[wix-users] Unknown publisher UAC in Windows 7 only
Steve De George
stevedegeorge at pivotalz.com
Thu Sep 7 05:50:46 PDT 2017
I just changed the /t to /tr for the timestamp (verified it went to RFC3161) and it still does not work.
Not worried about older OSes as our minimum is Windows 7 SP1.
What is so confusing here is that Win 7 says it is signed (Properties, Digital Signatures) and it works on all other tested OSes. My head hurts...
Thanks Tom.
Steve De George - Pivotal Z / NextGen Software, Inc.
253-656-4061
www.pivotalz.com
www.nextgensoftware.com
________________________________
From: Tom Brezinski <tom.brezinski at ViaviSolutions.com>
Sent: Thursday, September 7, 2017 5:41:04 AM
To: Steve De George; WiX Toolset Users Mailing List; Hoover, Jacob
Subject: RE: Unknown publisher UAC in Windows 7 only
You should not need a SHA1 cert. To my knowledge a SHA1 cert is only needed for kernel mode drivers on Vista. It just was not clear you were signing it SHA1 from what you said.
On the MSI signature you used /t for the timestamp right? I know you can use /tr to do a SHA-1 with RFC3161 but I tried it once and it did not work on some older OSes.
Other than that I am running out of ideas. Might try contacting your certificate vendor.
-Tom
From: Steve De George [mailto:stevedegeorge at pivotalz.com]
Sent: Thursday, September 07, 2017 6:37 AM
To: Tom Brezinski <tom.brezinski at ViaviSolutions.com>; WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>; Hoover, Jacob <Jacob.Hoover at greenheck.com>
Subject: Re: Unknown publisher UAC in Windows 7 only
Hi Tom
My MSI is signed with a SHA256 cert but uses /fd sha1 so it ends up being SHA1 when I look at the digital signature. Do I need a SHA1 cert?
Just turned off Win Defender (as it is Win 7) but that made no difference.
Steve De George - Pivotal Z / NextGen Software, Inc.
253-656-4061
www.pivotalz.com
www.nextgensoftware.com
________________________________
From: Tom Brezinski <tom.brezinski at ViaviSolutions.com>
Sent: Thursday, September 7, 2017 4:16:04 AM
To: WiX Toolset Users Mailing List; Hoover, Jacob
Cc: Steve De George
Subject: RE: Unknown publisher UAC in Windows 7 only
You said you signed the MSI with SHA256. Since you cannot dual sign an MSI I usually sign it SHA1. The Microsoft SHA1 deprecation plan used to make that suggestion, though now they have wiped all code signing info from that article.
This is going to be a really off the wall idea but have you tried turning off SmartScreen? Since you do not have an EV cert there is a slim chance that might be a factor.
-Tom
-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Steve De George via wix-users
Sent: Thursday, September 07, 2017 5:42 AM
To: Hoover, Jacob <Jacob.Hoover at greenheck.com>; WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Cc: Steve De George <stevedegeorge at pivotalz.com>
Subject: Re: [wix-users] Unknown publisher UAC in Windows 7 only
I finished upgrading my Win 7 machine but that made no difference. I also got my hands on another Win 7 machine and that has the same problem.
Just checked Win 8.1 and it works there OK.
I do not get it. On Win 7, in the properties digital signature tab it shows both SHA256 and SHA1 certs.
It works fine on Win 8.1 and 10, Server 2008, 2012, 2016.
I do not see how BuildTargets will change anything as it will use the SignTool command line tool.
Any other ideas?
Steve De George - Pivotal Z / NextGen Software, Inc.
253-656-4061
www.pivotalz.com
www.nextgensoftware.com
________________________________
From: Hoover, Jacob <Jacob.Hoover at greenheck.com>
Sent: Wednesday, September 6, 2017 11:54:11 AM
To: Steve De George; WiX Toolset Users Mailing List
Subject: RE: Unknown publisher UAC in Windows 7 only
I've always used the MSBuild targets:
<Target Name="UsesFrameworkSdk">
<!-- Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->
<!-- Directories from installed software. - Stolen in part from https://github.com/wixtoolset/wix3/blob/develop/tools/WixBuild.props -->
<PropertyGroup>
<PotentialPlatformSdkInstallPath>$([MSBuild]::GetRegistryValueFromView('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Kits\Installed Roots', 'KitsRoot10', null, RegistryView.Registry64, RegistryView.Registry32))</PotentialPlatformSdkInstallPath>
<PlatformSdkInstallPath Condition=" '$(PotentialPlatformSdkInstallPath)'!='' and Exists('$(PotentialPlatformSdkInstallPath)\include\10.0.14393.0\um') ">$(PotentialPlatformSdkInstallPath)</PlatformSdkInstallPath>
<PlatformSdkRegistryVersion Condition=" '$(PlatformSdkInstallPath)'!='' ">v10</PlatformSdkRegistryVersion>
<PlatformSdkIncludeRoot Condition=" '$(PlatformSdkIncludeRoot)'=='' and '$(PlatformSdkInstallPath)'!='' ">$(PlatformSdkInstallPath)\include\10.0.14393.0</PlatformSdkIncludeRoot>
</PropertyGroup>
<PropertyGroup Condition=" '$(PlatformSdkInstallPath)'=='' ">
<PlatformSdkInstallPath>$([MSBuild]::GetRegistryValueFromView('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Kits\Installed Roots', 'KitsRoot81', null, RegistryView.Registry64, RegistryView.Registry32))</PlatformSdkInstallPath>
<PlatformSdkRegistryVersion Condition=" '$(PlatformSdkInstallPath)'!='' ">v8.1</PlatformSdkRegistryVersion>
</PropertyGroup>
<PropertyGroup Condition=" '$(PlatformSdkInstallPath)'=='' ">
<PlatformSdkInstallPath>$([MSBuild]::GetRegistryValueFromView('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v8.0', 'InstallationFolder', null, RegistryView.Registry64, RegistryView.Registry32))</PlatformSdkInstallPath>
<PlatformSdkRegistryVersion Condition=" '$(PlatformSdkInstallPath)'!='' ">v8.0</PlatformSdkRegistryVersion>
</PropertyGroup>
<PropertyGroup Condition=" '$(PlatformSdkInstallPath)'=='' ">
<PlatformSdkInstallPath>$([MSBuild]::GetRegistryValueFromView('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v7.1A', 'InstallationFolder', null, RegistryView.Registry64, RegistryView.Registry32))</PlatformSdkInstallPath>
<PlatformSdkRegistryVersion Condition=" '$(PlatformSdkInstallPath)'!='' ">v7.1A</PlatformSdkRegistryVersion>
</PropertyGroup>
<PropertyGroup Condition=" '$(PlatformSdkInstallPath)'=='' ">
<PlatformSdkInstallPath>$([MSBuild]::GetRegistryValueFromView('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v7.0A', 'InstallationFolder', null, RegistryView.Registry64, RegistryView.Registry32))</PlatformSdkInstallPath>
<PlatformSdkRegistryVersion Condition=" '$(PlatformSdkInstallPath)'!='' ">v7.0A</PlatformSdkRegistryVersion>
</PropertyGroup>
<PropertyGroup>
<PlatformSdkInstallPath Condition="!HasTrailingSlash('$(PlatformSdkInstallPath)')">$(PlatformSdkInstallPath)\</PlatformSdkInstallPath>
<PlatformSdkIncludeRoot Condition=" '$(PlatformSdkIncludeRoot)'=='' ">$(PlatformSdkInstallPath)include</PlatformSdkIncludeRoot>
<PlatformSdkIncludePath Condition=" '$(PlatformSdkIncludePath)'=='' ">$(PlatformSdkIncludeRoot)</PlatformSdkIncludePath>
<PlatformSdkIncludePath Condition=" Exists('$(PlatformSdkIncludeRoot)\shared') ">$(PlatformSdkIncludePath);$(PlatformSdkIncludeRoot)\shared</PlatformSdkIncludePath>
<PlatformSdkIncludePath Condition=" Exists('$(PlatformSdkIncludeRoot)\um') ">$(PlatformSdkIncludePath);$(PlatformSdkIncludeRoot)\um</PlatformSdkIncludePath>
<PlatformSdkBinPath>$(PlatformSdkInstallPath)bin\</PlatformSdkBinPath>
<PlatformSdkBinPath Condition=" Exists('$(PlatformSdkBinPath)x86') ">$(PlatformSdkBinPath)x86\</PlatformSdkBinPath>
</PropertyGroup>
</Target>
<Target Name="UsesSignTool" DependsOnTargets="UsesFrameworkSdk">
<PropertyGroup>
<SignToolPath Condition="('$(SignToolPath)'=='') and Exists('$(PlatformSdkBinPath)signtool.exe')">$(PlatformSdkBinPath)signtool.exe</SignToolPath>
</PropertyGroup>
<Message Text="PlatformSdkRegistryVersion is: $(PlatformSdkRegistryVersion)" Importance="normal"/>
<Message Text="PlatformSdkBinPath is: $(PlatformSdkBinPath)" Importance="normal"/>
<Message Text="SignToolPath is: $(SignToolPath)" Importance="normal"/>
</Target>
<Target Name="SignBundleEngine" DependsOnTargets="UsesSignTool">
<Message Importance="high" Text="SignBundleEngine=&quot;@(SignBundleEngine)&quot;" />
<!-- First signature: SHA1 file digest with an Authenticode (/t) timestamp -->
<Exec Command="&quot;$(SignToolPath)&quot; sign /d &quot;Foo Setup&quot; /t http://timestamp.digicert.com /sha1 $(Sha1) /a &quot;@(SignBundleEngine)&quot;" />
<!-- Second signature appended (/as): SHA256 file digest with an RFC3161 (/tr) timestamp -->
<Exec Command="&quot;$(SignToolPath)&quot; sign /d &quot;Foo Setup&quot; /tr http://timestamp.digicert.com /td sha256 /fd sha256 /as /sha1 $(Sha256) /a &quot;@(SignBundleEngine)&quot;" />
</Target>
<Target Name="SignBundle" DependsOnTargets="UsesSignTool">
<Message Importance="high" Text="SignBundle=&quot;@(SignBundle)&quot;" />
<Exec Command="&quot;$(SignToolPath)&quot; sign /d &quot;Foo Setup&quot; /t http://timestamp.digicert.com /sha1 $(Sha1) /a &quot;@(SignBundle)&quot;" />
<Exec Command="&quot;$(SignToolPath)&quot; sign /d &quot;Foo Setup&quot; /tr http://timestamp.digicert.com /td sha256 /fd sha256 /as /sha1 $(Sha256) /a &quot;@(SignBundle)&quot;" />
</Target>
From: Steve De George [mailto:stevedegeorge at pivotalz.com]
Sent: Wednesday, September 6, 2017 12:11 PM
To: Hoover, Jacob <Jacob.Hoover at greenheck.com>; WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: Re: Unknown publisher UAC in Windows 7 only
Win 7 machine is connected to the internet and is at least SP1. It is a test machine and has not been used in a few months so I am updating it now.
On the Windows 7 machine the Bundle shows dual signed certs in the 'Digital signatures' tab: SHA256 and SHA1
I use this powershell (run from TeamCity) script to sign everything. The MSI is signed in a different step and I checked and its 'Digital signatures' tab shows SHA256
rem # --- extract the burn engine
"%env.wix%bin\insignia.exe" -ib "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\%env.output_file_name% Setup v%env.PATCH_TC_i2xVer%-%build.number%.exe" -o "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\engine.exe"
rem # --- sign it
signtool.exe sign /f "%system.teamcity.build.checkoutDir%\NGS Code Signing Cert 2015.pfx" /p password /fd sha1 /t http://timestamp.comodoca.com /d "i2x for Quickbooks" /du "http://www.nextgensoftware.com" "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\engine.exe"
signtool.exe sign /f "%system.teamcity.build.checkoutDir%\NGS Code Signing Cert 2015.pfx" /p password /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /as /d "i2x for Quickbooks" /du "http://www.nextgensoftware.com" "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\engine.exe"
rem # --- put it back into the bundle
"%env.wix%bin\insignia" -ab "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\engine.exe" "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\%env.output_file_name% Setup v%env.PATCH_TC_i2xVer%-%build.number%.exe" -o "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\%env.output_file_name% Setup v%env.PATCH_TC_i2xVer%-%build.number%.exe"
rem # --- sign the bundle
signtool.exe sign /f "%system.teamcity.build.checkoutDir%\NGS Code Signing Cert 2015.pfx" /p password /fd sha1 /t http://timestamp.comodoca.com /d "i2x for Quickbooks" /du "http://www.nextgensoftware.com" "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\%env.output_file_name% Setup v%env.PATCH_TC_i2xVer%-%build.number%.exe"
signtool.exe sign /f "%system.teamcity.build.checkoutDir%\NGS Code Signing Cert 2015.pfx" /p password /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /as /d "i2x for Quickbooks" /du "http://www.nextgensoftware.com" "%system.teamcity.build.checkoutDir%\i2x.net\MSI Setups\i2x Bootstrapper\bin\release\%env.output_file_name% Setup v%env.PATCH_TC_i2xVer%-%build.number%.exe"
Steve De George - Pivotal Z / NextGen Software, Inc.
253-656-4061
www.pivotalz.com
www.nextgensoftware.com
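As an added example (not code from this thread or from either poster), a PowerShell check for the three artifacts the script above produces (engine, bundle, MSI). It lists the signer, signature algorithm and timestamp of each file's primary Authenticode signature, then runs signtool verify under the default Authenticode policy with every signature checked, which is the policy the UAC publisher prompt relies on. The paths and the signtool.exe location are assumptions.

```powershell
# Added example: verify Authenticode signatures on Burn artifacts the way
# UAC's publisher check does. Paths and signtool location are assumptions.
$SignTool  = 'C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe'  # placeholder
$Artifacts = @(
    'C:\build\engine.exe',    # placeholder: engine extracted with insignia -ib
    'C:\build\Setup.exe',     # placeholder: bundle after insignia -ab
    'C:\build\Product.msi'    # placeholder: the MSI (single signature only)
)

function Get-PrimarySignatureInfo {
    param([Parameter(Mandatory)][string]$Path)
    # Get-AuthenticodeSignature reports only the primary (first) signature,
    # so on a dual-signed file this is the SHA1 one; /all below covers the rest.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File          = Split-Path -Path $Path -Leaf
        Status        = $sig.Status                  # Valid, NotSigned, UnknownError ...
        StatusMessage = $sig.StatusMessage
        Signer        = $sig.SignerCertificate.Subject
        SigAlgorithm  = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
        TimeStamper   = $sig.TimeStamperCertificate.Subject
    }
}

function Test-AllSignatures {
    param([Parameter(Mandatory)][string]$Path)
    # /pa  default Authenticode policy (no Windows-driver policy)
    # /all verify every signature, not just the primary one
    # /tw  warn when a signature carries no timestamp
    # /v   print hash algorithm, chain and timestamp per signature
    & $SignTool verify /pa /all /tw /v $Path
    return ($LASTEXITCODE -eq 0)
}

$failed = @()
foreach ($file in $Artifacts) {
    if (-not (Test-Path -Path $file)) { Write-Warning "missing: $file"; continue }
    Get-PrimarySignatureInfo -Path $file | Format-List
    if (-not (Test-AllSignatures -Path $file)) { $failed += $file }
}

if ($failed.Count -gt 0) {
    Write-Warning ("signtool verify /pa /all failed for: " + ($failed -join ', '))
    exit 1
}
Write-Host 'All artifacts verified under the default Authenticode policy.'
```

Run it on the machine that shows the Unknown publisher prompt: a signature that verifies on the build box but fails there points at the chain or timestamp on that OS rather than at the signing step.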
________________________________
From: Hoover, Jacob <Jacob.Hoover at greenheck.com>
Sent: Wednesday, September 6, 2017 9:54:11 AM
To: WiX Toolset Users Mailing List
Cc: Steve De George
Subject: RE: Unknown publisher UAC in Windows 7 only
Is the Win 7 machine connected to the internet? Has it had all the windows updates applied?
When you look at the bundle on the Win7 machine, what does the certificate look like?
-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Steve De George via wix-users
Sent: Wednesday, September 6, 2017 11:35 AM
To: wix-users at lists.wixtoolset.org
Cc: Steve De George <stevedegeorge at pivotalz.com>
Subject: [wix-users] Unknown publisher UAC in Windows 7 only
Hi all.
I am having an issue with the elevated prompt showing 'Unknown' publisher from my burn engine.
Everything works fine in Windows Server 2008, 2012, 2016 and Windows 10. It only fails on Windows 7 SP1.
Both the burn engine and the bundle are signed with SHA256 and SHA1. The MSI is signed with SHA256 and looking at the properties of the installer you can see the digital signatures.
I have been trying to fix this for 2 days now. Why would it fail on Windows 7?
Anybody seen this before?
Thanks.
Steve De George - Pivotal Z / NextGen Software, Inc.
253-656-4061
www.pivotalz.com
www.nextgensoftware.com
____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/