[wix-users] Code Signing SHA-1/2

Phill Hogland phill.hogland at rimage.com
Mon Feb 15 09:55:09 PST 2016


We have been using SHA2 for about a year, and target Win7 or later. We do not dual sign. We recently came across problems with Win7 on isolated networks (so far generally in Europe). Some customers are confused over which MS patch to apply (KB2949927, KB3004394, KB3024777, KB3123479) and there have been situations where the user claims that the above patches have been applied but a Burn-driven MSI reports the cab signing error (the same error which we observe on a Win 7 system without SHA2 support). In some of these scenarios it seems that the isolated system has not had the root certificates updated. If one can convince the customer to connect the system to the Internet then the problem gets resolved by Windows Update.

As a solution to this last issue, a customer wants us to redistribute the file that he found at the following link:
http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe

I did not find information on that file to imply that there is a license for redistribution, and I am not inclined to take that approach when the customer could configure their network to get root certificate updates, per this Microsoft documentation.
https://technet.microsoft.com/en-us/library/dn265983.aspx

I don't know if dual-signing would avoid this situation, particularly at this point when the timestamp would be after Jan 1, 2016 (and we would need to get a SHA1 cert as we do not have one anymore).

When these issues are observed the MSI log shows:
MSI (s) (50:B8) [16:39:20:308]: Product: Product Name -- Error 1330. A file that is required cannot be installed because the cabinet file C:\ProgramData\Package Cache\{someGUID61501}v1.0.1.0\packagename\prxx1.cab has an invalid digital signature.  This may indicate that the cabinet file is corrupt.  Error 24581 was returned by WinVerifyTrust.

Just sharing these general observations with using a SHA2 cert, and appreciate any feedback or suggestions.
Phill

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Christopher Painter
Sent: Monday, February 15, 2016 8:44 AM
To: wix-users at lists.wixtoolset.org
Subject: [wix-users] Code Signing SHA-1/2

I recently came across this article and I was wondering if anyone has parsed it for current best practices?


http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx


I noticed that the latest 3.11 weekly builds are still signed with SHA-1 certs and I'm wondering if that's good or not.

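A triage sketch for the situation described in the message above, added here as an example and not part of the original post or of the WiX project: it reports which of the four KBs named in the post the machine lists as installed, then checks the cabinet's Authenticode status and builds its certificate chain with revocation lookups disabled, so that a missing root certificate on an isolated machine shows up on its own. The cabinet path is a placeholder, and the script makes no claim about which of the KBs is actually required.

```powershell
param(
    [string]$CabPath = 'C:\path\to\package.cab'   # placeholder path (assumption)
)

# 1. Which of the KBs named in the post does this machine report as installed?
$kbs = 'KB2949927', 'KB3004394', 'KB3024777', 'KB3123479'
$present = @{}
Get-HotFix | ForEach-Object { $present[$_.HotFixID] = $true }
foreach ($kb in $kbs) {
    $state = if ($present.ContainsKey($kb)) { 'installed' } else { 'not reported' }
    Write-Output ("{0}: {1}" -f $kb, $state)
}

# 2. What does Authenticode verification say about the cabinet itself?
if (-not (Test-Path -LiteralPath $CabPath)) {
    Write-Output "Cabinet not found: $CabPath"
    return
}
$sig = Get-AuthenticodeSignature -FilePath $CabPath
Write-Output ("Signature status: {0} ({1})" -f $sig.Status, $sig.StatusMessage)

# 3. Build the signer's chain without revocation lookups (the machine is
#    assumed to be offline) to see whether it ends in a locally trusted root.
$cert = $sig.SignerCertificate
if ($cert) {
    Write-Output ("Signer: {0}" -f $cert.Subject)
    Write-Output ("Certificate signature algorithm: {0}" -f $cert.SignatureAlgorithm.FriendlyName)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    Write-Output ("Chain builds to a trusted root: {0}" -f $trusted)

    foreach ($element in $chain.ChainElements) {
        Write-Output ("  {0} [{1}]" -f $element.Certificate.Subject, $element.Certificate.Thumbprint)
    }
    # UntrustedRoot or PartialChain here points at the root store, not the patches.
    foreach ($status in $chain.ChainStatus) {
        Write-Output ("  chain status: {0}" -f $status.Status)
    }
} else {
    Write-Output 'No signer certificate could be read from the cabinet.'
}
```

Get-HotFix only lists updates recorded as hotfixes, so root certificate store contents are judged from the chain result in step 3 rather than from the KB list.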