[wix-users] Unknown publisher UAC in Windows 7 only

Hoover, Jacob Jacob.Hoover at greenheck.com
Thu Sep 7 07:51:45 PDT 2017


Silly question, have you tried a second Windows 7 machine?  Also, it's not the MSI that I am worrying about, it's the bundle.  If it shows a valid certificate in the file properties and you right click "run as admin" but Windows still shows an unknown publisher, then it has nothing to do with WiX.

From: Steve De George [mailto:stevedegeorge at pivotalz.com]
Sent: Thursday, September 7, 2017 9:48 AM
To: Hoover, Jacob <Jacob.Hoover at greenheck.com>; WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: Re: Unknown publisher UAC in Windows 7 only


OK, I made it simple on my local dev machine. No more TeamCity

I compile the MSI in Visual Studio release mode.

Then a batch file that is:


REM --- Sign
"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /f "E:\repos\NGS Code Signing Cert 2015.pfx" /p password /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /d "i2x for Quickbooks" /du "http://www.nextgensoftware.com" "E:\repos\i2x.net\MSI Setups\i2xInstaller\bin\Release\i2xInstaller.msi"
REM --- verify
"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" verify /pa "E:\repos\i2x.net\MSI Setups\i2xInstaller\bin\Release\i2xInstaller.msi"

Verify looks good.



Build my Burn engine in Visual Studio and run another batch file

REM --- sign
"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /f "E:\repos\NGS Code Signing Cert 2015.pfx" /p password /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /as /d "i2x for Quickbooks" /du "http://www.nextgensoftware.com" "E:\repos\i2x.net\MSI Setups\i2x Bootstrapper\bin\Release\i2xBootstrapper.exe"
REM --- verify
"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" verify /pa "E:\repos\i2x.net\MSI Setups\i2x Bootstrapper\bin\Release\i2xBootstrapper.exe"

It installs on Win 10 and I see the signed cert in the elevated prompt. Still fails on the Win 7 SP1 test machine. I am losing more hair. What is wrong with my code? I have verified I have the SHA256 update in Win 7.








Steve De George - Pivotal Z / NextGen Software, Inc.
253-656-4061
www.pivotalz.com<http://www.pivotalz.com/>
www.nextgensoftware.com<http://www.nextgensoftware.com/>
________________________________
From: wix-users <wix-users-bounces at lists.wixtoolset.org> on behalf of Steve De George via wix-users <wix-users at lists.wixtoolset.org>
Sent: Wednesday, September 6, 2017 10:10:36 AM
To: Hoover, Jacob; WiX Toolset Users Mailing List
Cc: Steve De George
Subject: Re: [wix-users] Unknown publisher UAC in Windows 7 only


Win 7 machine is connected to the internet and is at least SP1. It is a test machine and has not been used in a few months so I am updating it now.


On the Windows 7 machine the Bundle shows dual signed certs in the 'Digital signatures' tab: SHA256 and SHA1

I use this PowerShell (run from TeamCity) script to sign everything. The MSI is signed in a different step and I checked and its 'Digital signatures' tab shows SHA256



rem # --- extract the burn engine
"%env.wix%bin\insignia.exe" -ib "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\%env.output_file_name% Setup v%env.PATCH_TC_i2xVer%-%build.number%.exe" -o "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\engine.exe"
rem # --- sign it
signtool.exe sign /f "%system.teamcity.build.checkoutDir%\NGS Code Signing Cert 2015.pfx" /p password /fd sha1 /t http://timestamp.comodoca.com /d "i2x for Quickbooks" /du "http://www.nextgensoftware.com" "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\engine.exe"
signtool.exe sign /f "%system.teamcity.build.checkoutDir%\NGS Code Signing Cert 2015.pfx" /p password /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /as /d "i2x for Quickbooks" /du "http://www.nextgensoftware.com" "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\engine.exe"
rem # --- put it back into the bundle
"%env.wix%bin\insignia" -ab "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\engine.exe" "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\%env.output_file_name% Setup v%env.PATCH_TC_i2xVer%-%build.number%.exe" -o "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\%env.output_file_name% Setup v%env.PATCH_TC_i2xVer%-%build.number%.exe"
rem # --- sign the bundle
signtool.exe sign /f "%system.teamcity.build.checkoutDir%\NGS Code Signing Cert 2015.pfx" /p password /fd sha1 /t http://timestamp.comodoca.com /d "i2x for Quickbooks" /du "http://www.nextgensoftware.com" "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\%env.output_file_name% Setup v%env.PATCH_TC_i2xVer%-%build.number%.exe"
signtool.exe sign /f "%system.teamcity.build.checkoutDir%\NGS Code Signing Cert 2015.pfx" /p password /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /as /d "i2x for Quickbooks" /du "http://www.nextgensoftware.com" "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\%env.output_file_name% Setup v%env.PATCH_TC_i2xVer%-%build.number%.exe"



Steve De George - Pivotal Z / NextGen Software, Inc.
253-656-4061
www.pivotalz.com<http://www.pivotalz.com/>
www.nextgensoftware.com<http://www.nextgensoftware.com/>
________________________________
From: Hoover, Jacob <Jacob.Hoover at greenheck.com>
Sent: Wednesday, September 6, 2017 9:54:11 AM
To: WiX Toolset Users Mailing List
Cc: Steve De George
Subject: RE: Unknown publisher UAC in Windows 7 only

Is the Win 7 machine connected to the internet?  Has it had all the windows updates applied?

When you look at the bundle on the Win7 machine, what does the certificate look like?

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Steve De George via wix-users
Sent: Wednesday, September 6, 2017 11:35 AM
To: wix-users at lists.wixtoolset.org
Cc: Steve De George <stevedegeorge at pivotalz.com>
Subject: [wix-users] Unknown publisher UAC in Windows 7 only


Hi all.


I am having an issue with the elevated prompt showing 'Unknown' publisher from my burn engine.

Everything works fine in Windows Server 2008, 2012, 2016 and Windows 10. It only fails on Windows 7 SP1.


Both the burn engine and the bundle are signed with SHA256 and SHA1. The MSI is signed with SHA256 and looking at the properties of the installer you can see the digital signatures.


I have been trying to fix this for 2 days now. Why would it fail on Windows 7?

Anybody seen this before?


Thanks.


Steve De George - Pivotal Z / NextGen Software, Inc.
253-656-4061
www.pivotalz.com<http://www.pivotalz.com/>
www.nextgensoftware.com<http://www.nextgensoftware.com/>

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/
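
Added example, not part of the thread and not code from WiX or signtool: the messages above depend on which digest algorithms the bundle's primary and appended (`/as`) signatures use, so this Python script reads a PE file's certificate table and reports them per entry. It is a heuristic scan for the DER-encoded OIDs rather than a full ASN.1 parse, and `sample_image` builds constructed test data, not a real signed file.

```python
import struct

# DER-encoded OIDs (tag 0x06, length, value bytes)
OID_SHA1 = bytes.fromhex("06052b0e03021a")              # 1.3.14.3.2.26
OID_SHA256 = bytes.fromhex("0609608648016503040201")    # 2.16.840.1.101.3.4.2.1
OID_NESTED = bytes.fromhex("060a2b060104018237020401")  # 1.3.6.1.4.1.311.2.4.1

def first_digest(blob):
    """Name of the digest-algorithm OID that occurs first in blob, or None."""
    hits = [(blob.find(oid), name)
            for oid, name in ((OID_SHA1, "sha1"), (OID_SHA256, "sha256"))
            if oid in blob]
    return min(hits)[1] if hits else None

def authenticode_digests(pe):
    """Return one (primary, nested) digest pair per PKCS#7 certificate entry."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                                # optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]        # PE32 / PE32+
    # Data directory 4 is the certificate table; its address is a file offset.
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    out, end = [], off + size
    while off + 8 <= end:
        length, _rev, ctype = struct.unpack_from("<IHH", pe, off)
        if length < 8:
            break                                      # malformed entry
        if ctype == 0x0002:                            # PKCS#7 SignedData
            blob = pe[off + 8:off + length]
            cut = blob.find(OID_NESTED)                # nested-signature attribute
            head, tail = (blob, b"") if cut < 0 else (blob[:cut], blob[cut:])
            out.append((first_digest(head), first_digest(tail)))
        off += (length + 7) & ~7                       # entries are 8-byte aligned
    return out

def sample_image(blob):
    """Constructed minimal PE32 image with one certificate entry (test data)."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x80 + 24, 0x10B)
    entry = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    entry += b"\0" * (-len(entry) % 8)
    struct.pack_into("<II", img, 0x80 + 24 + 96 + 32, len(img), len(entry))
    return bytes(img) + entry
```

For a real file, pass its bytes: `authenticode_digests(open(path, "rb").read())`. An empty list means the file has no certificate table, and a nested value of `None` means no appended signature was found.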
