The error is telling you. Perhaps we should return a better one, but we 
shouldn't get into the business of validating too many implementation-specific 
details. There are probably other things that affect certs, so where would it end?

Sent from my Windows Phone
________________________________
From: Wesley Manning<mailto:wmann...@dynagen.ca>
Sent: 7/4/2014 6:06 AM
To: 'WiX toolset developer mailing list'<mailto:wix-devs@lists.sourceforge.net>
Subject: Re: [WiX-devs] Group Policy not taken into account when installing 
certificate

I have a standalone MSI that installs the certificate and in burn I set 
vital=no so if it fails burn continues on.  Do you do the same thing?

-----Original Message-----
From: ACKH [mailto:forforumh...@hotmail.com]
Sent: July-04-14 7:30 AM
To: wix-devs@lists.sourceforge.net
Subject: [WiX-devs] Group Policy not taken into account when installing 
certificate

Hi all

Recently I needed to install a certificate into the machine wide Trusted 
Publisher store of Windows. Basically I was forced to do so because I need to 
install a driver signed with that certificate. If this certificate is not 
installed to the Trusted Publisher store prior to installing the driver itself, 
Windows will display a prompt dialog asking whether to install the driver or 
not. This prompt is not shown if the certificate is present in the Trusted 
Publisher store at the beginning of the driver installation.

Now of course one can argue that this is not the way it is supposed to be done 
and I would even partially agree. However, without doing this the installation 
experience is affected because I install multiple msi using a bootstrapper. In 
the middle of the installation that prompt dialog will appear. But let us leave 
aside if this should be done at all for a moment because the issue does not 
really have to do with this.

In order to install that certificate I use "iis:Certificate" with the attribute 
StoreName="trustedPublisher". This works well. However, as it turns out, there is a 
group policy called "Certificate Path Validation Settings" which can prevent 
users and administrators from installing certificates into the Trusted 
Publishers store. The group policy is available here:

gpedit.msc -> “Local Computer Policy” -> “Computer Configuration” -> “Windows 
Settings” -> “Security Settings” -> “Public Key Policies” -> “Certificate Path 
Validation Settings”

If the computer is part of a domain it is possible to activate the option 
"Allow only enterprise administrators to manage Trusted Publishers" in the 
"Trusted Publishers" tab of that policy. If the policy is active and the 
installer attempts to install the certificate the installation will fail since 
only enterprise administrators are allowed to install certificates.

The error that I'm getting in such a case is as follows:

The installer has encountered an unexpected error installing this package.
This may indicate a problem with this package. The error code is 26352. The 
arguments are: -2147024891, ,
AddMachineCertificate:  Error 0x80070005: Failed to install certificate.

Actually the error itself absolutely makes sense. However, it would be useful 
if iis:Certificate could handle such a case, i.e. it would be necessary to 
detect if the group policy is active.

What are your thoughts on this?

Regards

ACKH



--
View this message in context: 
http://windows-installer-xml-wix-toolset.687559.n2.nabble.com/Group-Policy-not-taken-into-account-when-installing-certificate-tp7595652.html
Sent from the wix-devs mailing list archive at Nabble.com.

------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse Turn 
processes into business applications with Bonita BPM Community Edition Quickly 
connect people, data, and systems into organized workflows Winner of BOSSIE, 
CODIE, OW2 and Gartner awards http://p.sf.net/sfu/Bonitasoft 
_______________________________________________
WiX-devs mailing list
WiX-devs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wix-devs
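
As an added example (not part of the thread and not WiX code): a PowerShell pre-check that decodes the logged error argument and reads the Trusted Publishers policy setting discussed above. It assumes the setting is stored as `AuthenticodeFlags` under the registry path that wincrypt.h names `CERT_TRUST_PUB_SAFER_GROUP_POLICY_REGPATH`; the function names are hypothetical.

```powershell
# Added example: function names are hypothetical; run on the target machine.
# Assumption: the policy value lives where wincrypt.h's
# CERT_TRUST_PUB_SAFER_GROUP_POLICY_REGPATH points.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer'

function ConvertFrom-HResult {
    # Split a signed 32-bit HRESULT into facility, code and message text.
    param([Parameter(Mandatory)][int]$Value)
    $facility = ($Value -shr 16) -band 0x1FFF
    $code     = $Value -band 0xFFFF
    $text     = $null
    if ($facility -eq 7) {   # FACILITY_WIN32: the low word is a Win32 error code
        $text = (New-Object System.ComponentModel.Win32Exception $code).Message
    }
    [pscustomobject]@{
        Hex      = '0x{0:X8}' -f $Value
        Failed   = ($Value -lt 0)
        Facility = $facility
        Code     = $code
        Message  = $text
    }
}

function Get-TrustedPublisherManager {
    # Who may manage Trusted Publishers, per the CERT_TRUST_PUB_* flags in wincrypt.h.
    $item = Get-ItemProperty -Path $PolicyPath -Name AuthenticodeFlags -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    switch ([int]$item.AuthenticodeFlags -band 0x3) {   # CERT_TRUST_PUB_ALLOW_TRUST_MASK
        0 { 'EndUsers' }
        1 { 'MachineAdministrators' }
        2 { 'EnterpriseAdministrators' }
        default { 'Unknown' }
    }
}

# -2147024891 is the first argument of error 26352 quoted in the thread.
$hr      = ConvertFrom-HResult -Value (-2147024891)
$manager = Get-TrustedPublisherManager

'{0} facility={1} code={2}: {3}' -f $hr.Hex, $hr.Facility, $hr.Code, $hr.Message
"Trusted Publishers may be managed by: $manager"
if ($hr.Code -eq 5 -and $manager -eq 'EnterpriseAdministrators') {
    'Access denied is consistent with the enterprise-administrators-only policy.'
}
```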


