2008 04:38
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine failswith code 26352

Very strange-I thought that would fix the problem.  I created a custom
action to install my certificate, and that was the only really major
change that I made.  Here's the source for my CA:

#include <windows.h>
#include <wincrypt.h>
#include <msi.h>
#include <msiquery.h>
#include <stdio.h>
#include <string.h>

UINT __stdcall InstallCertificate(MSIHANDLE hInstall)
{
        //install a cert into the local machine store
        WCHAR certPath[MAX_PATH] = { 0 };
        DWORD dwSize = MAX_PATH;
        UINT rc = MsiGetPropertyW(hInstall, L"CERTPATH", certPath, &dwSize);
        if (rc != ERROR_SUCCESS)
                return rc;

        //read the file in binary mode so DER-encoded certs are not altered
        FILE* f = _wfopen(certPath, L"rb");
        if (f == NULL)
                return ERROR_PATH_NOT_FOUND;

        const DWORD dwCertSize = 8192; //wix used a 64Mb buffer
        BYTE* certBuffer = new BYTE[dwCertSize];
        memset(certBuffer, 0, dwCertSize);
        DWORD dwRead = (DWORD)fread(certBuffer, sizeof(BYTE), dwCertSize, f);
        fclose(f);

        CERT_BLOB blob = { 0 };
        blob.cbData = dwRead; //only the bytes actually read from the file
        blob.pbData = certBuffer;

        //open the root CA store
        HCERTSTORE hCertStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL,
                CERT_SYSTEM_STORE_LOCAL_MACHINE, L"Root");
        if (hCertStore == NULL)
        {
                rc = GetLastError();
                delete[] certBuffer;
                return rc;
        }

        PCCERT_CONTEXT pNewContext = NULL;
        DWORD dwEncodingType = 0;
        DWORD dwContentType = 0;
        DWORD dwFormatType = 0;

        //only accept a single certificate, so the returned context is
        //always a PCCERT_CONTEXT (FLAG_ALL can also return CRL/CTL contexts)
        rc = ERROR_SUCCESS;
        if (!CryptQueryObject(CERT_QUERY_OBJECT_BLOB, &blob,
                CERT_QUERY_CONTENT_FLAG_CERT, CERT_QUERY_FORMAT_FLAG_ALL, 0,
                &dwEncodingType, &dwContentType, &dwFormatType, NULL,
                NULL, (LPCVOID*)&pNewContext) || pNewContext == NULL)
        {
                rc = GetLastError();
        }
        else
        {
                //install the certificate
                //strange-replace existing fails, but use existing works.  Replace does a delete though, so perhaps that's why?
                if(!CertAddCertificateContextToStore(hCertStore, pNewContext, CERT_STORE_ADD_USE_EXISTING, NULL))
                //if(!CertAddCertificateContextToStore(hCertStore, pNewContext, CERT_STORE_ADD_REPLACE_EXISTING, NULL))
                {
                        rc = GetLastError();
                }
                CertFreeCertificateContext(pNewContext);
        }
        //close the store
        CertCloseStore(hCertStore, 0);
        delete[] certBuffer;
        return rc;
}

And then I just run it in my installer like this:

    <InstallExecuteSequence>
      <Custom Action="InstallCertificate"
After="InstallInitialize">CERTPATH AND NOT REMOVE</Custom>
    </InstallExecuteSequence>

So far, everything seems to work, so all I really have to do is tighten
up a couple of things in the CA source.  Any idea why my code works, but
the code in iisextension doesn't?  If I change the line that installs
the cert to the one that's commented out, it gives me the same error as
the one I logged.


-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Monday, November 24, 2008 2:29 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine failswith
code 26352

As noted in my bug comment, the other code is commented out.  I changed
the only location that was actually being executed.  Ultimately, I don't
think this change did anything.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Thursday, November 13, 2008 12:43
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with
code 26352

I just checked the latest weekly, and it looks like the change only got
made in one place.  It looks like I still get the same cert install
error-is there a reason that it didn't change in scacert.cpp?

-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Tuesday, November 04, 2008 2:01 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install tolocal
machinefailswithcode 26352

Yes, but I didn't make the 4624 build.  If you look in CVS then you'll
see the change.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Tuesday, November 04, 2008 10:51
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local
machinefailswithcode 26352

I checked out the latest weekly build, and it looks like the problem is
still there.  The source for the build is also identical to what was
there before-Rob, did you change anything?

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Tuesday, October 21, 2008 1:13 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local
machinefailswithcode 26352

Thanks, I've opened a bug (number 2184946).

-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Tuesday, October 21, 2008 12:24 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine
failswithcode 26352

Wow, nice analysis.  Is there a bug open on this issue right now?  If
not, can you open one and I'll try to get this change in Thursday night
for Friday's build.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Tuesday, October 21, 2008 07:47
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails
withcode 26352

OK, I think I understand what's going on here.  The reason a certificate
looked like it was duplicated was that the same cert existed in multiple
physical stores, which appeared as the same logical store in the mmc.
If the certificate the installer was trying to add already existed in
the Group Policy store, then the install would fail, since the user
would not have permission to delete from that store (although they can
through the MMC).  If the cert exists in any other combination of
stores, it seems to work.  Here are the steps to reproduce:

-Generate a CA cert
-Open mmc, and add the certificates snapin for the local computer
-Right click the Certificates (Local Computer) node, and select
View->options
-Leave the view mode as Logical stores, and check off the Show Physical
certificate stores option
-Click OK
-Expand the Group policy node, right click on the Certificates folder,
and select All Tasks->Import
-Import your certificate into the store
-Create an installer that installs the certificate into the local
machine store using the IIS extension (e.g.
<iis:Certificate Name="CACERT" Id='CACERT' Request='no'
CertificatePath='[CERTPATH]'
StoreLocation='localMachine' StoreName='root'/>)
-Run the installer

If you do this, the installer will fail with the error code 26352.  If
you remove the cert from the group policy store manually, the installer
will run.

To fix this, you should just be able to change the calls in the IIS
extension source (scacertexec.cpp and scacert.cpp) to
CertAddCertificateContextToStore.  Instead of using
CERT_STORE_ADD_REPLACE_EXISTING, you can use
CERT_STORE_ADD_USE_EXISTING.  This updates the current cert instead of
duplicating it, and the test case detailed above should pass.  You will
notice that the certificate will be listed in both the registry and
group policy physical stores, but I don't think there's anything we can
do about that.

I haven't tried actually rebuilding the WiX source with this change
(since I don't have a build environment set up for it yet), but that's
the next step.  Anyone have any thoughts on this change?

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Monday, October 20, 2008 1:53 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails
withcode 26352

I've dug a little deeper into this, written some test code to try to
debug the problem, and I've found something interesting.  The
CertAddCertificateContextToStore function is failing with Access Denied
when trying to add the cert with CERT_STORE_ADD_REPLACE_EXISTING, which
is failing the installer.  This only appears to fail if there are two
copies of the same certificate in the store with the same serial number,
which may or may not be left there from the installer as well (that's
problem #2-problem #1 is not failing the installer in the first place).


I tried manually checking the store for duplicates and deleting them
before installing (with CertDeleteCertificateFromStore), but this
returned Access denied as well.  When I tried changing the parameter on
the add function to use CERT_STORE_ADD_USE_EXISTING though, it worked
without returning an error.  It looks like the difference is that
replace existing tries to do a delete first, while the use existing
version updates the existing cert.

The first question is, why is the delete failing?  I have admin rights
on the machine, and if there are 0 or 1 copies of the cert in the store,
the operation works fine.  The second question is, why should the
certificate be duplicated in the first place?  I tried writing code that
used CERT_STORE_ADD_ALWAYS, but it still only left me with one copy of
the certificate.  Is it possible that a call to add a certificate with
replacement is adding a new certificate without deleting the old one?

Any experts in the crypto API here?  If not, does anyone have any
thoughts on where else I could look for answers?

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Tuesday, October 14, 2008 2:51 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machinefailswith
code 26352

That's the impression I get from the documentation as well.  Looks like
I'll have to have a closer look at that method.  I'll let you guys know
if I find anything-it seems to be a tricky bug to reproduce.  Somehow
you have to get the same cert in the store twice.

-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Thursday, October 09, 2008 4:59 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine failswith
code 26352

This is the code that is failing:

    if (!::CertAddCertificateContextToStore(hStore, pCertContext, CERT_STORE_ADD_REPLACE_EXISTING, NULL))
    {
        MessageExitOnLastError(hr, msierrCERTFailedAdd, "Failed to add certificate to the store.");
    }

Seems like it *should* replace the certificate if possible.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Thursday, October 09, 2008 13:15
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with
code 26352

I managed to get a log for the failure-here's the relevant section:

MSI (s) (E0:BC) [15:46:35:871]: Executing op: ActionStart(Name=RollbackAddMachineCertificate,,)
Action 15:46:35: RollbackAddMachineCertificate.
MSI (s) (E0:BC) [15:46:35:874]: Executing op: CustomActionSchedule(Action=RollbackAddMachineCertificate,ActionType=11521,Source=BinaryData,Target=**********,CustomActionData=**********)
MSI (s) (E0:BC) [15:46:35:875]: Executing op: ActionStart(Name=AddMachineCertificate,,)
Action 15:46:35: AddMachineCertificate.
MSI (s) (E0:BC) [15:46:35:876]: Executing op: CustomActionSchedule(Action=AddMachineCertificate,ActionType=11265,Source=BinaryData,Target=**********,CustomActionData=**********)
MSI (s) (E0:F0) [15:46:35:887]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIC98F.tmp, Entrypoint: AddMachineCertificate
MSI (s) (E0:F0) [15:46:35:887]: Generating random cookie.
MSI (s) (E0:F0) [15:46:35:901]: Created Custom Action Server with PID 4628 (0x1214).
MSI (s) (E0:64) [15:46:36:554]: Running as a service.
MSI (s) (E0:64) [15:46:36:557]: Hello, I'm your 32bit Elevated custom action server.
AddMachineCertificate:  Adding certificate: CTTCA
AddMachineCertificate:  Error 0x80070005: Failed to add certificate to the store.
The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 26352. The arguments are: -2147024891, ,
MSI (s) (E0!38) [15:46:39:008]: Product: iceBAR -- The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 26352. The arguments are: -2147024891, ,

AddMachineCertificate:  Error 0x80070005: Failed to install certificate.
AddMachineCertificate:  Error 0x80070005: Failed to install per-machine certificate.

I checked the local machine store on the machine where the failure
happened, and the cert was already in the store twice (same serial
number).  I'm not sure what happened to get it there multiple times, but
I can't have my installer failing like this if the cert is already
there.

Anyone have any ideas?

-----Original Message-----
From: Rob Mensching [mailto:[hidden email]]
Sent: Friday, September 26, 2008 12:36 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Certificate install to local machine fails with
code 26352

I doubt overwrite will help.  Can you get a log file from a failure?
That will go a long way to diagnosing the problem.

-----Original Message-----
From: Chris Bardon [mailto:[hidden email]]
Sent: Friday, September 26, 2008 07:22
To: General discussion for Windows Installer XML toolset.
Subject: [WiX-users] Certificate install to local machine fails with
code 26352

I've had some users complain about a problem with an installer that
attempts to add a certificate to the trusted root cert store.  I added a
component to my setup that looks like this:



<Component Id="RootCA" Guid="A1106EC4-9546-4a4f-AE6D-4F94DE066C0E"
Permanent="yes">

<Condition>CERTPATH</Condition>

      <CreateFolder/>

      <iis:Certificate Name="CTTCA" Id='CTTCA' Request='no'
CertificatePath='[CERTPATH]' StoreLocation='localMachine'
StoreName='root'/>

</Component>



Most of the time, this works fine, and the root CA cert is put in the
local machine store (so the app can form TLS connections based on the
certs our CA issues).  In some cases though, the installer will fail
with error 26352, and I've found that removing the certificate install
option lets the installer run successfully.  In all the cases where this
happens, I've noticed that the local machine and current user stores
contain multiple certificates with the same name.  I'm not sure how to
replicate this (since every time I try to add a certificate twice it
fails), but if nothing else, I'd like to be able to fail
non-catastrophically if the certificate install fails.  Is there a way
to make the certificate component non-vital, so that if it fails to
install to the store, the rest of the application can still be
installed?



I'm going to try using the Overwrite attribute on the certificate
element to see if that helps.



Thanks!



Chris
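
A diagnostic for the situation analysed in this thread (one certificate showing up several times in the logical Root store because it sits in more than one physical store), as an added example that is not part of the original messages or of the WiX source. It assumes the standard registry locations that back the LocalMachine Root physical stores; the parameter name CertificatePath is hypothetical.

```powershell
# Added example, not from the thread: report which physical stores behind the
# LocalMachine "Root" logical store contain a given certificate.
param(
    [Parameter(Mandatory = $true)]
    [string]$CertificatePath   # hypothetical parameter: path to the CA .cer file
)

# Load the certificate and take its SHA-1 thumbprint. Each certificate in a
# registry-backed store is saved under a subkey named after this thumbprint.
$resolved   = (Resolve-Path -LiteralPath $CertificatePath).Path
$cert       = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $resolved
$thumbprint = $cert.Thumbprint

# Registry locations of the physical stores that make up LocalMachine\Root
# (assumed standard locations, as stated in the lead-in).
$physicalStores = [ordered]@{
    'Registry (.Default)'         = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'
    'Third-Party (.AuthRoot)'     = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
    'Group Policy (.GroupPolicy)' = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    'Enterprise (.Enterprise)'    = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
}

$report = foreach ($entry in $physicalStores.GetEnumerator()) {
    $keyPath = Join-Path $entry.Value $thumbprint
    [pscustomobject]@{
        PhysicalStore = $entry.Key
        Present       = Test-Path -LiteralPath $keyPath
        RegistryKey   = $keyPath
    }
}

Write-Output "Certificate : $($cert.Subject)"
Write-Output "Serial      : $($cert.SerialNumber)"
Write-Output "Thumbprint  : $thumbprint"
$report | Format-Table -AutoSize

# How many entries with this thumbprint the logical store view returns.
$logicalCopies = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $thumbprint })
Write-Output "Entries seen through Cert:\LocalMachine\Root: $($logicalCopies.Count)"

# The thread traces error 26352 / 0x80070005 to a copy in the Group Policy
# physical store combined with CERT_STORE_ADD_REPLACE_EXISTING.
$inGroupPolicy = $report | Where-Object { $_.PhysicalStore -like 'Group Policy*' -and $_.Present }
if ($inGroupPolicy) {
    Write-Warning ("This certificate is present in the Group Policy physical store. " +
        "Per the analysis in this thread, an add with CERT_STORE_ADD_REPLACE_EXISTING " +
        "fails with access denied in that case; CERT_STORE_ADD_USE_EXISTING does not.")
}
```

Run it from an elevated prompt on a machine where the installer failed, passing the same .cer file the installer uses.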
