[wix-users] Least privileged user account patching without UAC elevation

Neil Hayes Neil.Hayes at syspro.com
Tue Sep 20 04:15:57 PDT 2016


I haven't found any documentation that says the element does not accept a pfx.

This is a VeriSign certificate used to digitally sign all our exes, dlls and installs, and not one I've created. No changes are done regarding keys, passwords etc....the pfx file is just referenced by the SourceFile attribute.

The patch is generated as per the "sample" demo http://wixtoolset.org/documentation/manual/v3/patching/wix_patching.html

candle.exe patch.wxs
light.exe patch.wixobj -out patch\patch.wixmsp
pyro.exe patch\patch.wixmsp -out patch\patch.msp -t RTM patch\diff.wixmst

"Then when you generate the patch, it also needs the same" ? What name are you referring to?

"The original MSI is also signed with the same certificate?"  - Yes

Signing is performed using a timestamp.

Neil

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of David Watson
Sent: Friday, September 16, 2016 10:23 PM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: Re: [wix-users] Least privileged user account patching without UAC elevation

Does the digital certificate element accept a pfx, I've always just used a public key only  .cer?

Are you embedding your public and private keys in the pfx?

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Hoover, Jacob
Sent: 16 September 2016 16:57
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: Re: [wix-users] Least privileged user account patching without UAC elevation

The original MSI is also signed with the same certificate?

You need to have the public cert in the PatchCertificates table, as well as signing the MSI with that same certificate.  Then when you generate the patch, it also needs the same.  The certificate can't change from initial MSI to the patched MSI (without generating a patch to patch in a new certificate).  I'd also ensure when signing that you'd use the timestamp option to ensure your cert still remains valid on older MSI's after the expiration date.

Also, how are you generating your patch?

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Neil Hayes
Sent: Friday, September 16, 2016 2:08 AM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: [wix-users] Least privileged user account patching without UAC elevation

I just can't get this to work....totally frustrating.

Our dummy project has this :

<PatchCertificates>
    <DigitalCertificate Id="Cert" SourceFile="mycertificate.pfx" />
</PatchCertificates>


The pfx certificate is valid (sha256) and doesn't expire for another year.
On building the MSI the following 2 tables are created and populated.

MsiDigitalCertificate
MsiPatchCertificate

ALLUSERS property is set to 1

The MSI does not have external CAB files. The MSI is signed with the same certificate.

When you install, it asks for elevation and deploys, as expected.

Patch created, signed with the same certificate. - Asks for elevation (now frustrated). - Patch works if I elevate and install.

MSI (c) (E0:6C) [07:39:10:239]: SOFTWARE RESTRICTION POLICY: Verifying patch --> 'C:\Dummy\Digital\patch\HF001.msp' against software restriction policy
MSI (c) (E0:6C) [07:39:10:240]: SOFTWARE RESTRICTION POLICY: C:\Dummy\Digital\patch\HF001.msp has a digital signature
MSI (c) (E0:6C) [07:39:10:275]: SOFTWARE RESTRICTION POLICY: C:\Dummy\Digital\patch\HF001.msp is permitted to run at the 'unrestricted' authorization level.

MSI (c) (E0:6C) [07:39:10:378]: Machine policy value 'DisablePatch' is 0
MSI (c) (E0:6C) [07:39:10:378]: Machine policy value 'AllowLockdownPatch' is 0
MSI (c) (E0:6C) [07:39:10:378]: Machine policy value 'DisableMsi' is 0
MSI (c) (E0:6C) [07:39:10:378]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (c) (E0:6C) [07:39:10:378]: User policy value 'AlwaysInstallElevated' is 0
MSI (c) (E0:6C) [07:39:10:378]: Product {8985D4B0-D759-4E34-AB18-1C494780FF7A} is admin assigned: LocalSystem owns the publish key.
MSI (c) (E0:6C) [07:39:10:378]: Product {8985D4B0-D759-4E34-AB18-1C494780FF7A} is managed.
MSI (c) (E0:6C) [07:39:10:378]: Running product '{8985D4B0-D759-4E34-AB18-1C494780FF7A}' with elevated privileges: Product is assigned.
MSI (c) (E0:6C) [07:39:10:378]: Machine policy value 'DisableLUAPatching' is 0
MSI (c) (E0:6C) [07:39:10:378]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (c) (E0:6C) [07:39:10:378]: Validating digital signature of file 'C:\Dummy\Digital\patch\HF001.msp'
MSI (c) (E0:6C) [07:39:10:384]: Certificate of signed file 'C:\Dummy\Digital\patch\HF001.msp' differs in size with the certificate authored in the package

ACTION part of the log

MSI (s) (B8:98) [07:39:12:926]: Machine policy value 'DisableLUAPatching' is 0
MSI (s) (B8:98) [07:39:12:927]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (s) (B8:98) [07:39:12:927]: Validating digital signature of file 'C:\WINDOWS\Installer\48349a30.msp'
MSI (s) (B8:98) [07:39:12:931]: Certificate of signed file 'C:\WINDOWS\Installer\48349a30.msp' differs in size with the certificate authored in the package


I've looked at lots of posts where people have the same issue but I haven't found one that comes to a working conclusion.

Do I need something like the property "MSIDEPLOYMENTCOMPLIANT"?
The primary install writes to HKLM\Software\Company, but does not deploy to Program Files or install a service.
Testing is on a simple Windows 10 VM (standalone). No group policies applied or local software settings. I'm using a pfx file; should it work with a pfx file?
I see the MEDIA node also makes provision for a digital signature (but for external CAB files); mine is embedded.

Why am I doing this?

In the environment where this is deployed, for a large number of companies getting an 'Admin' requires booking time, sometimes a month in advance, regardless of whether the company comes to a grinding halt in a fraction of its business.

Please - What am I missing?

Neil
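One way to check the pieces Jacob lists (the same certificate signing the MSI and the patch, its public certificate authored into the package, and a timestamp on the signature), as an added PowerShell diagnostic that is not part of this thread: it exports the public DER certificate from the pfx, which is the form the PatchCertificates table carries, and compares it byte-for-byte with the signer certificate on each signed package, so a mismatch shows up before Windows Installer logs "differs in size with the certificate authored in the package". The MSI file name and the pfx name are assumptions; the patch path is the one from the log.

```powershell
# Added diagnostic, not from the thread. Compares the certificate that actually
# signed the MSI/MSP with the public certificate that PatchCertificates should
# carry. File names below are assumptions; the patch path is taken from the log.
param(
    [string]$PfxPath = 'mycertificate.pfx',
    [string]$MsiPath = 'Dummy.msi',
    [string]$MspPath = 'patch\HF001.msp'
)
$CertType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert

# 1. Export the public certificate (DER, no private key) from the PFX. This .cer,
#    not the .pfx, is the byte blob that belongs in MsiDigitalCertificate.
$pfx      = Get-PfxCertificate -FilePath $PfxPath      # prompts for the PFX password
$cerBytes = $pfx.Export($CertType)
$cerPath  = [System.IO.Path]::ChangeExtension((Resolve-Path $PfxPath).Path, '.cer')
[System.IO.File]::WriteAllBytes($cerPath, $cerBytes)
"Public cert: $cerPath, $($cerBytes.Length) bytes, thumbprint $($pfx.Thumbprint)"

# 2. For each signed package, the signer certificate must be byte-identical to that
#    .cer; a size/content mismatch is what the 'differs in size with the certificate
#    authored in the package' log line reports. Also confirm a timestamp is present,
#    so the signature stays valid after the certificate expires.
foreach ($pkg in @($MsiPath, $MspPath)) {
    $sig = Get-AuthenticodeSignature -FilePath $pkg
    if ($sig.Status -ne 'Valid') {
        "$pkg : signature status is $($sig.Status); fix signing before checking the table"
        continue
    }
    $signerBytes = $sig.SignerCertificate.Export($CertType)
    $identical   = [Convert]::ToBase64String($signerBytes) -eq [Convert]::ToBase64String($cerBytes)
    $timestamped = $null -ne $sig.TimeStamperCertificate
    "$pkg : signer $($sig.SignerCertificate.Thumbprint), $($signerBytes.Length) bytes, " +
    "matches exported .cer = $identical, timestamped = $timestamped"
}
```

If both packages report a match, point DigitalCertificate/@SourceFile at the exported .cer, rebuild the MSI and regenerate the patch with the candle/light/pyro steps above, and re-run the script against the new outputs.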

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/
