[wix-devs] Authenticode signature verification issue

Heath Stewart Heath.Stewart at microsoft.com
Thu Sep 24 15:53:52 PDT 2015


For security, yes, but also integrity. I remember well the conversation we had about this when we still met Thursday nights on campus. When builds were restarted, some packages got rebuilt but not all bundles, and caused burn to fail during install or, worse, succeed but with the wrong payload. So while hashes do cover security (like Authenticode, sans its apparent problems), they also cover integrity (unlike Authenticode).

The behavior is actually opposite of what is desired. They have an Authenticode-signable file that may not be signed initially, but once it is signed (specifically, if they decide to release that build) they want it Authenticode checked and NOT hash-checked, which right now it always is. To be more concise, they want ONLY Authenticode verification.

Heath Stewart
Visual Studio, Microsoft
http://blogs.msdn.com/heaths

-----Original Message-----
From: wix-devs [mailto:wix-devs-bounces at lists.wixtoolset.org] On Behalf Of Rob Mensching
Sent: Thursday, September 24, 2015 12:16 AM
To: WiX Toolset Developer Mailing List <wix-devs at lists.wixtoolset.org>
Subject: Re: [wix-devs] Authenticode signature verification issue

First of all the hash absolutely is for security. 

Second, we switched the default to always use hashes in WiX v3.9 because Authenticode failed incorrectly too often (usually because WU hadn't been run to update the machine's certificate store). It's called out in the SuppressSignatureValidation documentation: http://wixtoolset.org/documentation/manual/v3/xsd/wix/msipackage.html

In the end, I think the code already behaves the way you are suggesting below.

_______________________________________________________________
 FireGiant  |  Dedicated support for the WiX toolset  |  http://www.firegiant.com/

-----Original Message-----
From: wix-devs [mailto:wix-devs-bounces at lists.wixtoolset.org] On Behalf Of Heath Stewart
Sent: Wednesday, September 23, 2015 1:43 PM
To: WiX Toolset Developer Mailing List <wix-devs at lists.wixtoolset.org>
Subject: [wix-devs] Authenticode signature verification issue

Years back we made a change to always check the hash of payloads because verifying only the Authenticode signature just proves the payload is valid - not that it's the right payload. This would often lead to broken installs or eventual install failures that were more difficult to diagnose because people would directly or indirectly swap out some payloads without rebuilding the bundle. This change has worked well.

However, an internal team ran into a problem with how they deploy. They would benefit from SuppressSignatureValidation="no" for a single payload that would not, during development, be signed (due to signing hassles with this particular file) until they were ready to ship a tested build.

I told them that the hash check was done for integrity - not security - and that Rob was even considering getting rid of the Authenticode check since it's now redundant. But I got to wondering, what about keeping it in but do the Authenticode signature check if some other attribute was specified? I don't think Burn authoring should open up the possibility of not verifying either, but perhaps if a file is Authenticode signable (which there is an API for, and I can share some sample code) and is signed, a SuppressHashVerification="yes" could be added to only do an Authenticode signature check.

Thoughts?

Heath Stewart
Visual Studio, Microsoft
http://blogs.msdn.com/heaths
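As an added illustration of the distinction the thread turns on (this is example code, not WiX/Burn source and not from either author), the PowerShell below applies the two checks Burn can make on a payload under the three policies discussed: hash-only, Authenticode-only, and both. The file paths are placeholders, and the "recorded" hash is computed in the demo rather than read from a real bundle manifest; which hash algorithm a given Burn version records is not assumed, so it is a parameter.

```powershell
# Added example, not WiX/Burn source: apply Burn's two payload checks under the
# three policies discussed in the thread. Paths and the recorded hash are placeholders.

function Test-PayloadIdentity {
    # Hash check: does the file on disk match the hash recorded when the bundle was built?
    # This is the check that catches a payload that was rebuilt without rebuilding the bundle.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedHash,
        [ValidateSet('SHA1','SHA256')][string]$Algorithm = 'SHA256'
    )
    $actual = (Get-FileHash -Path $Path -Algorithm $Algorithm).Hash
    [pscustomobject]@{
        Check  = 'Hash'
        Passed = ($actual -ieq $ExpectedHash)
        Detail = "expected $ExpectedHash, got $actual"
    }
}

function Test-PayloadAuthenticity {
    # Authenticode check: is the file signed, and does the signature chain to a trusted root?
    # Any status other than 'Valid' fails: NotSigned (unsigned dev build), HashMismatch
    # (file modified after signing), NotTrusted / UnknownError (chain could not be built,
    # the stale-certificate-store failure Rob describes).
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    [pscustomobject]@{
        Check  = 'Authenticode'
        Passed = ($sig.Status -eq 'Valid')
        Detail = "status=$($sig.Status); signer=$signer"
    }
}

function Test-Payload {
    # Combine the checks according to a policy; the payload is accepted only if every
    # selected check passed. Neither check is ever skipped entirely.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedHash,
        [ValidateSet('HashOnly','SignatureOnly','Both')][string]$Policy = 'HashOnly'
    )
    $results = @()
    if ($Policy -in 'HashOnly','Both')      { $results += Test-PayloadIdentity -Path $Path -ExpectedHash $ExpectedHash }
    if ($Policy -in 'SignatureOnly','Both') { $results += Test-PayloadAuthenticity -Path $Path }
    [pscustomobject]@{
        Path     = $Path
        Policy   = $Policy
        Accepted = (@($results | Where-Object { -not $_.Passed }).Count -eq 0)
        Checks   = $results
    }
}

# --- Usage (placeholder paths; substitute two signed builds of the same payload) ---
$builtPayload   = 'C:\drops\build-1234\payload.exe'   # the file the bundle was built against
$swappedPayload = 'C:\drops\build-1235\payload.exe'   # a later, validly signed rebuild

# Stand-in for the hash recorded in the bundle manifest at build time.
$recorded = (Get-FileHash -Path $builtPayload -Algorithm SHA256).Hash

# The swapped payload is signed, so an Authenticode-only policy accepts it; the hash
# policy rejects it because it is not the payload the bundle was built with.
Test-Payload -Path $swappedPayload -ExpectedHash $recorded -Policy SignatureOnly | Format-List
Test-Payload -Path $swappedPayload -ExpectedHash $recorded -Policy HashOnly      | Format-List
```

Running this against two signed builds shows the two checks answer different questions: Authenticode answers "was this file signed by a trusted publisher" (authenticity), the hash answers "is this the exact file the bundle was built against" (identity). An unsigned development build fails the second policy with status NotSigned, which is the case the internal team is trying to accommodate without giving up verification altogether.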

____________________________________________________________________
WiX Toolset Developer Mailing List provided by FireGiant http://www.firegiant.com/

