Re: [WiX-users] Signing the burn bootstrapper
On 24/01/2012 20:09, Paul Fazio wrote: I'm trying to get bundle signing to work and I'm having some issues. I've addedSignOutputtrue/SignOutput, as mentioned. I've also overridden SignBundleEngine and SignBundle, which appear to be working because burn.exe and my bundle do have digital signatures attached. However, when I attempt to install I get the following error: Setup failed while installing the MSIs. Unspecified error. This occurs after I receive the UAC prompt. I'm obviously doing something wrong, but I'm not sure what. Any help would be greatly appreciated. I think that error occurs if you compress packages into the installer executable but don't sign them: I found that if you sign the installer but leave the MSI files unsigned then Burn fails to extract them at runtime. -- Bruce Cran -- Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ ___ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users
Re: [WiX-users] Signing the burn bootstrapper
On 15/05/2012 11:35, Bruce Cran wrote: I think that error occurs if you compress packages into the installer executable but don't sign them: I found that if you sign the installer but leave the MSI files unsigned then Burn fails to extract them at runtime. The problem wasn't with the packages, it was with the engine. If the engine isn't signed then Burn fails. -- Bruce Cran -- Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ ___ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users
Re: [WiX-users] Signing the burn bootstrapper
On 24-Jan-12 15:09, Paul Fazio wrote: However, when I attempt to install I get the following error: Setup failed while installing the MSIs. Unspecified error. Where? The Burn log will have additional details, like an error code. -- sig://boB http://joyofsetup.com/ -- Keep Your Developer Skills Current with LearnDevNow! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-d2d ___ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users
Re: [WiX-users] Signing the burn bootstrapper
From: b...@joyofsetup.com On 13-Jan-12 01:41, Peter Hull wrote: Bob: would it be possible to have the burn engine signed (by Microsoft) in the released WiX 3.6 That would mean that the UAC prompt would show Microsoft as the owner of your bundle. OK, I had thought the UAC prompt would come from the 'outer' bundle executable - but I realise now why that wouldn't make sense! or have an option to specify the burn engine in the .wxs file - as I understand it you currently have to sign the burn engine every time the bundle is built, even though it's the same executable. If that's a concern, you can replace the burn.exe in bin\x86 in your WiX drop. Yes that would be an option though doing it in the .wxs would be better I think. Thanks, Pete -- RSA(R) Conference 2012 Mar 27 - Feb 2 Save $400 by Jan. 27 Register now! http://p.sf.net/sfu/rsa-sfdev2dev2 ___ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users
Re: [WiX-users] Signing the burn bootstrapper
On 13-Jan-12 01:41, Peter Hull wrote: Bob: would it be possible to have the burn engine signed (by Microsoft) in the released WiX 3.6 That would mean that the UAC prompt would show Microsoft as the owner of your bundle. or have an option to specify the burn engine in the .wxs file - as I understand it you currently have to sign the burn engine every time the bundle is built, even though it's the same executable. If that's a concern, you can replace the burn.exe in bin\x86 in your WiX drop. -- sig://boB http://joyofsetup.com/ -- RSA(R) Conference 2012 Mar 27 - Feb 2 Save $400 by Jan. 27 Register now! http://p.sf.net/sfu/rsa-sfdev2dev2 ___ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users
Re: [WiX-users] Signing the burn bootstrapper
To sign the bundle and bundle engine you need to add the following to your .wixproj: Add SignOutputtrue/SignOutput to a PropertyGroup Implement the targets like this: Target Name=SignBundleEngine SignFile TimestampUrl=... CertificateThumbprint=... SigningTarget=@(SignBundleEngine) / /Target Target Name=SignBundle SignFile TimestampUrl=... CertificateThumbprint=... SigningTarget=@(SignBundle) / /Target You need to put these _after_ the Import Project=$(WixTargetsPath) / Alternatively you can use Exec Command='signtool.exe sign ...' / for more control. There is also a SignContainers target but I don't know quite what it does. When buiding MSIs, to sign them you need to implement Target Name=SignMsi If you have external CABs then also implement Target Name=SignCabs The things you need to sign are in an itemgroup with the same name as the target (e.g. @(SignMsi)) Note that you can't use the SignFile task for this, as it will only sign exes and dlls. You have to use Exec Command=signtool sign ... / Hope that helps, Pete -- RSA(R) Conference 2012 Mar 27 - Feb 2 Save $400 by Jan. 27 Register now! http://p.sf.net/sfu/rsa-sfdev2dev2 ___ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users
Re: [WiX-users] Signing the burn bootstrapper
Hi, I haven't started using burn yet - but I'd like to - and signing will be an issue for us. At the moment, I hand an unsigned MSI over to the release manager for signing. He is the only person with access to the certificate. Can we still do this with burn? From what I've seen of this discussion so far, I must sign as part of the build process - something that will cause us a bit of an issue. Is that right? -Nick -Original Message- From: Peter Hull [mailto:peterhul...@hotmail.com] Sent: 12 January 2012 08:58 To: WiX Users Subject: Re: [WiX-users] Signing the burn bootstrapper To sign the bundle and bundle engine you need to add the following to your .wixproj: Add SignOutputtrue/SignOutput to a PropertyGroup Implement the targets like this: Target Name=SignBundleEngine SignFile TimestampUrl=... CertificateThumbprint=... SigningTarget=@(SignBundleEngine) / /Target Target Name=SignBundle SignFile TimestampUrl=... CertificateThumbprint=... SigningTarget=@(SignBundle) / /Target You need to put these _after_ the Import Project=$(WixTargetsPath) / Alternatively you can use Exec Command='signtool.exe sign ...' / for more control. There is also a SignContainers target but I don't know quite what it does. When buiding MSIs, to sign them you need to implement Target Name=SignMsi If you have external CABs then also implement Target Name=SignCabs The things you need to sign are in an itemgroup with the same name as the target (e.g. @(SignMsi)) Note that you can't use the SignFile task for this, as it will only sign exes and dlls. You have to use Exec Command=signtool sign ... / Hope that helps, Pete -- RSA(R) Conference 2012 Mar 27 - Feb 2 Save $400 by Jan. 27 Register now! http://p.sf.net/sfu/rsa-sfdev2dev2 ___ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users
Re: [WiX-users] Signing the burn bootstrapper
On 12-Jan-12 05:47, Nick Ball wrote: I haven't started using burn yet - but I'd like to - and signing will be an issue for us. At the moment, I hand an unsigned MSI over to the release manager for signing. He is the only person with access to the certificate. Can we still do this with burn? From what I've seen of this discussion so far, I must sign as part of the build process - something that will cause us a bit of an issue. Is that right? You can't just sign the final output; you have to sign the bits that make up the bundle. But you can make signing a separate project that uses WiX just to assemble the signed bits into a bundle. -- sig://boB http://joyofsetup.com/ -- RSA(R) Conference 2012 Mar 27 - Feb 2 Save $400 by Jan. 27 Register now! http://p.sf.net/sfu/rsa-sfdev2dev2 ___ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users
Re: [WiX-users] Signing the burn bootstrapper
Signing only the bundle would prove that it came from your organisation and hadn't been tampered with - would that be enough? When run it would unpack the unsigned burn engine and the unsigned MSIs. Does anyone know if that would show the user a warning (or multiple warnings?) Bob: would it be possible to have the burn engine signed (by Microsoft) in the released WiX 3.6 or have an option to specify the burn engine in the .wxs file - as I understand it you currently have to sign the burn engine every time the bundle is built, even though it's the same executable. Pete -- RSA(R) Conference 2012 Mar 27 - Feb 2 Save $400 by Jan. 27 Register now! http://p.sf.net/sfu/rsa-sfdev2dev2 ___ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users
Re: [WiX-users] Signing the burn bootstrapper
Thanks Rob, a blog post would be great! As I am not that familiar with modifying the MSBuild sequence, do I just specify something like Target Name=Signing SignTargetPath=PathToMyExe/ in my wixproj? I guess I should probably sign all my MSI's with a digital certificate using the signtool before calling that? Thanks, Sunny -- View this message in context: http://windows-installer-xml-wix-toolset.687559.n2.nabble.com/Signing-the-burn-bootstrapper-tp7174715p7178031.html Sent from the wix-users mailing list archive at Nabble.com. -- Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex infrastructure or vast IT resources to deliver seamless, secure access to virtual desktops. With this all-in-one solution, easily deploy virtual desktops for less than the cost of PCs and save 60% on VDI infrastructure costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox ___ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users
Re: [WiX-users] Signing the burn bootstrapper
There are like four Sign* targets in wix2010.targets. Create a target named the same for each and all of your things can be signed. It's actually really easy. On Wed, Jan 11, 2012 at 2:13 PM, sunniejai sunnie...@gmail.com wrote: Thanks Rob, a blog post would be great! As I am not that familiar with modifying the MSBuild sequence, do I just specify something like Target Name=Signing SignTargetPath=PathToMyExe/ in my wixproj? I guess I should probably sign all my MSI's with a digital certificate using the signtool before calling that? Thanks, Sunny -- View this message in context: http://windows-installer-xml-wix-toolset.687559.n2.nabble.com/Signing-the-burn-bootstrapper-tp7174715p7178031.html Sent from the wix-users mailing list archive at Nabble.com. -- Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex infrastructure or vast IT resources to deliver seamless, secure access to virtual desktops. With this all-in-one solution, easily deploy virtual desktops for less than the cost of PCs and save 60% on VDI infrastructure costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox ___ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users -- virtually, Rob Mensching - http://RobMensching.com LLC -- Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex infrastructure or vast IT resources to deliver seamless, secure access to virtual desktops. With this all-in-one solution, easily deploy virtual desktops for less than the cost of PCs and save 60% on VDI infrastructure costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox ___ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users
Re: [WiX-users] Signing the burn bootstrapper
Easiest way: override the MSBuild SignXxx targets defined in wix2010.targets with your own targets. I really need to get the blog post up about this. sigh/ On Tue, Jan 10, 2012 at 6:50 PM, Sunny Li sunnie...@gmail.com wrote: Hi there, How do you sign the burn bootstrapper? Do you simply sign it with signtool.exe after you build the executable? When I try it with the sign tool, the UAC prompt still shows up with an unknown publisher. Also, do you need to sign all of the MSI packages that will be downloaded with the chainer as well? Thanks, -- Sunny Li -- Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex infrastructure or vast IT resources to deliver seamless, secure access to virtual desktops. With this all-in-one solution, easily deploy virtual desktops for less than the cost of PCs and save 60% on VDI infrastructure costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox ___ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users -- virtually, Rob Mensching - http://RobMensching.com LLC -- Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex infrastructure or vast IT resources to deliver seamless, secure access to virtual desktops. With this all-in-one solution, easily deploy virtual desktops for less than the cost of PCs and save 60% on VDI infrastructure costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox ___ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users