Hi there,

How do you sign the burn bootstrapper? Do you simply sign it with signtool.exe after you build the executable? When I try it with the sign tool, the UAC prompt still shows up with an "unknown publisher".

Also, do you need to sign all of the MSI packages that will be downloaded with the chainer as well?

Thanks,

--
Sunny Li

_______________________________________________
WiX-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/wix-users

Easiest way: override the MSBuild "SignXxx" targets defined in wix2010.targets with your own targets. I really need to get the blog post up about this. <sigh/>

On Tue, Jan 10, 2012 at 6:50 PM, Sunny Li <[hidden email]> wrote:
> Hi there,
>
> How do you sign the burn bootstrapper? Do you simply sign it with
> signtool.exe after you build the executable? When I try it with the sign
> tool, the UAC prompt still shows up with an "unknown publisher".
>
> Also, do you need to sign all of the MSI packages that will be downloaded
> with the chainer as well?
>
> Thanks,
>
> --
> Sunny Li

--
virtually, Rob Mensching - http://RobMensching.com LLC

Thanks Rob, a blog post would be great!

As I am not that familiar with modifying the MSBuild sequence, do I just specify something like <Target Name="Signing" SignTargetPath="PathToMyExe"/> in my wixproj?

I guess I should probably sign all my MSI's with a digital certificate using the signtool before calling that?

Thanks,
Sunny

There are like four Sign* targets in wix2010.targets. Create a target named the same for each and all of your things can be signed. It's actually really easy.

On Wed, Jan 11, 2012 at 2:13 PM, sunniejai <[hidden email]> wrote:
> Thanks Rob, a blog post would be great!
>
> As I am not that familiar with modifying the MSBuild sequence, do I just
> specify something like <Target Name="Signing"
> SignTargetPath="PathToMyExe"/>
> in my wixproj?
>
> I guess I should probably sign all my MSI's with a digital certificate
> using
> the signtool before calling that?
>
> Thanks,
> Sunny
>
> --
> View this message in context:
> http://windows-installer-xml-wix-toolset.687559.n2.nabble.com/Signing-the-burn-bootstrapper-tp7174715p7178031.html
> Sent from the wix-users mailing list archive at Nabble.com.

--
virtually, Rob Mensching - http://RobMensching.com LLC

In reply to this post by sunniejai

To sign the bundle and bundle engine you need to add the following to your .wixproj:

Add <SignOutput>true</SignOutput> to a PropertyGroup
Implement the targets like this:

    <Target Name="SignBundleEngine">
      <SignFile TimestampUrl="..." CertificateThumbprint="..." SigningTarget="@(SignBundleEngine)" />
    </Target>
    <Target Name="SignBundle">
      <SignFile TimestampUrl="..." CertificateThumbprint="..." SigningTarget="@(SignBundle)" />
    </Target>

You need to put these _after_ the <Import Project="$(WixTargetsPath)" />
Alternatively you can use <Exec Command='signtool.exe sign ...' /> for more control.
There is also a <SignContainers> target but I don't know quite what it does.

When building MSIs, to sign them you need to implement <Target Name="SignMsi">
If you have external CABs then also implement <Target Name="SignCabs">
The things you need to sign are in an itemgroup with the same name as the target (e.g. @(SignMsi))
Note that you can't use the SignFile task for this, as it will only sign exes and dlls. You have to use <Exec Command="signtool sign ..." />

Hope that helps,
Pete

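Added example (not part of the original thread and not WiX project code): the four Sign* overrides described in the message above, collected in one shared MSBuild file so that bundle and MSI projects sign the same way and the bundle is checked after signing. The file name Signing.targets, the SigningCertThumbprint and SigningTimestampUrl properties and the _CheckSigningInputs target are assumptions, and signtool.exe is assumed to be on the PATH.

```xml
<!-- Signing.targets (hypothetical file name). Import it from each .wixproj
     AFTER <Import Project="$(WixTargetsPath)" /> so these targets replace
     the ones from wix2010.targets, and keep <SignOutput>true</SignOutput>
     in the project's own PropertyGroup. -->
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

  <!-- Assumed helper: stop the build when signing inputs are missing, so a
       bundle is never produced with an unsigned engine inside it (the
       failure reported later in this thread). -->
  <Target Name="_CheckSigningInputs">
    <Error Condition="'$(SigningCertThumbprint)' == ''"
           Text="SigningCertThumbprint is not set." />
    <Error Condition="'$(SigningTimestampUrl)' == ''"
           Text="SigningTimestampUrl is not set." />
  </Target>

  <!-- Bundle projects: sign the engine, then the finished bundle. -->
  <Target Name="SignBundleEngine" DependsOnTargets="_CheckSigningInputs">
    <SignFile CertificateThumbprint="$(SigningCertThumbprint)"
              TimestampUrl="$(SigningTimestampUrl)"
              SigningTarget="@(SignBundleEngine)" />
  </Target>

  <Target Name="SignBundle" DependsOnTargets="_CheckSigningInputs">
    <SignFile CertificateThumbprint="$(SigningCertThumbprint)"
              TimestampUrl="$(SigningTimestampUrl)"
              SigningTarget="@(SignBundle)" />
    <!-- Verify the signature with the default Authenticode policy. -->
    <Exec Command='signtool.exe verify /pa "%(SignBundle.FullPath)"' />
  </Target>

  <!-- MSI projects: SignFile only signs exes and dlls, so call signtool. -->
  <Target Name="SignMsi" DependsOnTargets="_CheckSigningInputs">
    <Exec Command='signtool.exe sign /sha1 $(SigningCertThumbprint) /t $(SigningTimestampUrl) "%(SignMsi.FullPath)"' />
  </Target>

  <Target Name="SignCabs" DependsOnTargets="_CheckSigningInputs">
    <Exec Command='signtool.exe sign /sha1 $(SigningCertThumbprint) /t $(SigningTimestampUrl) "%(SignCabs.FullPath)"' />
  </Target>

</Project>
```

Because the thumbprint and timestamp URL arrive as properties (for example msbuild /p:SigningCertThumbprint=...), the project files carry no certificate details; they are supplied on the machine whose certificate store holds the signing certificate.
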
Hi,

I haven't started using burn yet - but I'd like to - and signing will be an issue for us. At the moment, I hand an unsigned MSI over to the release manager for signing. He is the only person with access to the certificate. Can we still do this with burn? From what I've seen of this discussion so far, I must sign as part of the build process - something that will cause us a bit of an issue. Is that right?

-Nick

-----Original Message-----
From: Peter Hull [mailto:[hidden email]]
Sent: 12 January 2012 08:58
To: WiX Users
Subject: Re: [WiX-users] Signing the burn bootstrapper

To sign the bundle and bundle engine you need to add the following to your .wixproj:

Add <SignOutput>true</SignOutput> to a PropertyGroup
Implement the targets like this:

    <Target Name="SignBundleEngine">
      <SignFile TimestampUrl="..." CertificateThumbprint="..." SigningTarget="@(SignBundleEngine)" />
    </Target>
    <Target Name="SignBundle">
      <SignFile TimestampUrl="..." CertificateThumbprint="..." SigningTarget="@(SignBundle)" />
    </Target>

You need to put these _after_ the <Import Project="$(WixTargetsPath)" />
Alternatively you can use <Exec Command='signtool.exe sign ...' /> for more control.
There is also a <SignContainers> target but I don't know quite what it does.

When building MSIs, to sign them you need to implement <Target Name="SignMsi">
If you have external CABs then also implement <Target Name="SignCabs">
The things you need to sign are in an itemgroup with the same name as the target (e.g. @(SignMsi))
Note that you can't use the SignFile task for this, as it will only sign exes and dlls. You have to use <Exec Command="signtool sign ..." />

Hope that helps,
Pete

On 12-Jan-12 05:47, Nick Ball wrote:
> I haven't started using burn yet - but I'd like to - and signing will be an issue for us. At the moment, I hand an unsigned MSI over to the release manager for signing. He is the only person with access to the certificate. Can we still do this with burn? From what I've seen of this discussion so far, I must sign as part of the build process - something that will cause us a bit of an issue. Is that right?

You can't just sign the final output; you have to sign the bits that make up the bundle. But you can make signing a separate project that uses WiX just to assemble the signed bits into a bundle.

--
sig://boB
http://joyofsetup.com/

Signing only the bundle would prove that it came from your organisation and hadn't been tampered with - would that be enough? When run it would unpack the unsigned burn engine and the unsigned MSIs. Does anyone know if that would show the user a warning (or multiple warnings?)

Bob: would it be possible to have the burn engine signed (by Microsoft) in the released WiX 3.6 or have an option to specify the burn engine in the .wxs file - as I understand it you currently have to sign the burn engine every time the bundle is built, even though it's the same executable.

Pete

This post has NOT been accepted by the mailing list yet.

Hey Bob! It's been a while! I hope all is well with you. It's funny, I'm dealing with this very issue right now. We are using WiX 3.6.2408.0 and are having problems installing signed content from a signed bundle. Unsigned bundles work ok, however. Someone mentioned that burn.exe and all the .dlls need to be signed to ship a signed bundle, so I tried that and I was unable to sign the resulting bundle (timestamp failed error). I am obviously doing something wrong, but I'm not sure what. Any advice you can give would be greatly appreciated!

Thanks!

In reply to this post by Peter Hull

On 13-Jan-12 01:41, Peter Hull wrote:
> Bob: would it be possible to have the burn engine signed (by Microsoft) in the released WiX 3.6

That would mean that the UAC prompt would show Microsoft as the owner of your bundle.

> or have an option to specify the burn engine in the .wxs file - as I understand it you currently have to sign the burn engine every time the bundle is built, even though it's the same executable.

If that's a concern, you can replace the burn.exe in bin\x86 in your WiX drop.

--
sig://boB
http://joyofsetup.com/

> From: [hidden email]
> On 13-Jan-12 01:41, Peter Hull wrote:
> > Bob: would it be possible to have the burn engine signed (by Microsoft) in the released WiX 3.6
> That would mean that the UAC prompt would show Microsoft as the owner of
> your bundle.

OK, I had thought the UAC prompt would come from the 'outer' bundle executable - but I realise now why that wouldn't make sense!

> > or have an option to specify the burn engine in the .wxs file - as I understand it you currently have to sign the burn engine every time the bundle is built, even though it's the same executable.
> If that's a concern, you can replace the burn.exe in bin\x86 in your WiX
> drop.

Yes that would be an option though doing it in the .wxs would be better I think.

Thanks,
Pete

In reply to this post by Peter Hull

I'm trying to get bundle signing to work and I'm having some issues. I've added <SignOutput>true</SignOutput>, as mentioned. I've also overridden SignBundleEngine and SignBundle, which appear to be working because burn.exe and my bundle do have digital signatures attached. However, when I attempt to install I get the following error: "Setup failed while installing the MSIs. Unspecified error". This occurs after I receive the UAC prompt.

I'm obviously doing something wrong, but I'm not sure what. Any help would be greatly appreciated.

Paul

On 24-Jan-12 15:09, Paul Fazio wrote:
> However, when I attempt to install I get the following error: "Setup
> failed while installing the MSIs. Unspecified error".

Where? The Burn log will have additional details, like an error code.

--
sig://boB
http://joyofsetup.com/

In reply to this post by Paul Fazio

On 24/01/2012 20:09, Paul Fazio wrote:
> I'm trying to get bundle signing to work and I'm having some issues. I've
> added <SignOutput>true</SignOutput>, as mentioned. I've also overridden
> SignBundleEngine and SignBundle, which appear to be working because burn.exe
> and my bundle do have digital signatures attached. However, when I attempt
> to install I get the following error: "Setup failed while installing the
> MSIs. Unspecified error". This occurs after I receive the UAC prompt.
>
> I'm obviously doing something wrong, but I'm not sure what. Any help would
> be greatly appreciated.

I think that error occurs if you compress packages into the installer executable but don't sign them: I found that if you sign the installer but leave the MSI files unsigned then Burn fails to extract them at runtime.

--
Bruce Cran

On 15/05/2012 11:35, Bruce Cran wrote:
> I think that error occurs if you compress packages into the installer
> executable but don't sign them: I found that if you sign the installer
> but leave the MSI files unsigned then Burn fails to extract them at
> runtime.

The problem wasn't with the packages, it was with the engine. If the engine isn't signed then Burn fails.

--
Bruce Cran
