[wix-users] question about suppresssignatureverification and verifyhash

Phill Hogland phill.hogland at rimage.com
Tue Sep 22 05:56:18 PDT 2015

IIRC there were problems with the behavior in 3.7 or 3.8 and in 3.9 there was a change to make SuppressSignatureVerification default to 'Yes'.  So the current (3.10) chm says:
By default, a Bundle will use the hash of a package to verify its contents. If this attribute is explicitly set to "no" and the package is signed with an Authenticode signature the Bundle will verify the contents of the package using the signature instead. Therefore, the default for this attribute could be considered to be "yes". It is unusual for "yes" to be the default of an attribute. In this case, the default was changed in WiX v3.9 after experiencing real world issues with Windows verifying Authenticode signatures. Since the Authenticode signatures are no more secure than hashing the packages directly, the default was changed.

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of MinJie Tong
Sent: Monday, September 21, 2015 7:11 PM
To: wix-users at lists.wixtoolset.org
Subject: [wix-users] question about suppresssignatureverification and verifyhash


I have this complicated issue. We are shipping a couple of files in a wix bundle that are modified after the bundle is built. I can't change this order as the modification sometimes takes days. In the early days of wix 3.7, we've been getting around this issue by building a custom MSI and setting the suppresssignatureverification = no for that payload in the bundle. This allows the bundle to only check the signature for verification and ignore wrong hashes. So we copy the custom MSI back into the bundle. This worked great.

We are now on wix3.7 RTM, and it seems like this behavior was changed so that hash verification must happen regardless. This makes our scenario impossible. It seems like after this change, any sort of postbuild modification is impossible now. Even if I wanted to build a black box EXE with the modified files, hashes will still be checked. Do you have any suggestions on what we can do?

