[wix-devs] Signing build output

Thu Dec 13 17:37:48 PST 2018

Since that's all on the build side of WiX itself, I'd be fine with that in
v3.14. However, v3.14 is not your typical backwards compatible v3.x release
- see Bob's recent blog post at
http://www.joyofsetup.com/2018/05/19/wix-v314-details-about-wix-pi/. I'm
pretty sure the only reason we would do another backwards compatible v3.x
release would be for fixing a critical security vulnerability.

On Thu, Dec 13, 2018 at 4:01 PM Heath Stewart <heaths at outlook.com> wrote:

> I’d prefer that WiX sign the DLLs it builds. Note that Device Guard
> typically only requires that a chain terminate in a trusted root (and
> nothing revoked, etc.). If you sign them during build for official
> releases, no one else needs to sign them.
>
>
>
>
>
>
> ------------------------------
> *From:* Sean Hall <r.sean.hall at gmail.com>
> *Sent:* Thursday, December 13, 2018 11:52:30 AM
> *To:* WiX Toolset Developer Mailing List
> *Cc:* Heath Stewart
> *Subject:* Re: [wix-devs] Signing build output
>
> It sounds like there are two separate solutions to this issue. One is get
> WiX to sign all of its DLLs with its certificate. The other is to add the
> ability for WiX users to sign all of the WiX DLLs that get injected with
> their own certificate. Which one are you implementing?
>
> On Thu, Dec 13, 2018 at 1:45 PM Heath Stewart via wix-devs <
> wix-devs at lists.wixtoolset.org> wrote:
>
>> Re: https://github.com/wixtoolset/issues/issues/5329
>> <https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fwixtoolset%2Fissues%2Fissues%2F5329&data=02%7C01%7C%7C69e30db743864c2af5bd08d661348b4d%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636803275629233782&sdata=vX1Lpi1BbkEzoQdy8sLB2F4P8R3tZbSzGT1NnvIIeAY%3D&reserved=0>
>>
>> Enterprise environments using Windows Device Guard now require that even
>> x86 and x64 binaries are signed. IF no one has already started working on
>> the aforementioned issue, I will start but:
>>
>>
>>   1.  We’ll need this for 3.14, since moving to WiX 4 for legacy
>> authoring would be a huge undertaking. Is that possible?
>>   2.  How, if at all, is signing handled now during build? Looks like
>> everything is in
>> https://github.com/wixtoolset/wix3/blob/bda1c281cb0349007d767d5404d6da87076d7d94/tools/WixBuild.wixproj.targets
>> <https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fwixtoolset%2Fwix3%2Fblob%2Fbda1c281cb0349007d767d5404d6da87076d7d94%2Ftools%2FWixBuild.wixproj.targets&data=02%7C01%7C%7C69e30db743864c2af5bd08d661348b4d%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636803275629233782&sdata=6ga2duQSgx62jr%2F3MIIhpkXcbhAZeIlcbLccD1KU0q0%3D&reserved=0>,
>> but any particular reason some targets are commented out? Foresee any
>> problems with adding similar support for signing at least native DLLs (or
>> really any DLLs that would ship to end users)?
>>   3.  To test this, see any problems with adding test-signing
>> capabilities to this (and related) files?
>>
>> Any other thoughts or considerations regarding this matter?
>>
>> ____________________________________________________________________
>> WiX Toolset Developer Mailing List provided by FireGiant
>> http://www.firegiant.com/
>> <https://eur04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.firegiant.com%2F&data=02%7C01%7C%7C69e30db743864c2af5bd08d661348b4d%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636803275629233782&sdata=ptDvARNbyA9ME4rnlSj7ATS1SzTCnKKFPuIi9M2MKM4%3D&reserved=0>
>>
>