[wix-users] [EXTERNAL] Re: Code Integrity validation triggered at firewall.dll and winca.dll

rkamarowski at yahoo.com rkamarowski at yahoo.com
Fri Jun 5 09:01:02 PDT 2020


I don't know if you received my previous message. The source files are here:

https://drive.google.com/drive/folders/1Kk1OYVI1GGo33ZUu36GxLLxQafGaTymm?usp=sharing



-----Original Message-----
From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf Of Masato
Maeda via wix-users
Sent: Monday, June 1, 2020 11:56 AM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Cc: Masato Maeda <Masato.Maeda at microsoft.com>
Subject: Re: [wix-users] [EXTERNAL] Re: Code Integrity validation triggered
at firewall.dll and winca.dll

Hi,

I confirmed that a manually stripped certificate made it work. However, our
company still has a problem. We need to double code-sign all open source
binaries. It allows only a set of known certificates for digital
signatures, even if they come from publicly trusted certificate authorities.
Embedded DLLs make it difficult, and I think we shouldn't rebuild the whole
package with a different signature. Is it possible to repack extension
modules over released binaries?

Thanks,
Masato

-----Original Message-----
From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf Of Blair
Murri via wix-users
Sent: Sunday, May 31, 2020 2:32 PM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Cc: Blair Murri <osito at live.com>
Subject: Re: [wix-users] [EXTERNAL] Re: Code Integrity validation triggered
at firewall.dll and winca.dll

There was a bug open on that. It's because the engine shouldn't have been
signed "before" all the containers are attached (and there will always be at
least one attached during your build), as that invalidates the signature and
prevents any new signatures.

Comments in the issue describe the workaround. It might have been fixed in
v3.14, in which case the issue might be closed already.

Blair Murri


________________________________
From: wix-users <wix-users-bounces at lists.wixtoolset.org> on behalf of Masato
Maeda via wix-users <wix-users at lists.wixtoolset.org>
Sent: Wednesday, May 27, 2020 9:49:55 PM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>; Bob
Arnson <bob at firegiant.com>
Cc: Masato Maeda <Masato.Maeda at microsoft.com>
Subject: Re: [wix-users] [EXTERNAL] Re: Code Integrity validation triggered
at firewall.dll and winca.dll

I confirmed that nested DLLs such as firewall.dll and wixca.dll in v3.11.2 are
signed.

After moving to v3.11.2, I see another issue: the DLL generated by
MakeSfxCA.exe shows a bad-format issue when I try to sign it. Code signing
doesn't work on the DLL. It didn't happen when I used v3.10.3. Code Integrity
looks at packed DLLs and claims it's not signed.

Thanks,
Masato

-----Original Message-----
From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf Of Edwin
Castro via wix-users
Sent: Wednesday, May 27, 2020 12:22 PM
To: Bob Arnson <bob at firegiant.com>
Cc: Edwin Castro <egcastr at gmail.com>; WiX Toolset Users Mailing List
<wix-users at lists.wixtoolset.org>
Subject: [EXTERNAL] Re: [wix-users] Code Integrity validation triggered at
firewall.dll and winca.dll

I thought I got wix311-binaries.zip from
https://github.com/wixtoolset/wix3/releases.

I downloaded it and checked again and can confirm WiX v3.11.2 has signed
custom action dlls.

Perhaps I downloaded the wrong version previously.

--
Edwin G. Castro


On Wed, May 27, 2020 at 6:22 AM Bob Arnson <bob at firegiant.com> wrote:

> If you got them from https://github.com/wixtoolset, they're signed.
>
> -----Original Message-----
> From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf Of 
> Edwin Castro via wix-users
> Sent: Wednesday, 27 May, 2020 00:33
> To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> Cc: Edwin Castro <egcastr at gmail.com>
> Subject: Re: [wix-users] Code Integrity validation triggered at 
> firewall.dll and winca.dll
>
> There is no NuGet for WiX v3 but I'm fairly certain the native ca 
> dlls are not signed.
>
> I've decomposed the cab and wixlib for the extension dlls and was able 
> to confirm the ca dlls were not signed. Going off memory but I think I 
> found their version numbers to be older than I expected.
>
> I had not gotten around to filing a bug yet. I'll see about doing that 
> tonight or tomorrow.
>
> --
> Edwin G. Castro
>
> On Tue, May 26, 2020, 21:21 Rob Mensching via wix-users < 
> wix-users at lists.wixtoolset.org> wrote:
>
> > There is no NuGet for WiX v3.
> >
> > ---
> > Short replies here. Complete answers here:
> > https://www.firegiant.com/services/
> >
> > -----Original Message-----
> > From: Masato Maeda <Masato.Maeda at microsoft.com>
> > Sent: Tuesday, May 26, 2020 8:58 PM
> > To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> > Cc: Rob Mensching <rob at firegiant.com>
> > Subject: RE: Code Integrity validation triggered at firewall.dll and 
> > winca.dll
> >
> > The NuGet package is code signed, but the individual contents of the 
> > NuGet package, such as EXEs and DLLs, do not appear to be code signed.
> > If a file is code signed, it should show a "Digital Signatures" tab in 
> > the properties view of the file. For example, firewall.dll and winca.dll 
> > are not code signed.
> >
> > Thanks,
> > Masato
> >
> > -----Original Message-----
> > From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf 
> > Of Rob Mensching via wix-users
> > Sent: Tuesday, May 26, 2020 8:17 PM
> > To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> > Cc: Rob Mensching <rob at firegiant.com>
> > Subject: [EXTERNAL] Re: [wix-users] Code Integrity validation 
> > triggered at firewall.dll and winca.dll
> >
> > Those files are signed in WiX v3.11.2
> >
> > ---
> > Short replies here. Complete answers here:
> > https://www.firegiant.com/services/
> >
> > -----Original Message-----
> > From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf 
> > Of Masato Maeda via wix-users
> > Sent: Tuesday, May 26, 2020 8:14 PM
> > To: wix-users at lists.wixtoolset.org
> > Cc: Masato Maeda <Masato.Maeda at microsoft.com>
> > Subject: [wix-users] Code Integrity validation triggered at 
> > firewall.dll and winca.dll
> >
> > Hi,
> >
> > Our team is using WiX Toolset to build an MSI. There is a high-security 
> > Microsoft Windows environment with an enhanced Code Integrity policy.
> > All deployed binaries must be code signed. This includes the temporary 
> > DLL that runs during custom action execution. I have signed 
> > CustomActionLibrary before and after running MakeSfxCA.exe. But native 
> > extension libraries such as firewall.dll and winca.dll caused integrity 
> > errors. Is there a way to repack them after digitally signing them?
> >
> > Thanks,
> > Masato
> >
> >
> >
> > ____________________________________________________________________
> > WiX Toolset Users Mailing List provided by FireGiant 
> > http://www.firegiant.com/
> >
____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant
http://www.firegiant.com/
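
The "Digital Signatures" tab check mentioned in the thread can be scripted over DLLs extracted from a cab or wixlib. The following is an added example, not code from the thread or from WiX: it reads the PE certificate table entry (data directory index 4) and reports its file offset, its size, and how many bytes follow it; the function names and the constructed sample header are assumptions made for illustration.

```python
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)

def embedded_signature_info(data: bytes):
    """Return (offset, size, trailing_bytes) of the PE certificate table, or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt_off = pe_off + 24  # 4-byte signature + 20-byte COFF header
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic == 0x10B:      # PE32: data directories start at +96
        dirs_off = opt_off + 96
    elif magic == 0x20B:    # PE32+: data directories start at +112
        dirs_off = opt_off + 112
    else:
        raise ValueError("unknown optional header magic")
    (num_dirs,) = struct.unpack_from("<I", data, dirs_off - 4)
    entry_off = dirs_off + 8 * SECURITY_DIR_INDEX
    if num_dirs <= SECURITY_DIR_INDEX or entry_off + 8 > opt_off + opt_size:
        return None
    # For this directory only, the first field is a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", data, entry_off)
    if offset == 0 or size == 0:
        return None  # no embedded signature: no "Digital Signatures" tab
    if offset + size > len(data):
        raise ValueError("certificate table points past end of file")
    return offset, size, len(data) - (offset + size)

def constructed_pe(cert_blob: bytes = b"", trailing: bytes = b"") -> bytes:
    """Build a minimal PE32+ header (constructed sample, not a real DLL)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    opt = bytearray(112 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B)   # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)    # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x2022)
    body = bytearray(dos + b"PE\0\0" + coff + bytes(opt))
    if cert_blob:  # placeholder bytes stand in for a WIN_CERTIFICATE
        entry = 0x40 + 24 + 112 + 8 * SECURITY_DIR_INDEX
        struct.pack_into("<II", body, entry, len(body), len(cert_blob))
    return bytes(body) + cert_blob + trailing

if __name__ == "__main__":
    print(embedded_signature_info(constructed_pe()))              # unsigned
    print(embedded_signature_info(constructed_pe(b"\0" * 16)))    # table present
```

A non-None result only shows that a certificate table is present; whether the signature is valid and chains to a certificate the Code Integrity policy allows still has to be checked with the platform's own verification tools.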



