[wix-users] Unknown publisher UAC in Windows 7 only
Tom Brezinski
tom.brezinski at ViaviSolutions.com
Thu Sep 7 04:16:04 PDT 2017
You said you signed the MSI with SHA256. Since you cannot dual sign an MSI I usually sign it SHA1. The Microsoft SHA1 deprecation plan used to make that suggestion though now they have wiped all code signing info from that article.
This is going to be a really off the wall idea but have you tried turning off SmartScreen? Since you do not have an EV cert there is a slim chance that might be a factor.
-Tom
-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Steve De George via wix-users
Sent: Thursday, September 07, 2017 5:42 AM
To: Hoover, Jacob <Jacob.Hoover at greenheck.com>; WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Cc: Steve De George <stevedegeorge at pivotalz.com>
Subject: Re: [wix-users] Unknown publisher UAC in Windows 7 only
I finished upgrading my Win 7 machine but that made no difference. I also got my hands on another Win 7 machine and that has the same problem.
Just checked Win 8.1 and it works there OK.
I do not get it. On Win 7, in the properties digital signature tab it shows both SHA256 and SHA1 certs.
It works fine on Win 8.1 and 10, Server 2008, 2012, 2016.
I do not see how BuildTargets will change anything as it will use the SignTool command line tool.
Any other ideas?
Steve De George - Pivotal Z / NextGen Software, Inc.
253-656-4061
www.pivotalz.com<http://www.pivotalz.com/>
www.nextgensoftware.com<http://www.nextgensoftware.com/>
________________________________
From: Hoover, Jacob <Jacob.Hoover at greenheck.com>
Sent: Wednesday, September 6, 2017 11:54:11 AM
To: Steve De George; WiX Toolset Users Mailing List
Subject: RE: Unknown publisher UAC in Windows 7 only
I've always used the MSBuild targets:
<Target Name="UsesFrameworkSdk">
<!-- Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->
<!-- Directories from installed software. - Stolen in part from https://github.com/wixtoolset/wix3/blob/develop/tools/WixBuild.props -->
<PropertyGroup>
<PotentialPlatformSdkInstallPath>$([MSBuild]::GetRegistryValueFromView('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Kits\Installed Roots', 'KitsRoot10', null, RegistryView.Registry64, RegistryView.Registry32))</PotentialPlatformSdkInstallPath>
<PlatformSdkInstallPath Condition=" '$(PotentialPlatformSdkInstallPath)'!='' and Exists('$(PotentialPlatformSdkInstallPath)\include\10.0.14393.0\um') ">$(PotentialPlatformSdkInstallPath)</PlatformSdkInstallPath>
<PlatformSdkRegistryVersion Condition=" '$(PlatformSdkInstallPath)'!='' ">v10</PlatformSdkRegistryVersion>
<PlatformSdkIncludeRoot Condition=" '$(PlatformSdkIncludeRoot)'=='' and '$(PlatformSdkInstallPath)'!='' ">$(PlatformSdkInstallPath)\include\10.0.14393.0</PlatformSdkIncludeRoot>
</PropertyGroup>
<PropertyGroup Condition=" '$(PlatformSdkInstallPath)'=='' ">
<PlatformSdkInstallPath>$([MSBuild]::GetRegistryValueFromView('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Kits\Installed Roots', 'KitsRoot81', null, RegistryView.Registry64, RegistryView.Registry32))</PlatformSdkInstallPath>
<PlatformSdkRegistryVersion Condition=" '$(PlatformSdkInstallPath)'!='' ">v8.1</PlatformSdkRegistryVersion>
</PropertyGroup>
<PropertyGroup Condition=" '$(PlatformSdkInstallPath)'=='' ">
<PlatformSdkInstallPath>$([MSBuild]::GetRegistryValueFromView('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v8.0', 'InstallationFolder', null, RegistryView.Registry64, RegistryView.Registry32))</PlatformSdkInstallPath>
<PlatformSdkRegistryVersion Condition=" '$(PlatformSdkInstallPath)'!='' ">v8.0</PlatformSdkRegistryVersion>
</PropertyGroup>
<PropertyGroup Condition=" '$(PlatformSdkInstallPath)'=='' ">
<PlatformSdkInstallPath>$([MSBuild]::GetRegistryValueFromView('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v7.1A', 'InstallationFolder', null, RegistryView.Registry64, RegistryView.Registry32))</PlatformSdkInstallPath>
<PlatformSdkRegistryVersion Condition=" '$(PlatformSdkInstallPath)'!='' ">v7.1A</PlatformSdkRegistryVersion>
</PropertyGroup>
<PropertyGroup Condition=" '$(PlatformSdkInstallPath)'=='' ">
<PlatformSdkInstallPath>$([MSBuild]::GetRegistryValueFromView('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v7.0A', 'InstallationFolder', null, RegistryView.Registry64, RegistryView.Registry32))</PlatformSdkInstallPath>
<PlatformSdkRegistryVersion Condition=" '$(PlatformSdkInstallPath)'!='' ">v7.0A</PlatformSdkRegistryVersion>
</PropertyGroup>
<PropertyGroup>
<PlatformSdkInstallPath Condition="!HasTrailingSlash('$(PlatformSdkInstallPath)')">$(PlatformSdkInstallPath)\</PlatformSdkInstallPath>
<PlatformSdkIncludeRoot Condition=" '$(PlatformSdkIncludeRoot)'=='' ">$(PlatformSdkInstallPath)include</PlatformSdkIncludeRoot>
<PlatformSdkIncludePath Condition=" '$(PlatformSdkIncludePath)'=='' ">$(PlatformSdkIncludeRoot)</PlatformSdkIncludePath>
<PlatformSdkIncludePath Condition=" Exists('$(PlatformSdkIncludeRoot)\shared') ">$(PlatformSdkIncludePath);$(PlatformSdkIncludeRoot)\shared</PlatformSdkIncludePath>
<PlatformSdkIncludePath Condition=" Exists('$(PlatformSdkIncludeRoot)\um') ">$(PlatformSdkIncludePath);$(PlatformSdkIncludeRoot)\um</PlatformSdkIncludePath>
<PlatformSdkBinPath>$(PlatformSdkInstallPath)bin\</PlatformSdkBinPath>
<PlatformSdkBinPath Condition=" Exists('$(PlatformSdkBinPath)x86') ">$(PlatformSdkBinPath)x86\</PlatformSdkBinPath>
</PropertyGroup>
</Target>
<Target Name="UsesSignTool" DependsOnTargets="UsesFrameworkSdk">
<PropertyGroup>
<SignToolPath Condition="('$(SignToolPath)'=='') and Exists('$(PlatformSdkBinPath)signtool.exe')">$(PlatformSdkBinPath)signtool.exe</SignToolPath>
</PropertyGroup>
<Message Text="PlatformSdkRegistryVersion is: $(PlatformSdkRegistryVersion)" Importance="normal"/>
<Message Text="PlatformSdkBinPath is: $(PlatformSdkBinPath)" Importance="normal"/>
<Message Text="SignToolPath is: $(SignToolPath)" Importance="normal"/>
</Target>
<Target Name="SignBundleEngine" DependsOnTargets="UsesSignTool">
<Message Importance="high" Text="SignBundleEngine=&quot;@(SignBundleEngine)&quot;" />
<Exec Command="&quot;$(SignToolPath)&quot; sign /d &quot;Foo Setup&quot; /t http://timestamp.digicert.com /sha1 $(Sha1) /a &quot;@(SignBundleEngine)&quot;" />
<Exec Command="&quot;$(SignToolPath)&quot; sign /d &quot;Foo Setup&quot; /tr http://timestamp.digicert.com /td sha256 /fd sha256 /as /sha1 $(Sha256) /a &quot;@(SignBundleEngine)&quot;" />
</Target>
<Target Name="SignBundle" DependsOnTargets="UsesSignTool">
<Message Importance="high" Text="SignBundle=&quot;@(SignBundle)&quot;" />
<Exec Command="&quot;$(SignToolPath)&quot; sign /d &quot;Foo Setup&quot; /t http://timestamp.digicert.com /sha1 $(Sha1) /a &quot;@(SignBundle)&quot;" />
<Exec Command="&quot;$(SignToolPath)&quot; sign /d &quot;Foo Setup&quot; /tr http://timestamp.digicert.com /td sha256 /fd sha256 /as /sha1 $(Sha256) /a &quot;@(SignBundle)&quot;" />
</Target>
From: Steve De George [mailto:stevedegeorge at pivotalz.com]
Sent: Wednesday, September 6, 2017 12:11 PM
To: Hoover, Jacob <Jacob.Hoover at greenheck.com>; WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: Re: Unknown publisher UAC in Windows 7 only
Win 7 machine is connected to the internet and is at least SP1. It is a test machine and has not been used in a few months so I am updating it now.
On the Windows 7 machine the Bundle shows dual signed certs in the 'Digital signatures' tab: SHA256 and SHA1
I use this PowerShell script (run from TeamCity) to sign everything. The MSI is signed in a different step and I checked and its 'Digital signatures' tab shows SHA256
rem # --- extract the burn engine
"%env.wix%bin\insignia.exe" -ib "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\%env.output_file_name% Setup v%env.PATCH_TC_i2xVer%-%build.number%.exe" -o "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\engine.exe"
rem # --- sign it
signtool.exe sign /f "%system.teamcity.build.checkoutDir%\NGS Code Signing Cert 2015.pfx" /p password /fd sha1 /t http://timestamp.comodoca.com /d "i2x for Quickbooks" /du "http://www.nextgensoftware.com" "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\engine.exe"
signtool.exe sign /f "%system.teamcity.build.checkoutDir%\NGS Code Signing Cert 2015.pfx" /p password /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /as /d "i2x for Quickbooks" /du "http://www.nextgensoftware.com" "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\engine.exe"
rem # --- put it back into the bundle
"%env.wix%bin\insignia" -ab "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\engine.exe" "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\%env.output_file_name% Setup v%env.PATCH_TC_i2xVer%-%build.number%.exe" -o "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\%env.output_file_name% Setup v%env.PATCH_TC_i2xVer%-%build.number%.exe"
rem # --- sign the bundle
signtool.exe sign /f "%system.teamcity.build.checkoutDir%\NGS Code Signing Cert 2015.pfx" /p password /fd sha1 /t http://timestamp.comodoca.com /d "i2x for Quickbooks" /du "http://www.nextgensoftware.com" "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\%env.output_file_name% Setup v%env.PATCH_TC_i2xVer%-%build.number%.exe"
signtool.exe sign /f "%system.teamcity.build.checkoutDir%\NGS Code Signing Cert 2015.pfx" /p password /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /as /d "i2x for Quickbooks" /du "http://www.nextgensoftware.com" "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\%env.output_file_name% Setup v%env.PATCH_TC_i2xVer%-%build.number%.exe"
Steve De George - Pivotal Z / NextGen Software, Inc.
253-656-4061
www.pivotalz.com<http://www.pivotalz.com/>
www.nextgensoftware.com<http://www.nextgensoftware.com/>
________________________________
From: Hoover, Jacob <Jacob.Hoover at greenheck.com>
Sent: Wednesday, September 6, 2017 9:54:11 AM
To: WiX Toolset Users Mailing List
Cc: Steve De George
Subject: RE: Unknown publisher UAC in Windows 7 only
Is the Win 7 machine connected to the internet? Has it had all the windows updates applied?
When you look at the bundle on the Win7 machine, what does the certificate look like?
-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Steve De George via wix-users
Sent: Wednesday, September 6, 2017 11:35 AM
To: wix-users at lists.wixtoolset.org
Cc: Steve De George <stevedegeorge at pivotalz.com>
Subject: [wix-users] Unknown publisher UAC in Windows 7 only
Hi all.
I am having an issue with the elevated prompt showing 'Unknown' publisher from my burn engine.
Everything works fine in Windows Server 2008, 2012, 2016 and Windows 10. It only fails on Windows 7 SP1.
Both the burn engine and the bundle are signed with SHA256 and SHA1. The MSI is signed with SHA256 and looking at the properties of the installer you can see the digital signatures.
I have been trying to fix this for 2 days now. Why would it fail on Windows 7?
Anybody seen this before?
Thanks.
Steve De George - Pivotal Z / NextGen Software, Inc.
253-656-4061
www.pivotalz.com<http://www.pivotalz.com/>
www.nextgensoftware.com<http://www.nextgensoftware.com/>
____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/
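The thread checks signatures through the Explorer 'Digital signatures' tab; the same check can be scripted as a build gate over the signed engine and bundle. This is an added example, not code from the thread or from the WiX project: the script and its parameter names are hypothetical, signtool.exe is assumed to be on PATH, and the "Hash of file (...)" lines it matches are an assumption about signtool's verbose output.

```powershell
# Added example (not from the thread): fail the build when a file lacks an expected signature.
# Assumptions: signtool.exe is on PATH; -Files are the signed engine.exe and bundle .exe.
# For an MSI, which carries a single signature, pass -Require with one digest only.
param(
    [Parameter(Mandatory = $true)][string[]]$Files,
    [string[]]$Require = @('sha1', 'sha256')
)

function Test-Signatures {
    param([string]$File, [string[]]$Digests)

    # /pa  = default Authenticode verification policy
    # /all = verify every signature in the file, not only the primary one
    # /v   = verbose output, including the file digest of each signature
    $out = & signtool.exe verify /pa /all /v $File | Out-String
    $ok = ($LASTEXITCODE -eq 0)   # non-zero: a signature failed or gave a warning
    Write-Host $out

    # Assumption: verbose output has one "Hash of file (<alg>)" line per signature.
    $found = [regex]::Matches($out, 'Hash of file \((\w+)\)') |
        ForEach-Object { $_.Groups[1].Value.ToLower() }

    foreach ($want in $Digests) {
        if ($found -notcontains $want) {
            Write-Warning "$File has no $want signature"
            $ok = $false
        }
    }
    return $ok
}

$results = foreach ($f in $Files) { Test-Signatures -File $f -Digests $Require }
if ($results -contains $false) {
    Write-Error 'Signature check failed'
    exit 1
}
```

Running it on the Windows 7 test machine itself shows what that machine's own chain building and root store make of each signature, which the properties dialog does not report per signature.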