[wix-users] Streaming Bootstrapper - HTTPS Certificate Verification?

Sean Hall r.sean.hall at gmail.com
Fri Mar 4 11:34:37 PST 2016


Like Rob said in his reply to your original email "No need to send payloads
over HTTPS (although you can if you wish)".  The Standard Bootstrapper does
not check Certificate Validation of the MSI/CABs, that's the engine's job.
See cache.cpp for implementation details (VerifyPayloadAgainstChain in
https://github.com/wixtoolset/wix3/blob/a6867f77af96dce26df68d7dbbb6f3aaab13e9e0/src/burn/engine/cache.cpp
).

The internal hashes for all payloads are SHA-1, and that's not configurable
today.  It's an open feature request -
https://github.com/wixtoolset/issues/issues/3992.

On Fri, Mar 4, 2016 at 12:09 PM, Raze, Leigh <razel at amazon.com> wrote:

> Our security team is requiring us to use HTTPS to download our MSIs and
> cabs. They brought up the question of Certificate Verification after we
> noticed that the embedded hashes are SHA-1, and not SHA-256 (which our
> security team was hoping for). Is there any way for us to have the Standard
> Bootstrapper use SHA-256 or perform Certificate Verification without
> modifying the source or build a custom bootstrapper.
>
> -----Original Message-----
> From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf
> Of Raze, Leigh
> Sent: Friday, February 26, 2016 9:54 AM
> To: wix-users at lists.wixtoolset.org
> Subject: [wix-users] Streaming Bootstrapper - HTTPS Certificate
> Verification?
>
> Hello!
>
> I am using the Standard Bootstrapper application to pull down, via HTTPS,
> a number of MSIs that we have built to install our product. This is working
> fine, but I have a security question related to the Standard Bootstrapper
> and giving DownloadUrl an HTTPS link:
>
> Does anyone know if and how the Standard Bootstrapper does certificate
> validation on anything downloaded through HTTPS? I have looked through the
> source code for WiX and the Standard Bootstrapper and have not been able to
> find any leads. The only mention of certificates I have found is in the IIS
> Extension, which is not applicable to our product.
>
> Thanks!
>
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant
> http://www.firegiant.com/
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant
> http://www.firegiant.com/
>



More information about the wix-users mailing list