[wix-users] [EXTERNAL] Re: Code Integrity validation triggered at firewall.dll and winca.dll

Masato Maeda Masato.Maeda at microsoft.com
Mon Jun 1 08:55:38 PDT 2020


Hi,

I confirmed that manually stripping the certificate made it work. However, our company still has a problem. We need to double code-sign all open source code binaries. It allows only a set of known certificates for digital signatures, even if it comes from publicly trusted certificate authorities. The embedded DLL makes it difficult, and I think we shouldn't rebuild the whole package with a different signature. Is it possible to repack extension modules over released binaries?

Thanks,
Masato

-----Original Message-----
From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf Of Blair Murri via wix-users
Sent: Sunday, May 31, 2020 2:32 PM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Cc: Blair Murri <osito at live.com>
Subject: Re: [wix-users] [EXTERNAL] Re: Code Integrity validation triggered at firewall.dll and winca.dll

There was a bug open on that. It's because the engine shouldn't have been signed "before" all the containers are attached (and there will always be at least one attached during your build), as that invalidates the signature and prevents any new signatures.

Comments in the issue describe the workaround. It might have been fixed in v3.14, in which case the issue might be closed already.

Blair Murri


________________________________
From: wix-users <wix-users-bounces at lists.wixtoolset.org> on behalf of Masato Maeda via wix-users <wix-users at lists.wixtoolset.org>
Sent: Wednesday, May 27, 2020 9:49:55 PM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>; Bob Arnson <bob at firegiant.com>
Cc: Masato Maeda <Masato.Maeda at microsoft.com>
Subject: Re: [wix-users] [EXTERNAL] Re: Code Integrity validation triggered at firewall.dll and winca.dll

I confirmed nested DLLs such as firewall.dll and wixca.dll on v3.11.2 were signed.

After moving to v3.11.2, I see another issue: the DLL generated by MakeSfxCA.exe shows a bad-format issue when I try to sign it. Code signing doesn't work on the DLL. It didn't happen when I used v3.10.3. Code Integrity looks at the packed DLLs and claims they are not signed.

Thanks,
Masato

-----Original Message-----
From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf Of Edwin Castro via wix-users
Sent: Wednesday, May 27, 2020 12:22 PM
To: Bob Arnson <bob at firegiant.com>
Cc: Edwin Castro <egcastr at gmail.com>; WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: [EXTERNAL] Re: [wix-users] Code Integrity validation triggered at firewall.dll and winca.dll

I thought I got wix311-binaries.zip from https://github.com/wixtoolset/wix3/releases.

I downloaded it and checked again and can confirm WiX v3.11.2 has signed custom action dlls.

Perhaps I downloaded the wrong version previously.

--
Edwin G. Castro


On Wed, May 27, 2020 at 6:22 AM Bob Arnson <bob at firegiant.com> wrote:

> If you got them from https://github.com/wixtoolset, they're signed.
>
> -----Original Message-----
> From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf Of 
> Edwin Castro via wix-users
> Sent: Wednesday, 27 May, 2020 00:33
> To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> Cc: Edwin Castro <egcastr at gmail.com>
> Subject: Re: [wix-users] Code Integrity validation triggered at 
> firewall.dll and winca.dll
>
> There is no NuGet for WiX v3 but I'm fairly certain the native ca 
> dlls are not signed.
>
> I've decomposed the cab and wixlib for the extension dlls and was able 
> to confirm the ca dlls were not signed. Going off memory but I think I 
> found their version numbers to be older than I expected.
>
> I had not gotten around to filing a bug yet. I'll see about doing that 
> tonight or tomorrow.
>
> --
> Edwin G. Castro
>
> On Tue, May 26, 2020, 21:21 Rob Mensching via wix-users < 
> wix-users at lists.wixtoolset.org> wrote:
>
> > There is no NuGet for WiX v3.
> >
> > ---
> > Short replies here. Complete answers here:
> > https://www.firegiant.com/services/
> >
> > -----Original Message-----
> > From: Masato Maeda <Masato.Maeda at microsoft.com>
> > Sent: Tuesday, May 26, 2020 8:58 PM
> > To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> > Cc: Rob Mensching <rob at firegiant.com>
> > Subject: RE: Code Integrity validation triggered at firewall.dll and 
> > winca.dll
> >
> > The NuGet package is code signed, but the individual contents of the 
> > NuGet package, such as EXEs and DLLs, do not look code signed.
> > If a file is code signed, it should show a "Digital Signatures" tab in 
> > the properties view of the file. For example, firewall.dll and winca.dll 
> > are not code signed.
> >
> > Thanks,
> > Masato
> >
> > -----Original Message-----
> > From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf 
> > Of Rob Mensching via wix-users
> > Sent: Tuesday, May 26, 2020 8:17 PM
> > To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> > Cc: Rob Mensching <rob at firegiant.com>
> > Subject: [EXTERNAL] Re: [wix-users] Code Integrity validation 
> > triggered at firewall.dll and winca.dll
> >
> > Those files are signed in WiX v3.11.2
> >
> > ---
> > Short replies here. Complete answers here:
> > https://www.firegiant.com/services/
> >
> > -----Original Message-----
> > From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf 
> > Of Masato Maeda via wix-users
> > Sent: Tuesday, May 26, 2020 8:14 PM
> > To: wix-users at lists.wixtoolset.org
> > Cc: Masato Maeda <Masato.Maeda at microsoft.com>
> > Subject: [wix-users] Code Integrity validation triggered at 
> > firewall.dll and winca.dll
> >
> > Hi,
> >
> > Our team is using the WiX Toolset to build an MSI. There is a high-security 
> > Microsoft Windows environment with an enhanced Code Integrity policy.
> > All binaries being deployed must be code signed. This includes the temporary 
> > DLL that runs during custom action execution. I have signed 
> > CustomActionLibrary before and after running MakeSfxCA.exe. But native 
> > extension libraries such as firewall.dll and winca.dll caused integrity 
> > errors. Is there a way to repack them after they are digitally signed?
> >
> > Thanks,
> > Masato
> >
> >
> >
> > ____________________________________________________________________
> > WiX Toolset Users Mailing List provided by FireGiant 
> > http://www.firegiant.com/
> >
>
>

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/
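
An added example, not part of the thread and not WiX code: a Python check for the condition Blair Murri describes, a binary that was signed before more data was attached to it. It assumes the attached data lands after the certificate table at the end of the file; `cert_table_status` and `build_sample` are hypothetical names, and the sample images are constructed.

```python
import struct

SECURITY_DIR = 4  # index of IMAGE_DIRECTORY_ENTRY_SECURITY in the data directories

def cert_table_status(data: bytes) -> dict:
    """Find the Authenticode certificate table and report what follows it.
    Presence only: this does not validate the signature or its chain."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24                  # 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)            # PE32 / PE32+
    (count,) = struct.unpack_from("<I", data, dirs - 4)     # NumberOfRvaAndSizes
    offset = size = 0
    if count > SECURITY_DIR:
        # For this directory the address field is a file offset, not an RVA.
        offset, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    if offset == 0 or size == 0:
        return {"state": "unsigned", "offset": 0, "size": 0, "trailing": 0}
    trailing = len(data) - (offset + size)
    if trailing < 0:
        state = "truncated"
    elif trailing > 0:
        state = "data-after-signature"   # bytes were added after signing
    else:
        state = "signature-at-end"
    return {"state": state, "offset": offset, "size": size, "trailing": max(trailing, 0)}

def build_sample(cert_len: int, appended: bytes = b"") -> bytes:
    """Constructed PE32+ header with no sections; for the check above only."""
    pe_off, opt_size = 0x40, 112 + 16 * 8
    image = bytearray(pe_off + 24 + opt_size)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, pe_off)
    image[pe_off:pe_off + 4] = b"PE\0\0"
    opt = pe_off + 24
    struct.pack_into("<H", image, opt, 0x20B)
    struct.pack_into("<I", image, opt + 108, 16)            # NumberOfRvaAndSizes
    if cert_len:
        struct.pack_into("<II", image, opt + 112 + 8 * SECURITY_DIR, len(image), cert_len)
    return bytes(image) + b"\0" * cert_len + appended

if __name__ == "__main__":
    for name, blob in [("unsigned", build_sample(0)), ("signed", build_sample(16)),
                       ("signed, then payload appended", build_sample(16, b"CAB" * 10))]:
        print(name, cert_table_status(blob))
```

Run against real files with `cert_table_status(open(path, "rb").read())`; a `data-after-signature` result on a build output points at a signing step that ran before the final contents were attached.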
