[wix-users] Streaming Bootstrapper - HTTPS Certificate Verification?

Raze, Leigh razel at amazon.com
Fri Mar 4 10:09:02 PST 2016

Our security team is requiring us to use HTTPS to download our MSIs and cabs. They brought up the question of Certificate Verification after we noticed that the embedded hashes are SHA-1, and not SHA-256 (which our security team was hoping for). Is there any way for us to have the Standard Bootstrapper use SHA-256 or perform Certificate Verification without modifying the source or build a custom bootstrapper.

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Raze, Leigh
Sent: Friday, February 26, 2016 9:54 AM
To: wix-users at lists.wixtoolset.org
Subject: [wix-users] Streaming Bootstrapper - HTTPS Certificate Verification?


I am using the Standard Bootstrapper application to pull down, via HTTPS, a number of MSIs that we have built to install our product. This is working fine, but I have a security question related to the Standard Bootstrapper and giving DownloadUrl an HTTPS link:

Does anyone know if and how the Standard Bootstrapper does certificate validation on anything downloaded through HTTPS? I have looked through the source code for WiX and the Standard Bootstrapper and have not been able to find any leads. The only mention of certificates I have found is in the IIS Extension, which is not applicable to our product.


WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/

More information about the wix-users mailing list