[wix-users] zip slip and WiX toolset

Rob Mensching rob at firegiant.com
Thu Oct 4 09:49:44 PDT 2018


It is a bit of a racket but it is also "better than nothing".

Signing is very important to ensure that a "bad guy" doesn't pass off "bad stuff" as your product. Less important for internal use. Much more important if sharing software over the internet.

Signing can also help survive smart screening.

_____________________________________________________________
 Short replies here. Complete answers over there: http://www.firegiant.com/

-----Original Message-----
From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf Of Christopher Painter via wix-users
Sent: Wednesday, September 26, 2018 1:10 PM
To: Hoover, Jacob <Jacob.Hoover at greenheck.com>; WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>; Edwin Castro <egcastr at gmail.com>
Cc: Christopher Painter <chrpai at iswix.com>
Subject: Re: [wix-users] zip slip and WiX toolset

True, but let's be honest... how many people just click OK? And how many people really do LUAPatching?

Everywhere that I've ever worked, non-administrators can install stuff (MSI or not) via tools like SCCM Software Center. Users with admin rights just download and click next next next....

If it makes someone feel better to look at my MSI and see that it's signed, great! But honestly there was a period of several years where I didn't bother because they made it so f* hard to get my cert renewed. I didn't get one single complaint. Now I sign again... for the next couple years that it is. If renewing my cert goes well I'll keep doing it. Otherwise it all feels like a $$$ racket to me. Someone is trusting Microsoft to trust some root to trust some intermediary to trust some company who trusts some reseller that I really am me. Hmmm ok. Better than nothing I guess.

