[wix-users] Streaming Bootstrapper - HTTPS Certificate Verification?

Raze, Leigh razel at amazon.com
Fri Mar 4 10:51:26 PST 2016 

Is there a way for us to do this without using MSBuild? 

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of John Cooper
Sent: Friday, March 04, 2016 10:15 AM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: Re: [wix-users] Streaming Bootstrapper - HTTPS Certificate Verification?

The default for signtool.exe is SHA1 signatures.  I suspect this is also the case for other tools.  It is possible to:  1) double sign with SHA1 and SHA256; or 2) sign with just SHA256 (with the resulting incompatibility for XP, etc.).  The /fd switch on signtool.exe controls the "file digest" used to sign the target.  I am moving to using /fd SHA256 for all my products as we no longer support XP.

--
John Merryweather Cooper
Senior Software Engineer | Integration Development Group | Enterprise Notification Service Jack Henry & Associates, Inc.® | Lenexa, KS  66214 | Ext:  431050 |JoCooper at jackhenry.com




-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Raze, Leigh
Sent: Friday, March 4, 2016 12:09 PM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: Re: [wix-users] Streaming Bootstrapper - HTTPS Certificate Verification?

The e-mail below is from an external source.  Please do not open attachments or click links from an unknown or suspicious origin.

Our security team is requiring us to use HTTPS to download our MSIs and cabs. They brought up the question of Certificate Verification after we noticed that the embedded hashes are SHA-1, and not SHA-256 (which our security team was hoping for). Is there any way for us to have the Standard Bootstrapper use SHA-256 or perform Certificate Verification without modifying the source or build a custom bootstrapper.

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Raze, Leigh
Sent: Friday, February 26, 2016 9:54 AM
To: wix-users at lists.wixtoolset.org
Subject: [wix-users] Streaming Bootstrapper - HTTPS Certificate Verification?

Hello!

I am using the Standard Bootstrapper application to pull down, via HTTPS, a number of MSIs that we have built to install our product. This is working fine, but I have a security question related to the Standard Bootstrapper and giving DownloadUrl an HTTPS link:

Does anyone know if and how the Standard Bootstrapper does certificate validation on anything downloaded through HTTPS? I have looked through the source code for WiX and the Standard Bootstrapper and have not been able to find any leads. The only mention of certificates I have found is in the IIS Extension, which is not applicable to our product.

Thanks!


____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/

NOTICE: This electronic mail message and any files transmitted with it are intended exclusively for the individual or entity to which it is addressed. The message, together with any attachment, may contain confidential and/or privileged information.
Any unauthorized review, use, printing, saving, copying, disclosure or distribution is strictly prohibited. If you have received this message in error, please immediately advise the sender by reply email and delete all copies.


____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/

More information about the wix-users mailing list