[wix-users] Unknown publisher UAC in Windows 7 only

Hoover, Jacob Jacob.Hoover at greenheck.com
Wed Sep 6 11:54:11 PDT 2017


I've always used the MSBuild targets:

  <Target Name="UsesFrameworkSdk">
    <!-- Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->
    <!-- Directories from installed software. - Stolen in part from https://github.com/wixtoolset/wix3/blob/develop/tools/WixBuild.props -->
    <PropertyGroup>
      <PotentialPlatformSdkInstallPath>$([MSBuild]::GetRegistryValueFromView('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Kits\Installed Roots', 'KitsRoot10', null, RegistryView.Registry64, RegistryView.Registry32))</PotentialPlatformSdkInstallPath>
      <PlatformSdkInstallPath Condition=" '$(PotentialPlatformSdkInstallPath)'!='' and Exists('$(PotentialPlatformSdkInstallPath)\include\10.0.14393.0\um') ">$(PotentialPlatformSdkInstallPath)</PlatformSdkInstallPath>
      <PlatformSdkRegistryVersion Condition=" '$(PlatformSdkInstallPath)'!='' ">v10</PlatformSdkRegistryVersion>
      <PlatformSdkIncludeRoot Condition=" '$(PlatformSdkIncludeRoot)'=='' and '$(PlatformSdkInstallPath)'!='' ">$(PlatformSdkInstallPath)\include\10.0.14393.0</PlatformSdkIncludeRoot>
    </PropertyGroup>

    <PropertyGroup Condition=" '$(PlatformSdkInstallPath)'=='' ">
      <PlatformSdkInstallPath>$([MSBuild]::GetRegistryValueFromView('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Kits\Installed Roots', 'KitsRoot81', null, RegistryView.Registry64, RegistryView.Registry32))</PlatformSdkInstallPath>
      <PlatformSdkRegistryVersion Condition=" '$(PlatformSdkInstallPath)'!='' ">v8.1</PlatformSdkRegistryVersion>
    </PropertyGroup>

    <PropertyGroup Condition=" '$(PlatformSdkInstallPath)'=='' ">
      <PlatformSdkInstallPath>$([MSBuild]::GetRegistryValueFromView('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v8.0', 'InstallationFolder', null, RegistryView.Registry64, RegistryView.Registry32))</PlatformSdkInstallPath>
      <PlatformSdkRegistryVersion Condition=" '$(PlatformSdkInstallPath)'!='' ">v8.0</PlatformSdkRegistryVersion>
    </PropertyGroup>

    <PropertyGroup Condition=" '$(PlatformSdkInstallPath)'=='' ">
      <PlatformSdkInstallPath>$([MSBuild]::GetRegistryValueFromView('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v7.1A', 'InstallationFolder', null, RegistryView.Registry64, RegistryView.Registry32))</PlatformSdkInstallPath>
      <PlatformSdkRegistryVersion Condition=" '$(PlatformSdkInstallPath)'!='' ">v7.1A</PlatformSdkRegistryVersion>
    </PropertyGroup>

    <PropertyGroup Condition=" '$(PlatformSdkInstallPath)'=='' ">
      <PlatformSdkInstallPath>$([MSBuild]::GetRegistryValueFromView('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v7.0A', 'InstallationFolder', null, RegistryView.Registry64, RegistryView.Registry32))</PlatformSdkInstallPath>
      <PlatformSdkRegistryVersion Condition=" '$(PlatformSdkInstallPath)'!='' ">v7.0A</PlatformSdkRegistryVersion>
    </PropertyGroup>

    <PropertyGroup>
      <PlatformSdkInstallPath Condition="!HasTrailingSlash('$(PlatformSdkInstallPath)')">$(PlatformSdkInstallPath)\</PlatformSdkInstallPath>

      <PlatformSdkIncludeRoot Condition=" '$(PlatformSdkIncludeRoot)'=='' ">$(PlatformSdkInstallPath)include</PlatformSdkIncludeRoot>
      <PlatformSdkIncludePath Condition=" '$(PlatformSdkIncludePath)'=='' ">$(PlatformSdkIncludeRoot)</PlatformSdkIncludePath>
      <PlatformSdkIncludePath Condition=" Exists('$(PlatformSdkIncludeRoot)\shared') ">$(PlatformSdkIncludePath);$(PlatformSdkIncludeRoot)\shared</PlatformSdkIncludePath>
      <PlatformSdkIncludePath Condition=" Exists('$(PlatformSdkIncludeRoot)\um') ">$(PlatformSdkIncludePath);$(PlatformSdkIncludeRoot)\um</PlatformSdkIncludePath>
      <PlatformSdkBinPath>$(PlatformSdkInstallPath)bin\</PlatformSdkBinPath>
      <PlatformSdkBinPath Condition=" Exists('$(PlatformSdkBinPath)x86') ">$(PlatformSdkBinPath)x86\</PlatformSdkBinPath>
    </PropertyGroup>
  </Target>

  <Target Name="UsesSignTool" DependsOnTargets="UsesFrameworkSdk">
    <PropertyGroup>
      <SignToolPath Condition="('$(SignToolPath)'=='') and Exists('$(PlatformSdkBinPath)signtool.exe')">$(PlatformSdkBinPath)signtool.exe</SignToolPath>
    </PropertyGroup>
    <Message Text="PlatformSdkRegistryVersion is: $(PlatformSdkRegistryVersion)" Importance="normal"/>
    <Message Text="PlatformSdkBinPath is: $(PlatformSdkBinPath)" Importance="normal"/>
    <Message Text="SignToolPath is: $(SignToolPath)" Importance="normal"/>
  </Target>

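  <Target Name="SignBundleEngine" DependsOnTargets="UsesSignTool">
    <Message Importance="high" Text="SignBundleEngine=&quot;@(SignBundleEngine)&quot;" />
    <!-- Primary signature: certificate selected by the $(Sha1) thumbprint, legacy /t timestamp. -->
    <Exec Command="&quot;$(SignToolPath)&quot; sign /d &quot;Foo  Setup&quot; /t http://timestamp.digicert.com /sha1 $(Sha1) /a &quot;@(SignBundleEngine)&quot;" />
    <!-- Appended (/as) SHA-256 signature: certificate selected by the $(Sha256) thumbprint, RFC 3161 timestamp (/tr, /td). -->
    <Exec Command="&quot;$(SignToolPath)&quot; sign /d &quot;Foo Setup&quot; /tr http://timestamp.digicert.com /td sha256 /fd sha256 /as /sha1 $(Sha256) /a &quot;@(SignBundleEngine)&quot;" />
  </Target>

  <Target Name="SignBundle" DependsOnTargets="UsesSignTool">
    <Message Importance="high" Text="SignBundle=&quot;@(SignBundle)&quot;" />
    <!-- Same two passes as SignBundleEngine, applied to the finished bundle. -->
    <Exec Command="&quot;$(SignToolPath)&quot; sign /d &quot;Foo Setup&quot; /t http://timestamp.digicert.com /sha1 $(Sha1) /a &quot;@(SignBundle)&quot;" />
    <Exec Command="&quot;$(SignToolPath)&quot; sign /d &quot;Foo Setup&quot; /tr http://timestamp.digicert.com /td sha256 /fd sha256 /as /sha1 $(Sha256) /a &quot;@(SignBundle)&quot;" />
  </Target>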

From: Steve De George [mailto:stevedegeorge at pivotalz.com]
Sent: Wednesday, September 6, 2017 12:11 PM
To: Hoover, Jacob <Jacob.Hoover at greenheck.com>; WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: Re: Unknown publisher UAC in Windows 7 only




Win 7 machine is connected to the internet and is at least SP1. It is a test machine and has not been used in a few months so I am updating it now.



On the Windows 7 machine the Bundle shows dual signed certs in the 'Digital signatures' tab: SHA256 and SHA1.

I use this PowerShell (run from TeamCity) script to sign everything. The MSI is signed in a different step and I checked and its 'Digital signatures' tab shows SHA256.




rem # --- extract the burn engine
"%env.wix%bin\insignia.exe" -ib "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\%env.output_file_name% Setup v%env.PATCH_TC_i2xVer%-%build.number%.exe" -o "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\engine.exe"
rem # --- sign it
signtool.exe sign /f "%system.teamcity.build.checkoutDir%\NGS Code Signing Cert 2015.pfx" /p password /fd sha1 /t http://timestamp.comodoca.com /d "i2x for Quickbooks" /du "http://www.nextgensoftware.com" "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\engine.exe"
signtool.exe sign /f "%system.teamcity.build.checkoutDir%\NGS Code Signing Cert 2015.pfx" /p password /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /as /d "i2x for Quickbooks" /du "http://www.nextgensoftware.com" "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\engine.exe"
rem # --- put it back into the bundle
"%env.wix%bin\insignia" -ab "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\engine.exe" "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\%env.output_file_name% Setup v%env.PATCH_TC_i2xVer%-%build.number%.exe" -o "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\%env.output_file_name% Setup v%env.PATCH_TC_i2xVer%-%build.number%.exe"
rem # --- sign the bundle
signtool.exe sign /f "%system.teamcity.build.checkoutDir%\NGS Code Signing Cert 2015.pfx" /p password /fd sha1 /t http://timestamp.comodoca.com /d "i2x for Quickbooks" /du "http://www.nextgensoftware.com" "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\%env.output_file_name% Setup v%env.PATCH_TC_i2xVer%-%build.number%.exe"
signtool.exe sign /f "%system.teamcity.build.checkoutDir%\NGS Code Signing Cert 2015.pfx" /p password /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /as /d "i2x for Quickbooks" /du "http://www.nextgensoftware.com" "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\%env.output_file_name% Setup v%env.PATCH_TC_i2xVer%-%build.number%.exe"




Steve De George - Pivotal Z / NextGen Software, Inc.
253-656-4061
www.pivotalz.com
www.nextgensoftware.com
________________________________
From: Hoover, Jacob <Jacob.Hoover at greenheck.com>
Sent: Wednesday, September 6, 2017 9:54:11 AM
To: WiX Toolset Users Mailing List
Cc: Steve De George
Subject: RE: Unknown publisher UAC in Windows 7 only

Is the Win 7 machine connected to the internet?  Has it had all the windows updates applied?

When you look at the bundle on the Win7 machine, what does the certificate look like?

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Steve De George via wix-users
Sent: Wednesday, September 6, 2017 11:35 AM
To: wix-users at lists.wixtoolset.org
Cc: Steve De George <stevedegeorge at pivotalz.com>
Subject: [wix-users] Unknown publisher UAC in Windows 7 only


Hi all.


I am having an issue with the elevated prompt showing 'Unknown' publisher from my burn engine.

Everything works fine in Windows Server 2008, 2012, 2016 and Windows 10. It only fails on Windows 7 SP1.


Both the burn engine and the bundle are signed with SHA256 and SHA1. The MSI is signed with SHA256 and looking at the properties of the installer you can see the digital signatures.


I have been trying to fix this for 2 days now. Why would it fail on Windows 7?

Anybody seen this before?


Thanks.


Steve De George - Pivotal Z / NextGen Software, Inc.
253-656-4061
www.pivotalz.com
www.nextgensoftware.com

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/

