[wix-devs] Authenticode signature verification issue

Rob Mensching rob at firegiant.com
Fri Oct 2 12:27:51 PDT 2015


Phil, 

You are correct a BA can already retry on verify failures. The root issue of WIXBUG:3640 (IIRC) is that if there is a local file, a BA will not be prompted for source. So if the local file is the wrong file, you're stuck with it.

_______________________________________________________________
 FireGiant  |  Dedicated support for the WiX toolset  |  http://www.firegiant.com/

-----Original Message-----
From: wix-devs [mailto:wix-devs-bounces at lists.wixtoolset.org] On Behalf Of Phill Hogland
Sent: Friday, October 2, 2015 12:23 PM
To: WiX Toolset Developer Mailing List <wix-devs at lists.wixtoolset.org>
Subject: Re: [wix-devs] Authenticode signature verification issue

I have been following this discussion with interest, but as you folks have a lot more experience than I, I hesitate to add a possibly confusing comment.

In my mba (which I originally implemented after studying WixBA) I moved the 'retries' (in ResolveSource) to an InstallationViewModel property, and added the CacheAcquireComplete and CacheVerifyComplete handlers so that when there is a verification failure, I check or increment the 'retries' and then return Result.Retry in CacheAcquireComplete or Result.TryAgain in CacheVerifyComplete (if I want to return to ResolveSource and retry rather than fail and exit). In ResolveSource I can call Engine.SetDownloadSource. (In my case the packages are staged to a web server and I alter the URL, based on internal criteria, to effect a change from internal test servers versus external facing servers for Release Management.) But regardless of the reason that I am doing this, is this the idea meant by "Give the BA a chance to resolve source after verification failures (i.e. wrong payload),"?

-----Original Message-----
From: wix-devs [mailto:wix-devs-bounces at lists.wixtoolset.org] On Behalf Of Rob Mensching
Sent: Friday, October 02, 2015 1:17 PM
To: WiX Toolset Developer Mailing List <wix-devs at lists.wixtoolset.org>
Subject: Re: [wix-devs] Authenticode signature verification issue

Yes, WIXBUG:3640 still needs resolution.

1. Definitely. It's very unfortunate that a local file trumps a BA's ability to be prompted for source. Honestly, this is the root of the bug.

2. Again, I think this would invalidate the whole purpose of using Authenticode signatures. Also, I still think it'd be reasonable to remove the support for updating Authenticode payloads (i.e. just use hashes) in WiX v4.0.

_______________________________________________________________
 FireGiant  |  Dedicated support for the WiX toolset  |  http://www.firegiant.com/

-----Original Message-----
From: wix-devs [mailto:wix-devs-bounces at lists.wixtoolset.org] On Behalf Of Heath Stewart
Sent: Monday, September 28, 2015 10:11 AM
To: WiX Toolset Developer Mailing List <wix-devs at lists.wixtoolset.org>
Subject: Re: [wix-devs] Authenticode signature verification issue

Seems the change never made it out then, which for this particular team is probably good. However, this still raises a concern with regard to WIXBUG:3640 (http://wixtoolset.org/issues/3640/). Just because the Authenticode certificate is valid doesn't mean it's the right payload. This caused a lot of problems for us until we started checking the hash always, such as packages being rebuilt with Product/@Id="*" so it was different than what the bundle had, and similar issues. So how can we have integrity as well?

I'll pass on the information to the team, but would like to explore how to fix the original bug. The one referenced above has two separate issues to solve:

1. Give the BA a chance to resolve source after verification failures (i.e. wrong payload), and
2. Verify that the payload is the correct payload and not merely signed by the same publisher.

Heath Stewart
Visual Studio, Microsoft
http://blogs.msdn.com/heaths
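
The two issues discussed in this thread, modelled as an added example that is not part of any message above and is not Burn's code: a publisher-only check accepts a rebuilt payload from the same signer, while a pinned hash rejects it, and the right payload is only reached if another source is tried after the local file fails. The `Payload` type, the signer string and the source names are assumptions; the signer field stands in for an already-validated Authenticode identity.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Payload:
    data: bytes
    signer: str  # assumption: an already-validated Authenticode signer identity


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def publisher_only(expected_signer):
    """Accept any payload signed by the expected publisher."""
    return lambda p: p.signer == expected_signer


def publisher_and_hash(expected_signer, expected_sha256):
    """Also require the exact bytes the bundle was built against."""
    def check(p):
        return (p.signer == expected_signer and
                hmac.compare_digest(sha256_hex(p.data), expected_sha256))
    return check


def acquire(sources, verify, resolve_after_failure=True):
    """Return the name of the first source whose payload verifies, else None.

    sources is ordered the way the thread describes: the local file first.
    resolve_after_failure=False models being stuck with a bad local file.
    """
    for name, payload in sources:
        if verify(payload):
            return name
        if not resolve_after_failure:
            return None
    return None


# Constructed sample data: same publisher, but the local copy was rebuilt.
ORIGINAL = Payload(b"package build A (constructed)", "CN=Example Publisher")
REBUILT = Payload(b"package build B (constructed)", "CN=Example Publisher")
SOURCES = [("local", REBUILT), ("download", ORIGINAL)]
PINNED = sha256_hex(ORIGINAL.data)
```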


