difx extension and perMachine installs

I am building an installer with a device driver, to be installed with the WiX difx extension. The driver is self-signed for testing purposes. I set my <Package> element to
<Package Description="..."
                 InstallerVersion="200"
                 InstallScope="perUser"
                 Compressed="yes"
                 InstallPrivileges="elevated" />
and everything seemed fine. However I reasoned that a device driver had better be perMachine so I changed the InstallScope to perMachine.
Now the installer fails and rolls back. Looking at the logs it is difx, returning error TRUST_E_NOSIGNATURE.
My questions:
1. Does WiX handle the case where a perUser install has a device driver (as long as InstallPrivileges is elevated)?
2. Am I correct in saying that the problem is my self-signed certificate - it's trusted by 'me' but for a perMachine install it is no longer trusted?

Thanks in advance,
Pete


     
------------------------------------------------------------------------------
RSA(R) Conference 2012
Mar 27 - Feb 2
Save $400 by Jan. 27
Register now!
http://p.sf.net/sfu/rsa-sfdev2dev2
_______________________________________________
WiX-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/wix-users

Did you remember to set the Legacy attribute to "yes" on your Driver
element?

See http://wix.sourceforge.net/manual-wix3/difxapp_xsd_driver.htm for more
info.  Specifically:

"Legacy YesNoType If set to "yes", configures DIFxApp to install
unsigned driver packages and driver packages with missing files"

Also see http://msdn.microsoft.com/en-us/library/ff547653(VS.85).aspx for
more info on what legacy mode is.

James

-----Original Message-----
From: Peter Hull [mailto:[hidden email]]
Sent: Monday, January 16, 2012 14:59
To: WiX Users
Subject: [WiX-users] difx extension and perMachine installs



I am building an installer with a device driver, to be installed with the
WiX difx extension. The driver is self-signed for testing purposes. I set my
<Package> element to <Package Description="..."
                 InstallerVersion="200"
                 InstallScope="perUser"
                 Compressed="yes"
                 InstallPrivileges="elevated" /> and everything seemed fine.
However I reasoned that a device driver had better be perMachine so I
changed the InstallScope to perMachine.
Now the installer fails and rolls back. Looking at the logs it is difx,
returning error TRUST_E_NOSIGNATURE.
My questions:
1. Does WiX handle the case where a perUser install has a device driver (as
long as InstallPrivileges is elevated)?
2. Am I correct in saying that the problem is my self-signed certificate -
it's trusted by 'me' but for a perMachine install it is no longer trusted?

Thanks in advance,
Pete


     
----------------------------------------------------------------------------
--
RSA(R) Conference 2012
Mar 27 - Feb 2
Save $400 by Jan. 27
Register now!
http://p.sf.net/sfu/rsa-sfdev2dev2
_______________________________________________
WiX-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/wix-users


------------------------------------------------------------------------------
RSA(R) Conference 2012
Mar 27 - Feb 2
Save $400 by Jan. 27
Register now!
http://p.sf.net/sfu/rsa-sfdev2dev2
_______________________________________________
WiX-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/wix-users

Thanks James, good point.
The driver will be signed for production; it just isn't at the moment. I shouldn't need the Legacy option.
I've been mulling over perUser vs. perMachine installs and my conclusion is that there's no point in a per-user install because the user would need to be an admin anyway (or be elevated) to install the driver.
So I was a bit surprised when my per-machine installer failed but I _think_ it's because of where I put my self-signed certificate (in the user store, not the machine store) - I just want to be sure that I'm not missing something and the install won't fail in the field, and you guys are the experts!
ThanksPete



----------------------------------------      
------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
WiX-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/wix-users

"The driver will be signed for production; it just isn't at the moment"

It doesn't matter what will eventually be done.  What matters is that your
driver is not currently signed.  The Legacy option / Windows can't see into
the future and know that you're eventually going to sign it.

"I shouldn't need the Legacy option"

If the driver is not signed, and you say it is not, then you need the Legacy
option.  Even if you eventually plan to sign it.  You'll just want to
remember to turn Legacy back off when you eventually do sign the driver.

James

-----Original Message-----
From: Peter Hull [mailto:[hidden email]]
Sent: Monday, January 16, 2012 22:21
To: WiX Users
Subject: Re: [WiX-users] difx extension and perMachine installs


Thanks James, good point.
The driver will be signed for production; it just isn't at the moment. I
shouldn't need the Legacy option.
I've been mulling over perUser vs. perMachine installs and my conclusion is
that there's no point in a per-user install because the user would need to
be an admin anyway (or be elevated) to install the driver.
So I was a bit surprised when my per-machine installer failed but I _think_
it's because of where I put my self-signed certificate (in the user store,
not the machine store) - I just want to be sure that I'm not missing
something and the install won't fail in the field, and you guys are the
experts!
ThanksPete



---------------------------------------- fine.
> However I reasoned that a device driver had better be perMachine so I
> changed the InstallScope to perMachine.
> Now the installer fails and rolls back. Looking at the logs it is
> difx, returning error TRUST_E_NOSIGNATURE.
> My questions:
> 1. Does WiX handle the case where a perUser install has a device
> driver (as long as InstallPrivileges is elevated)?
> 2. Am I correct in saying that the problem is my self-signed
> certificate - it's trusted by 'me' but for a perMachine install it is no
longer trusted?      
----------------------------------------------------------------------------
--
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers is
just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro
Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
WiX-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/wix-users


------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
WiX-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/wix-users

> If the driver is not signed, and you say it is not, then you need the Legacy
> option. I did say that; what I meant was "not signed with a certificate from a CA." It is self-signed at the moment. Apologies for the confusion.
I'd still like to hear if anyone has any comments on a per-user install which includes a device driver - is it always better to do it per-machine.
Pete
     
------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
WiX-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/wix-users

You may have signed with your self-signed certificate, and you may even have
added it to some random place in the certificate store, but your driver
isn't WHQL signed.  Please review these topics, depending on what your
operating system is:
http://msdn.microsoft.com/en-us/library/ff543654(VS.85).aspx

Specifically, they state the following regarding quiet installation (which
you are trying to do by turning off Legacy):

 * Windows Vista/7 quiet install of Authenticode-signed non-WHQL driver: "If
the certificate that was used to sign the driver package is not installed in
the user's certificate stores [Trusted Publishers I believe] before the
installation, the installation will fail."

To be precise, even if you sign your driver with Authenticode with VeriSign
/ trusted root CA, you can't install it quietly on a fresh copy of Windows
because it's not WHQL-class and your certificate isn't in Trusted
Publishers.  Only WHQL-class, Authenticode-signed drivers can be installed
quietly on a clean copy of Windows.

 * Windows XP quiet install of Authenticode-signed non-WHQL driver: "Because
of a limitation in Windows XP and Windows 2000, the DIFx tools cannot
perform a quiet installation of PnP function drivers."

Have you even tried turning on the Legacy option?  I bet you'll still get
some warnings that you have to click through when you turn Legacy on.  Just
try it and see what happens!  The thing to do is probably just turn Legacy
on for development.  Once you have your driver WHQL signed, turn it off.

Maybe you can get around this on Windows Vista by adding your self-signed
cert to both trusted root CAs and trusted publishers, I don't know.  Never
bothered to try.  The only real solution that works is something
WHQL-signed, and I believe the Authenticode signature has to come from
VeriSign.  Then you can turn Legacy off and it will work on Windows 2000 and
up.

Your original e-mail that stated you got the TRUST_E_NOSIGNATURE error makes
it pretty obvious what the problem is - you don't have a valid signature for
some reason.  Turn on Legacy mode, and the resulting prompts may give you
some clues as to what is going on.

Regarding per-user vs. per-machine: I don't really see how it's possible to
do per-user when a driver is installed.  I set my install (which includes
drivers) to be per-machine only to avoid confusion.

James

-----Original Message-----
From: Peter Hull [mailto:[hidden email]]
Sent: Tuesday, January 17, 2012 22:17
To: WiX Users
Subject: Re: [WiX-users] difx extension and perMachine installs


> If the driver is not signed, and you say it is not, then you need the
> Legacy option. I did say that; what I meant was "not signed with a
certificate from a CA." It is self-signed at the moment. Apologies for the
confusion.
I'd still like to hear if anyone has any comments on a per-user install
which includes a device driver - is it always better to do it per-machine.
Pete
     
----------------------------------------------------------------------------
--
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers is
just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro
Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
WiX-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/wix-users


------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
WiX-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/wix-users

On 17-Jan-12 17:16, Peter Hull wrote:
> I'd still like to hear if anyone has any comments on a per-user
> install which includes a device driver - is it always better to do it
> per-machine.

Drivers are per-machine resources so a per-user installer that includes
one can't offer the benefits of per-user installers (e.g., no UAC
prompt) and can only complicate things (e.g., what happens when another
user tries to install?).

--
sig://boB
http://joyofsetup.com/


------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2
_______________________________________________
WiX-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/wix-users