[wix-devs] Authenticode signature verification issue

Heath Stewart Heath.Stewart at microsoft.com
Wed Sep 23 13:42:59 PDT 2015


Years back we made a change to always check the hash of payloads because verifying only the Authenticode signature just proves the payload is valid - not that it's the right payload. This would often lead to broken installs or eventual install failures that were more difficult to diagnose because people would directly or indirectly swap out some payloads without rebuilding the bundle. This change has worked well.

However, an internal team ran into a problem with how they deploy. They would benefit from SuppressSignatureValidation="no" for a single payload that would not, during development, be signed (due to signing hassles with this particular file) until they were ready to ship a tested build.

I told them that the hash check was done for integrity - not security - and that Rob was even considering getting rid of the Authenticode check since it's now redundant. But I got to wondering, what about keeping it in but doing the Authenticode signature check if some other attribute was specified? I don't think Burn authoring should open up the possibility of not verifying either, but perhaps if a file is Authenticode signable (for which there is an API, and I can provide some sample code) and is signed, a SuppressHashVerification="yes" could be added to only do an Authenticode signature check.

Thoughts?

Heath Stewart
Visual Studio, Microsoft
http://blogs.msdn.com/heaths
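The verification policy sketched in the message above, as an added example that is not Burn's engine code or anything from the WiX project. Two assumptions are made so that it runs offline: Ed25519 detached signatures stand in for Authenticode, and the SuppressHashVerification attribute is the hypothetical one proposed in the post, not a WiX attribute. The Demo function builds two different payloads legitimately signed by the same trusted key and shows that signature-only mode accepts the swapped payload while the default hash check rejects it, which is the point the first paragraph makes about "valid" versus "the right payload".

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Payload models the Burn authoring attributes discussed in the post.
// SuppressHashVerification is the hypothetical attribute proposed there;
// it does not exist in WiX. ExpectedHash is what the bundle build recorded.
type Payload struct {
	Name                        string
	ExpectedHash                string // hex SHA-256 recorded at bundle build time
	SuppressSignatureValidation bool
	SuppressHashVerification    bool // hypothetical attribute from the post
}

// SignedFile is a file plus a detached Ed25519 signature standing in for
// Authenticode (assumption: Authenticode embeds its signature in the PE).
type SignedFile struct {
	Data []byte
	Sig  []byte // nil or wrong length means "not signed"
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// isSigned plays the role of the "is this file signed" API check the post
// mentions; here it only looks for a well-formed detached signature.
func isSigned(f SignedFile) bool { return len(f.Sig) == ed25519.SignatureSize }

var (
	ErrBadSignature = errors.New("signature does not verify against the trusted key")
	ErrHashMismatch = errors.New("payload hash does not match the bundle manifest")
	ErrNoCheck      = errors.New("authoring would skip both the hash and the signature check")
	ErrUnsigned     = errors.New("SuppressHashVerification requires a signed payload")
)

// VerifyPayload implements the policy from the post:
//   - authoring that suppresses both checks is rejected outright;
//   - SuppressHashVerification is honoured only for a signed file, and then
//     the signature check is mandatory;
//   - otherwise the hash is always checked, and the signature as well unless
//     SuppressSignatureValidation is set.
func VerifyPayload(p Payload, f SignedFile, trusted ed25519.PublicKey) error {
	if p.SuppressHashVerification && p.SuppressSignatureValidation {
		return ErrNoCheck
	}
	if p.SuppressHashVerification {
		if !isSigned(f) {
			return ErrUnsigned
		}
		// Signature-only mode proves the file came from the trusted signer,
		// not that it is the exact payload the bundle was built with.
		if !ed25519.Verify(trusted, f.Data, f.Sig) {
			return ErrBadSignature
		}
		return nil
	}
	// Default mode pins the exact bytes the bundle was built against.
	if sha256Hex(f.Data) != p.ExpectedHash {
		return ErrHashMismatch
	}
	if !p.SuppressSignatureValidation {
		if !isSigned(f) || !ed25519.Verify(trusted, f.Data, f.Sig) {
			return ErrBadSignature
		}
	}
	return nil
}

// Demo signs two different (constructed) payloads with the same trusted key:
// the signature alone cannot tell them apart, the hash check can.
func Demo() (sigOnlyAcceptsWrong bool, hashRejectsWrong bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	right := []byte("payload v1.2.3 (constructed sample)")
	wrong := []byte("payload v1.2.4 (constructed sample, also signed by the same key)")
	rightFile := SignedFile{Data: right, Sig: ed25519.Sign(priv, right)}
	wrongFile := SignedFile{Data: wrong, Sig: ed25519.Sign(priv, wrong)}
	_ = rightFile // the bundle manifest below was built from the "right" bytes

	manifest := Payload{Name: "setup.exe", ExpectedHash: sha256Hex(right)}
	sigOnly := manifest
	sigOnly.SuppressHashVerification = true

	sigOnlyAcceptsWrong = VerifyPayload(sigOnly, wrongFile, pub) == nil
	hashRejectsWrong = errors.Is(VerifyPayload(manifest, wrongFile, pub), ErrHashMismatch)
	return sigOnlyAcceptsWrong, hashRejectsWrong, nil
}

func main() {
	a, b, err := Demo()
	fmt.Println("signature-only accepts swapped payload:", a, "| hash check rejects it:", b, "| err:", err)
}
```

The ErrNoCheck branch is what keeps the attribute from "opening up the possibility of not verifying either"; it refuses the authoring rather than silently installing an unverified payload.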
