[wix-users] DetectCondition for MsuPackage for KB3033929

Mridul Pentapalli mridulp at mediafour.com
Thu Sep 15 13:56:29 PDT 2016

Thank Phill Hogland for the comments. Since we provide software for the
general public, I want to force them to install the .msu. There are a
significant number of current users who are on Win 7 and our customers are
not generally very tech savvy. It would be terrible since we have already
taken their money and they will no longer be able to use the software they
paid for. We also require NetFx45 as a prerequisite anyway. We can always
bump it up to 461 if we see problems. I have fixed issues with customers
not having the correct root certificates in the past with our current
drivers, so I don't see that as a stumbling block.

Thanks Rob Mensching for your comments too. We have been using globalsign
for the past few years and we updated it recently. I doubt my boss is
interested in switching over just to get a SHA1 certificate for what is
going to be a diminishing problem.

So is there any way to put a DetectCondition? Alternately is there any
other way that I can incorporate installing this particular MSU file and
then chain my current .MSI?


On Thu, Sep 15, 2016 at 3:23 PM, Rob Mensching <rob at firegiant.com> wrote:

> I highly recommend DigiCert (https://www.digicert.com/). They support
> SHA1 for this very reason and reissues are free.
> In fact, I just had to go through the process to reissue for a SHA1 to
> dual-sign FireGiant's newly launched WiX Expansion Pack (
> https://www.firegiant.com/products/wix-expansion-pack/).
> If you want 25% off your order, send me a direct email and I'll send you a
> referral (I don't care about the Amazon gift card they send, if 25% off is
> what it takes to get you to a better certificate provider <smile/>).
> _____________________________________________________________
>  Short replies here. Complete answers over there:
> http://www.firegiant.com/
> -----Original Message-----
> From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf
> Of Phill Hogland
> Sent: Thursday, September 15, 2016 1:10 PM
> To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> Subject: Re: [wix-users] DetectCondition for MsuPackage for KB3033929
> We ship SHA2 signed packages, as we no longer have a SHA1 and the vendor
> would not renew it prior to it expiring.  I believe that there may be
> issues with using the SHA1 after 1/2017.
> We have many Win7 "isolated" network users, and we often have users who
> report installing KB3033929 but still cannot run a setup that is SHA2
> signed.  Sometimes they can resolve it by also updating their root
> certificates.  Other times they cannot find any solution.  Recently users
> have reported resolving this problem by installing either NetFx452 or
> NetFx461 (even if they already have NetFx45 which is the minimum we
> require).   I have not tried to integrate the msu into my bundles because
> of the inconsistency in resolving the issue.  We referrer users to
> Microsoft Support, but it has been a real pain because of the prior
> releases related to KB3033929 which broke certain systems.
> ________________________________
> From: wix-users <wix-users-bounces at lists.wixtoolset.org> on behalf of
> Tyler Gustafson <tgustafson at solacom.com>
> Sent: Thursday, September 15, 2016 12:40:19 PM
> To: WiX Toolset Users Mailing List
> Subject: Re: [wix-users] DetectCondition for MsuPackage for KB3033929
> Ouch, sorry to hear that.
> Personally I would document the problem away at this point or possibly
> look for another way to get the SHA-1 certificate back instead of having my
> installer tell the customer they need Windows Updates.
> If you really want to go that route I'm not any more helpful than Google
> on this topic but maybe someone else on here has more experience with WiX
> and .msu
> -----Original Message-----
> From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf
> Of Mridul Pentapalli
> Sent: September-15-16 11:42 AM
> To: WiX Toolset Users Mailing List
> Subject: Re: [wix-users] DetectCondition for MsuPackage for KB3033929
> That is true, until you find that your SHA-1 certificate expired last week
> and that your certificate provider no longer provides SHA-1 certificates
> any more. We were dual signing our drivers until last week.
> Mridul.
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant
> http://www.firegiant.com/

More information about the wix-users mailing list