[wix-users] WiX MSP patching

Hoover, Jacob Jacob.Hoover at greenheck.com
Thu Nov 2 07:17:57 PDT 2017


Yes at embedding the public cer.

The MSP is based off of a second MSI.  This MSI should be like the first and have the PatchCertificates authored, as well as being signed (though I don't think signing the MSI is needed if you don't plan on deploying it).  The MSP itself must be signed after being generated.  It is the signing of the MSP with the same cert as what was originally authored into the MSI which allows LUA patching to function.
 
I would also suggest you utilize timestamping when signing.

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Александр Соловьев via wix-users
Sent: Thursday, November 2, 2017 9:01 AM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Cc: Александр Соловьев <deffill at mail.ru>
Subject: Re: [wix-users] WiX MSP patching

Thank you for your reply.
I have the DigitalCertificate tag included. I also have 3 files for my cert: *.cer, *.pfx and *.pvk. Do I get you right that I have to embed a *.cer, but to sign with *.pfx? Do I need to sign the msp or embed anything into it?


>Thursday, 2 November 2017, 20:55 +07:00 from "Hoover, Jacob via wix-users" <wix-users at lists.wixtoolset.org>:
>
>In the original MSI one needs to include the public cert via:
>        <PatchCertificates>
>            <DigitalCertificate Id="Foo" SourceFile="..\..\Certs\Foo.cer"/>
>        </PatchCertificates>
>
>Sign the MSI with the matching private key.
>
>When you build your patch, the second MSI it was based off of should also have the above authoring and should also be signed with the same key.
>
>
>With those bits in place LUAPatching should work without admin rights being required, assuming the administrator of the target PC hasn't disabled LUA.
>
>
>https://msdn.microsoft.com/en-us/library/windows/desktop/aa372388%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
>
>-----Original Message-----
>From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of John via wix-users
>Sent: Thursday, November 2, 2017 8:25 AM
>To: WiX Toolset Users Mailing List < wix-users at lists.wixtoolset.org >
>Cc: John < jzajac2 at gmail.com >
>Subject: Re: [wix-users] WiX MSP patching
>
>“the certificate has to be embedded into the package”? I don’t understand what that means. I’ve always used the cert and signtool to sign the files within the package and the MSI or MSP.
>
>The way I understand Windows security here is that the administrator token is required to write to program files folders. You can bypass that by having it trusted?
>
>Sent from my iPhone
>
>> On Nov 2, 2017, at 2:23 AM, Александр Соловьев via wix-users < wix-users at lists.wixtoolset.org > wrote:
>> 
>> Greetings.
>> I am trying to create an msp for my msi distribution and seem to get stuck at this point. The goal is to create a patch that can be applied by a non-administrator to an application installed in program files folder. However, I keep getting UAC prompt window with credentials input.
>> So far I have got 2 msi packages with different set of features (some removed, some added) and an msp patch built based upon the tutorial at  http://wixtoolset.org/ . The msi are installed properly and the msp applies as expected but only under admin privileges. As I understand from reading the internet, the msi and msp have to be signed with a certificate. For this purpose I have generated a code-signing certificate (self-signed for testing purposes) and have signed all the packages with signtool.exe. I've also found that the certificate has to be embedded into the package and still no luck. I even added my root certificate as a known root and the only result I got was UAC window color change from yellow to blue.
>> Having said that I am asking for any help. Could you point out what I am missing and where to go next? 
>> If this is not the place to post this question please take my apologies and point me to the right one.
>> 
>> 
>> 
>> ____________________________________________________________________
>> WiX Toolset Users Mailing List provided by FireGiant  http://www.firegiant.com/
>
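
A way to check the condition this thread turns on, that the generated MSP is signed with the same certificate authored under PatchCertificates and that the signature is timestamped. This PowerShell is an added example, not code from the thread or from the WiX project; `Test-LuaPatchSigning` and `Patch.msp` are hypothetical names, and the .cer path is the one shown in the quoted authoring.

```powershell
# Added example: compare the certificate authored into <PatchCertificates>
# with the certificate that actually signed the patch.
function Test-LuaPatchSigning {
    param(
        [Parameter(Mandatory)][string]$CerPath,  # public cert embedded in the MSI
        [Parameter(Mandatory)][string]$MspPath   # patch, signed after it was generated
    )

    # Load the public certificate that was referenced by DigitalCertificate/@SourceFile.
    $authored = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        (Resolve-Path $CerPath).Path

    # Read the Authenticode signature on the patch file.
    $sig = Get-AuthenticodeSignature -FilePath (Resolve-Path $MspPath).Path
    $signer = $sig.SignerCertificate

    [pscustomobject]@{
        Patch              = $MspPath
        # NotSigned here means the MSP was never signed after being built.
        SignatureStatus    = $sig.Status
        SignerThumbprint   = if ($signer) { $signer.Thumbprint } else { $null }
        AuthoredThumbprint = $authored.Thumbprint
        # The patch must be signed with the same cert that was authored into the MSI.
        SameCertificate    = ($null -ne $signer) -and
                             ($signer.Thumbprint -eq $authored.Thumbprint)
        # Without a timestamp the signature stops validating when the cert expires.
        Timestamped        = $null -ne $sig.TimeStamperCertificate
    }
}

# Placeholder paths: adjust to the build output being checked.
Test-LuaPatchSigning -CerPath '..\..\Certs\Foo.cer' -MspPath '.\Patch.msp'
```

If `SameCertificate` is False, the patch was signed with a different certificate than the one embedded in the original MSI, which is the mismatch the reply above describes as preventing LUA patching.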