[wix-devs] Signing build output

Heath Stewart heaths at outlook.com
Thu Dec 13 18:41:41 PST 2018


I had read that previously, but it really depends on how many other breaking changes there are / will be. The main thing holding us back from switching to WiX 4 has mainly been namespace changes (both XML and managed assemblies). Some packages outside the main repo have upgraded with little to no problem, and lack of need right now for traditional WiX to be upgraded.

So you’d also be fine with adding support for test-signing, perhaps as a default for devs (i.e. make sure everything works as expected even during a normal build)? If so, do you already have a self-signed cert (I can create one otherwise) and is LFS enabled for your repo?





________________________________
From: wix-devs <wix-devs-bounces at lists.wixtoolset.org> on behalf of Sean Hall via wix-devs <wix-devs at lists.wixtoolset.org>
Sent: Thursday, December 13, 2018 5:37:48 PM
To: WiX Toolset Developer Mailing List
Cc: Sean Hall
Subject: Re: [wix-devs] Signing build output

Since that's all on the build side of WiX itself, I'd be fine with that in
v3.14. However, v3.14 is not your typical backwards compatible v3.x release
- see Bob's recent blog post at
http://www.joyofsetup.com/2018/05/19/wix-v314-details-about-wix-pi/. I'm
pretty sure the only reason we would do another backwards compatible v3.x
release would be for fixing a critical security vulnerability.

On Thu, Dec 13, 2018 at 4:01 PM Heath Stewart <heaths at outlook.com> wrote:

> I’d prefer that WiX sign the DLLs it builds. Note that Device Guard
> typically only requires that a chain terminate in a trusted root (and
> nothing revoked, etc.). If you sign them during build for official
> releases, no one else needs to sign them.
>
> ------------------------------
> *From:* Sean Hall <r.sean.hall at gmail.com>
> *Sent:* Thursday, December 13, 2018 11:52:30 AM
> *To:* WiX Toolset Developer Mailing List
> *Cc:* Heath Stewart
> *Subject:* Re: [wix-devs] Signing build output
>
> It sounds like there are two separate solutions to this issue. One is get
> WiX to sign all of its DLLs with its certificate. The other is to add the
> ability for WiX users to sign all of the WiX DLLs that get injected with
> their own certificate. Which one are you implementing?
>
> On Thu, Dec 13, 2018 at 1:45 PM Heath Stewart via wix-devs <
> wix-devs at lists.wixtoolset.org> wrote:
>
>> Re: https://github.com/wixtoolset/issues/issues/5329
>>
>> Enterprise environments using Windows Device Guard now require that even
>> x86 and x64 binaries are signed. If no one has already started working on
>> the aforementioned issue, I will start but:
>>
>>
>>   1.  We’ll need this for 3.14, since moving to WiX 4 for legacy
>> authoring would be a huge undertaking. Is that possible?
>>   2.  How, if at all, is signing handled now during build? Looks like
>> everything is in
>> https://github.com/wixtoolset/wix3/blob/bda1c281cb0349007d767d5404d6da87076d7d94/tools/WixBuild.wixproj.targets,
>> but any particular reason some targets are commented out? Foresee any
>> problems with adding similar support for signing at least native DLLs (or
>> really any DLLs that would ship to end users)?
>>   3.  To test this, see any problems with adding test-signing
>> capabilities to this (and related) files?
>>
>> Any other thoughts or considerations regarding this matter?
>>
>> ____________________________________________________________________
>> WiX Toolset Developer Mailing List provided by FireGiant
>> http://www.firegiant.com/
>>
>