[wix-users] [EXTERNAL] Re: Code Integrity validation triggered at firewall.dll and winca.dll

Masato Maeda Masato.Maeda at microsoft.com
Tue Jun 9 20:56:55 PDT 2020


Hi,

I cannot open the Google Drive link in the below email from rkamarowski at yahoo.com. Can you make it accessible?

Thanks,
Masato

-----Original Message-----
From: rkamarowski at yahoo.com <rkamarowski at yahoo.com> 
Sent: Friday, June 5, 2020 9:01 AM
To: 'WiX Toolset Users Mailing List' <wix-users at lists.wixtoolset.org>
Cc: Masato Maeda <Masato.Maeda at microsoft.com>
Subject: RE: [wix-users] [EXTERNAL] Re: Code Integrity validation triggered at firewall.dll and winca.dll

I don't know if you received my previous message. The source files are here:

https://drive.google.com/drive/folders/1Kk1OYVI1GGo33ZUu36GxLLxQafGaTymm?usp=sharing



-----Original Message-----
From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf Of Masato Maeda via wix-users
Sent: Monday, June 1, 2020 11:56 AM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Cc: Masato Maeda <Masato.Maeda at microsoft.com>
Subject: Re: [wix-users] [EXTERNAL] Re: Code Integrity validation triggered at firewall.dll and winca.dll

Hi,

I confirmed that a manually stripped certificate made it work. However, our company still has a problem. We need to double code-sign all open source code binaries. It allows only a set of known certificates for digital signatures, even if it comes from publicly trusted certificate authorities.
Embedded DLLs make it difficult, and I think we shouldn't rebuild the whole package with a different signature. Is it possible to repack extension modules over released binaries?

Thanks,
Masato

-----Original Message-----
From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf Of Blair Murri via wix-users
Sent: Sunday, May 31, 2020 2:32 PM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Cc: Blair Murri <osito at live.com>
Subject: Re: [wix-users] [EXTERNAL] Re: Code Integrity validation triggered at firewall.dll and winca.dll

There was a bug open on that. It's because the engine shouldn't have been signed "before" all the containers are attached (and there will always be at least one attached during your build), as that invalidates the signature and prevents any new signatures.

Comments in the issue describe the workaround. It might have been fixed in v3.14, in which case the issue might be closed already.

Blair Murri

________________________________
From: wix-users <wix-users-bounces at lists.wixtoolset.org> on behalf of Masato Maeda via wix-users <wix-users at lists.wixtoolset.org>
Sent: Wednesday, May 27, 2020 9:49:55 PM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>; Bob Arnson <bob at firegiant.com>
Cc: Masato Maeda <Masato.Maeda at microsoft.com>
Subject: Re: [wix-users] [EXTERNAL] Re: Code Integrity validation triggered at firewall.dll and winca.dll

I confirmed that nested DLLs such as firewall.dll and wixca.dll on v3.11.2 were signed.

After moving to v3.11.2, I see another issue: the DLL generated by MakeSfxCA.exe shows a bad-format issue when I try to sign it. Code signing doesn't work on the DLL. It didn't happen when I used v3.10.3. Code Integrity looks at the packed DLLs and claims they are not signed.

Thanks,
Masato
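
Added example, not from the original thread or the WiX project: the "Digital Signatures" tab check discussed in this thread can be scripted by reading the PE Certificate Table entry (data directory index 4), which is where an embedded Authenticode signature is stored. It reports presence only, with no hash or chain validation, plus any bytes that sit after the table, which is what appending data to an already signed file produces; `signature_slot` and `build_sample` are hypothetical names and the sample images are constructed.

```python
import struct

def signature_slot(data: bytes) -> dict:
    """Report the PE Certificate Table (data directory 4). Presence only:
    this does not verify the Authenticode hash or the certificate chain."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24                       # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = {0x10B: opt + 96, 0x20B: opt + 112}.get(magic)  # PE32 / PE32+
    if dirs is None:
        raise ValueError("unknown optional header magic")
    count = struct.unpack_from("<I", data, dirs - 4)[0]    # NumberOfRvaAndSizes
    # Entry 4 holds a file offset (not an RVA) and a size.
    offset, size = struct.unpack_from("<II", data, dirs + 4 * 8) if count > 4 else (0, 0)
    info = {"signed": False, "offset": offset, "size": size, "trailing": 0}
    if size == 0:
        return info                     # no embedded signature
    if size < 8 or offset + size > len(data):
        raise ValueError("certificate table points outside the file")
    _length, _revision, cert_type = struct.unpack_from("<IHH", data, offset)
    info.update(signed=cert_type == 0x0002,    # WIN_CERT_TYPE_PKCS_SIGNED_DATA
                trailing=len(data) - (offset + size))
    return info

def build_sample(cert: bytes = b"", tail: bytes = b"") -> bytes:
    """Constructed minimal PE32+ headers for the demo; not a loadable DLL."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x98, 0x20B)               # PE32+ magic
    struct.pack_into("<I", img, 0x98 + 108, 16)            # 16 data directories
    if cert:
        blob = struct.pack("<IHH", 8 + len(cert), 0x0200, 0x0002) + cert
        struct.pack_into("<II", img, 0x98 + 112 + 4 * 8, len(img), len(blob))
        img += blob
    return bytes(img) + tail

if __name__ == "__main__":
    samples = {"unsigned.dll": build_sample(),
               "signed.dll": build_sample(cert=b"\0" * 8),
               "signed-then-appended.exe": build_sample(b"\0" * 8, b"container")}
    for name, image in samples.items():
        print(name, signature_slot(image))
```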

-----Original Message-----
From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf Of Edwin Castro via wix-users
Sent: Wednesday, May 27, 2020 12:22 PM
To: Bob Arnson <bob at firegiant.com>
Cc: Edwin Castro <egcastr at gmail.com>; WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: [EXTERNAL] Re: [wix-users] Code Integrity validation triggered at firewall.dll and winca.dll

I thought I got wix311-binaries.zip from https://github.com/wixtoolset/wix3/releases.

I downloaded it and checked again and can confirm WiX v3.11.2 has signed custom action dlls.

Perhaps I downloaded the wrong version previously.

--
Edwin G. Castro


On Wed, May 27, 2020 at 6:22 AM Bob Arnson <bob at firegiant.com> wrote:

> If you got them from https://github.com/wixtoolset, they're signed.
>
> -----Original Message-----
> From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf Of 
> Edwin Castro via wix-users
> Sent: Wednesday, 27 May, 2020 00:33
> To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> Cc: Edwin Castro <egcastr at gmail.com>
> Subject: Re: [wix-users] Code Integrity validation triggered at 
> firewall.dll and winca.dll
>
> There is no NuGet for WiX v3 but I'm fairly certain the native ca 
> dlls are not signed.
>
> I've decomposed the cab and wixlib for the extension dlls and was able 
> to confirm the ca dlls were not signed. Going off memory but I think I 
> found their version numbers to be older than I expected.
>
> I had not gotten around to filing a bug yet. I'll see about doing that 
> tonight or tomorrow.
>
> --
> Edwin G. Castro
>
> On Tue, May 26, 2020, 21:21 Rob Mensching via wix-users < 
> wix-users at lists.wixtoolset.org> wrote:
>
> > There is no NuGet for WiX v3.
> >
> > ---
> > Short replies here. Complete answers here:
> > https://www.firegiant.com/services/
> >
> > -----Original Message-----
> > From: Masato Maeda <Masato.Maeda at microsoft.com>
> > Sent: Tuesday, May 26, 2020 8:58 PM
> > To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> > Cc: Rob Mensching <rob at firegiant.com>
> > Subject: RE: Code Integrity validation triggered at firewall.dll and 
> > winca.dll
> >
> > The NuGet package is code signed, but the individual contents of the
> > NuGet package, such as EXEs and DLLs, look like they are not code signed.
> > If a file is code signed, it should show a "Digital Signatures" tab in
> > the properties view of the file. For example, firewall.dll and winca.dll
> > are not code signed.
> >
> > Thanks,
> > Masato
> >
> > -----Original Message-----
> > From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf 
> > Of Rob Mensching via wix-users
> > Sent: Tuesday, May 26, 2020 8:17 PM
> > To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> > Cc: Rob Mensching <rob at firegiant.com>
> > Subject: [EXTERNAL] Re: [wix-users] Code Integrity validation 
> > triggered at firewall.dll and winca.dll
> >
> > Those files are signed in WiX v3.11.2
> >
> > ---
> > Short replies here. Complete answers here:
> > https://www.firegiant.com/services/
> >
> > -----Original Message-----
> > From: wix-users <wix-users-bounces at lists.wixtoolset.org> On Behalf 
> > Of Masato Maeda via wix-users
> > Sent: Tuesday, May 26, 2020 8:14 PM
> > To: wix-users at lists.wixtoolset.org
> > Cc: Masato Maeda <Masato.Maeda at microsoft.com>
> > Subject: [wix-users] Code Integrity validation triggered at 
> > firewall.dll and winca.dll
> >
> > Hi,
> >
> > Our team is using WiX Toolset to build an MSI. There is a high-security
> > Microsoft Windows environment with an enhanced Code Integrity policy.
> > All deployed binaries must be code signed. This includes the temporary
> > DLL that runs during custom action execution. I have signed
> > CustomActionLibrary before and after running MakeSfxCA.exe. But native
> > extension libraries such as firewall.dll and winca.dll caused integrity
> > errors. Is there a way to repack them after digitally signing them?
> >
> > Thanks,
> > Masato
> >
> >
> >
> > ____________________________________________________________________
> > WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/