[wix-devs] Authenticode signature verification issue

Rob Mensching rob at firegiant.com
Fri Oct 2 11:16:47 PDT 2015

Yes, WIXBUG:3640 still needs resolution.

1. Definitely. It's very unfortunate that a local file trumps a BA's ability to be prompted for source. Honestly, this is the root of the bug.

2. Again, I think this would invalidate the whole purpose of using Authenticode signatures. Also, I still think it'd be reasonable to remove the support for updating Authenticode payloads (i.e. just use hashes) in WiX v4.0.

 FireGiant  |  Dedicated support for the WiX toolset  |  http://www.firegiant.com/

-----Original Message-----
From: wix-devs [mailto:wix-devs-bounces at lists.wixtoolset.org] On Behalf Of Heath Stewart
Sent: Monday, September 28, 2015 10:11 AM
To: WiX Toolset Developer Mailing List <wix-devs at lists.wixtoolset.org>
Subject: Re: [wix-devs] Authenticode signature verification issue

Seems the change never made it out then, which for this particular team is probably good. However, this still raises a concern with regard to WIXBUG:3640 (http://wixtoolset.org/issues/3640/). Just because the Authenticode certificate is valid doesn't mean it's the right payload. This caused a lot of problems for us until we started checking the hash always, such as packages being rebuilt with Product/@Id="*" so it was different than what the bundle had, and similar issues. So how can we have integrity as well?

I'll pass on the information to the team, but would like to explore how to fix the original bug. The one referenced above has two separate issues to solve:

1. Give the BA a chance to resolve source after verification failures (i.e. wrong payload), and
2. Verify that the payload is the correct payload and not merely signed by the same publisher.

Heath Stewart
Visual Studio, Microsoft
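
The distinction raised in this thread, between a payload that carries a valid signature from the expected publisher and a payload that is the exact file the bundle was built against, can be checked side by side. The following is an added example, not part of the original messages and not WiX or Burn code; the function name, its parameters, and the use of SHA-256 are assumptions made for illustration.

```powershell
# Added example: hypothetical helper, not taken from the WiX toolset.
function Test-PayloadIntegrity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Thumbprint of the publisher certificate the caller expects.
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,
        # SHA-256 of the exact payload, recorded when the bundle was built (assumed available).
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )

    # Check 1: is the file signed, is the signature intact, and by whom?
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $signatureValid = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid
    $publisherMatch = $signatureValid -and
        ($sig.SignerCertificate.Thumbprint -eq ($ExpectedThumbprint -replace '\s', ''))

    # Check 2: is this the specific file that was expected?
    $actualSha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashMatch = $actualSha256 -eq $ExpectedSha256   # string -eq is case-insensitive

    [pscustomobject]@{
        Path           = $Path
        SignatureValid = $signatureValid
        PublisherMatch = $publisherMatch
        HashMatch      = $hashMatch
        ActualSha256   = $actualSha256
        # A package rebuilt and re-signed by the same publisher passes the first
        # two checks and fails HashMatch, which is the case described in the thread.
        Accept         = $publisherMatch -and $hashMatch
    }
}

# Constructed usage; the path and both expected values are placeholders.
# Test-PayloadIntegrity -Path '.\payload.msi' `
#     -ExpectedThumbprint '<PUBLISHER-CERT-THUMBPRINT>' `
#     -ExpectedSha256 '<SHA256-RECORDED-AT-BUILD>'
```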
