[wix-devs] Signing build output

Rob Mensching rob at firegiant.com
Thu Dec 20 09:31:38 PST 2018

1. Note: This will be an ongoing problem. Our focus has moved to WiX v4. We will not be doing ongoing releases of WiX v3 (v3.14 is a special case to aid migration to v4.0).

2. That is the code. We only sign the bundles today, so the MSI/CAB signing targets are commented out. 

3. I do see value in being able to test the signing process on a dev machine. I don't think we should do any work to test-sign dev builds.

Other thoughts:

a. Any work done in WiX v3.14 must first be implemented in WiX v4.0.

b. Signing with .NET Foundation is now more complicated than the code in WixBuild.wixproj.targets would suggest. The certificate they provided me to directly sign builds expired this year. Now the .NET Foundation has a signing service where binaries are sent for signing. I have not done any more research into the process yet.

c. I'm torn about taking this change into v3.14 because it does not help migration to v4.0. However, there is (potentially) a good chunk of work needed to integrate with the new .NET Foundation signing service. So, if you're willing to do the work to set up v4.0 with the new signing process I could horse trade that for the signing changes also to v3.14.

-----Original Message-----
From: wix-devs <wix-devs-bounces at lists.wixtoolset.org> On Behalf Of Heath Stewart via wix-devs
Sent: Thursday, December 13, 2018 11:46 AM
To: wix-devs at lists.wixtoolset.org
Cc: Heath Stewart <heaths at outlook.com>
Subject: [wix-devs] Signing build output

Re: https://github.com/wixtoolset/issues/issues/5329

Enterprise environments using Windows Device Guard now require that even x86 and x64 binaries are signed. If no one has already started working on the aforementioned issue, I will start but:

  1.  We'll need this for 3.14, since moving to WiX 4 for legacy authoring would be a huge undertaking. Is that possible?
  2.  How, if at all, is signing handled now during build? Looks like everything is in https://github.com/wixtoolset/wix3/blob/bda1c281cb0349007d767d5404d6da87076d7d94/tools/WixBuild.wixproj.targets, but any particular reason some targets are commented out? Foresee any problems with adding similar support for signing at least native DLLs (or really any DLLs that would ship to end users)?
  3.  To test this, see any problems with adding test-signing capabilities to this (and related) files?

Any other thoughts or considerations regarding this matter?

WiX Toolset Developer Mailing List provided by FireGiant http://www.firegiant.com/
