[wix-devs] Signing build output

Heath Stewart heaths at outlook.com
Thu Dec 13 14:01:48 PST 2018


I’d prefer that WiX sign the DLLs it builds. Note that Device Guard typically only requires that a chain terminate in a trusted root (and nothing revoked, etc.). If you sign them during build for official releases, no one else needs to sign them.



________________________________
From: Sean Hall <r.sean.hall at gmail.com>
Sent: Thursday, December 13, 2018 11:52:30 AM
To: WiX Toolset Developer Mailing List
Cc: Heath Stewart
Subject: Re: [wix-devs] Signing build output

It sounds like there are two separate solutions to this issue. One is get WiX to sign all of its DLLs with its certificate. The other is to add the ability for WiX users to sign all of the WiX DLLs that get injected with their own certificate. Which one are you implementing?

On Thu, Dec 13, 2018 at 1:45 PM Heath Stewart via wix-devs <wix-devs at lists.wixtoolset.org> wrote:
Re: https://github.com/wixtoolset/issues/issues/5329

Enterprise environments using Windows Device Guard now require that even x86 and x64 binaries are signed. If no one has already started working on the aforementioned issue, I will start but:


  1.  We’ll need this for 3.14, since moving to WiX 4 for legacy authoring would be a huge undertaking. Is that possible?
  2.  How, if at all, is signing handled now during build? Looks like everything is in https://github.com/wixtoolset/wix3/blob/bda1c281cb0349007d767d5404d6da87076d7d94/tools/WixBuild.wixproj.targets, but any particular reason some targets are commented out? Foresee any problems with adding similar support for signing at least native DLLs (or really any DLLs that would ship to end users)?
  3.  To test this, see any problems with adding test-signing capabilities to this (and related) files?

Any other thoughts or considerations regarding this matter?

____________________________________________________________________
WiX Toolset Developer Mailing List provided by FireGiant http://www.firegiant.com/
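As an added example (not code from this thread or from the WiX project), a PowerShell check that a build or test machine could run over a build output directory to confirm the property Heath describes: every shipped DLL is signed and its chain terminates in a root the machine trusts. The output directory path is an assumption, and a test-signed build will only pass it on a machine where the test root has been installed as trusted.

```powershell
# Added example, not part of the wix-devs thread or the WiX build.
# Verifies that every DLL/EXE under $OutputDir carries an Authenticode
# signature whose chain terminates in a trusted root (what Device Guard
# effectively checks). Status values to expect:
#   Valid        signed, chain trusted, nothing revoked
#   NotSigned    no signature at all
#   UnknownError typically "chain terminated in a root which is not trusted",
#                which is what a test-signed binary reports on a machine
#                that does not trust the test root
param(
    # Assumed location; substitute the real build output directory.
    [string]$OutputDir = "build\ship\x86"
)

$results = Get-ChildItem -Path $OutputDir -Recurse -Include *.dll, *.exe |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File      = $_.FullName
            Status    = $sig.Status
            Detail    = $sig.StatusMessage
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Timestamp = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { $null }
        }
    }

$results | Format-Table -AutoSize

# Fail the build for anything a policy trusting only the production root would
# reject: unsigned files and files whose chain does not end in a trusted root.
$bad = @($results | Where-Object { $_.Status -ne 'Valid' })
if ($bad.Count -gt 0) {
    Write-Error ("{0} file(s) are not validly signed:`n{1}" -f $bad.Count, ($bad.File -join "`n"))
    exit 1
}
```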
