[wix-devs] Authenticode signature verification issue

Rob Mensching rob at firegiant.com
Thu Sep 24 00:15:51 PDT 2015

First of all the hash absolutely is for security. 

Second, we switched the default to always use hashes in WiX v3.9 because Authenticode failed incorrectly too often (usually because WU hadn't been run to update the machine's certificate store). It's called out in the SuppressSignatureValidation documentation: http://wixtoolset.org/documentation/manual/v3/xsd/wix/msipackage.html

In the end, I think the code already behaves the way you are suggesting below.

 FireGiant  |  Dedicated support for the WiX toolset  |  http://www.firegiant.com/

-----Original Message-----
From: wix-devs [mailto:wix-devs-bounces at lists.wixtoolset.org] On Behalf Of Heath Stewart
Sent: Wednesday, September 23, 2015 1:43 PM
To: WiX Toolset Developer Mailing List <wix-devs at lists.wixtoolset.org>
Subject: [wix-devs] Authenticode signature verification issue

Years back we made a change to always check the hash of payloads because verifying only the Authenticode signature just proves the payload is valid - not that it's the right payload. This would often lead to broken installs or eventual install failures that were more difficult to diagnose because people would directly or indirectly swap out some payloads without rebuilding the bundle. This change has worked well.

However, an internal team ran into a problem with how they deploy. They would benefit from SuppressSignatureValidation="no" for a single payload that would not, during development, be signed (due to signing hassles with this particular file) until they were ready to shipped a tested build.

I told them that the hash check was done for integrity - not security - and that Rob was even considering getting rid of the Authenticode check since it's now redundant. But I got to wondering, what about keeping it in but do the Authenticode signature check if some other attribute was specified? I don't think Burn authoring should open up the possibility of not verifying either, but perhaps if a file is Authenticode signable (which there is an API for, which I can some sample code) and is signed, a SuppressHashVerification="yes" could be added to only do an Authenticode signature check.


Heath Stewart
Visual Studio, Microsoft

WiX Toolset Developer Mailing List provided by FireGiant http://www.firegiant.com/

More information about the wix-devs mailing list