[wix-users] Streaming Bootstrapper - HTTPS Certificate Verification?

Rob Mensching rob at firegiant.com
Fri Feb 26 10:18:51 PST 2016


No need to send payloads over HTTPS (although you can if you wish). All the payloads (MSIs, cabs, etc) are verified against hashes embedded in bundle. Just make sure you sign your bundle to protect the hashes.

Oh, and use v3.10.2: https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/

_____________________________________________________________
 Short replies here. Complete answers over there: http://www.firegiant.com/



-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Raze, Leigh
Sent: Friday, February 26, 2016 9:54 AM
To: wix-users at lists.wixtoolset.org
Subject: [wix-users] Streaming Bootstrapper - HTTPS Certificate Verification?

Hello!

I am using the Standard Bootstrapper application to pull down, via HTTPS, a number of MSIs that we have built to install our product. This is working fine, but I have a security question related to the Standard Bootstrapper and giving DownloadUrl an HTTPS link:

Does anyone know if and how the Standard Bootstrapper does certificate validation on anything downloaded through HTTPS? I have looked through the source code for WiX and the Standard Bootstrapper and have not been able to find any leads. The only mention of certificates I have found is in the IIS Extension, which is not applicable to our product.

Thanks!



More information about the wix-users mailing list