[wix-users] DetectCondition for MsuPackage for KB3033929
Phill Hogland
phill.hogland at rimage.com
Thu Sep 15 13:09:52 PDT 2016
We ship SHA2 signed packages, as we no longer have a SHA1 and the vendor would not renew it prior to it expiring. I believe that there may be issues with using the SHA1 after 1/2017.
We have many Win7 "isolated" network users, and we often have users who report installing KB3033929 but still cannot run a setup that is SHA2 signed. Sometimes they can resolve it by also updating their root certificates. Other times they cannot find any solution. Recently users have reported resolving this problem by installing either NetFx452 or NetFx461 (even if they already have NetFx45 which is the minimum we require). I have not tried to integrate the msu into my bundles because of the inconsistency in resolving the issue. We referrer users to Microsoft Support, but it has been a real pain because of the prior releases related to KB3033929 which broke certain systems.
________________________________
From: wix-users <wix-users-bounces at lists.wixtoolset.org> on behalf of Tyler Gustafson <tgustafson at solacom.com>
Sent: Thursday, September 15, 2016 12:40:19 PM
To: WiX Toolset Users Mailing List
Subject: Re: [wix-users] DetectCondition for MsuPackage for KB3033929
Ouch, sorry to hear that.
Personally I would document the problem away at this point or possibly look for another way to get the SHA-1 certificate back instead of having my installer tell the customer they need Windows Updates.
If you really want to go that route I'm not any more helpful than Google on this topic but maybe someone else on here has more experience with WiX and .msu
-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Mridul Pentapalli
Sent: September-15-16 11:42 AM
To: WiX Toolset Users Mailing List
Subject: Re: [wix-users] DetectCondition for MsuPackage for KB3033929
That is true, until you find that your SHA-1 certificate expired last week and that your certificate provider no longer provides SHA-1 certificates any more. We were dual signing our drivers until last week.
Mridul.
On Thu, Sep 15, 2016 at 10:27 AM, John Cooper <JoCooper at jackhenry.com>
wrote:
> Dual sign is the way to go. This is an OS and not WiX issue.
>
> --
> John Merryweather Cooper
> Senior Software Engineer -- Integration Development Group --
> Enterprise Notification Service Jack Henry & Associates, Inc.® |
> Lenexa, KS 66214 | Office:
> 913-341-3434x431050
> JoCooper at jackhenry.com
>
>
>
>
> -----Original Message-----
> From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On
> Behalf Of Tyler Gustafson
> Sent: Thursday, September 15, 2016 10:14 AM
> To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> Subject: Re: [wix-users] DetectCondition for MsuPackage for KB3033929
>
> The e-mail below is from an external source. Please do not open
> attachments or click links from an unknown or suspicious origin.
>
> The documentation I've read suggests you sign your drivers with both
> the old SHA-1 and the new SHA-2 certificates so that older systems
> which don't recognise SHA-2 will still work. You might not have to
> solve this problem with WiX.
>
> https://www.digicert.com/code-signing/code-signing-dual-
> signing-sha256-sha1.htm
>
>
> -----Original Message-----
> From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On
> Behalf Of Mridul Pentapalli
> Sent: September-15-16 10:49 AM
> To: wix-users at lists.wixtoolset.org
> Subject: [wix-users] DetectCondition for MsuPackage for KB3033929
>
> Hi,
>
> Due to changes for digital signature enforcement of drivers, we are
> signing our drivers with SHA-2 certificates but these are not
> recognized by Windows
> 7 SP1 unless they are patched with KB3033929.
>
> I added this entry to my bootstrapper, but I have no idea how to
> populate the DetectCondition entry. Can someone please suggest a way
> to get this to work?
>
> <MsuPackage DisplayName="Security Update for Windows 7 for x64-based
> Systems (KB3033929)"
> Compressed="yes"
> Description="Security Update for Windows 7 for
> x64-based Systems (KB3033929)"
> DetectCondition=""
> InstallCondition="" <!--- This will be Windows 7 SP1
> x64 bit only -->
> DownloadUrl="
> https://www.microsoft.com/en-us/download/confirmation.aspx?id=46148"
> KB="KB3033929"
> Permanent="yes"
> SourceFile="Windows6.1-KB3033929-x64.msu" />
>
> Regards,
> Mridul.
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant
> http://www.firegiant.com/
> --
> Scanned by Total Defense Email Cloud Security
> http://cloud.totaldefense.com
>
>
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant
> http://www.firegiant.com/
>
> NOTICE: This electronic mail message and any files transmitted with it
> are intended exclusively for the individual or entity to which it is
> addressed. The message, together with any attachment, may contain
> confidential and/or privileged information.
> Any unauthorized review, use, printing, saving, copying, disclosure or
> distribution is strictly prohibited. If you have received this message
> in error, please immediately advise the sender by reply email and
> delete all copies.
>
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant
> http://www.firegiant.com/
>
____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/
--
Scanned by Total Defense Email Cloud Security http://cloud.totaldefense.com
____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/
More information about the wix-users
mailing list