oleg-shilo / wixsharp

Framework for building a complete MSI or WiX source code by using script files written with C# syntax.
MIT License
1.12k stars 175 forks source link

Sign Wixsharp dlls #1608

Closed RachelXGanon closed 2 months ago

RachelXGanon commented 3 months ago

Hi @oleg-shilo, I'm using the WixSharp and WixSharp.bin NuGet packages, version 1.24.2, and I see that the following DLLs are not digitally signed:

WixSharp.UI.dll
WixSharp.UI.CA.dll
WixSharp.dll

For example:

image

Can you please provide the dlls signed?

Thx, Rachel

oleg-shilo commented 3 months ago

They are (WixSharp*.dll) signed already:

image

However, any files generated during the build or included by you can be signed as an explicit post-build step by setting project.SignAllFiles = true. Read about it here: https://github.com/oleg-shilo/wixsharp/wiki/Tips'n'Tricks#how-to-sign-all-wixsharp-dlls

RachelXGanon commented 3 months ago

Hi, I tried to set project.SignAllFiles = true, but it throws an error: it is not supported for Managed type project.

RachelXGanon commented 3 months ago

Also, is it allowed to sign the WixSharp DLLs with a custom tool? Usually it is not allowed to sign 3rd-party DLLs unless they specified it's allowed.

oleg-shilo commented 2 months ago

but it throw error it is not supported for Managed type project.

I just tested and I do not see this error. In my test I do not have the certificate so understandably I got EXEC : SignTool error : No certificates were found that met all the given criteria.. But the msi is built correctly.

Make sure you are following the Signing sample.

is it allowed to sign the wixsharp DLLs

It's your choice. You can sign whatever you want to sign. Though WixSharp DLLs are already signed.

usually it is not allowed to sign 3trd party dlls unless they specified it's allowed.

I am not sure what you are referring to

RachelXGanon commented 2 months ago

Hi, here's an example of a signed DLL:

image

As you can see in yellow, there's a Digital Signature tab on the DLL; entering this will provide more details on the signature etc. But I don't have this in WixSharp.

oleg-shilo commented 2 months ago

Rachel, it's hard for me to comment on the behaviour of your Windows Explorer extension - Digital Signatures tab.

I do not know what it is, I do not know what triggers the appearance of the tab. I can only guess that it is coming from the JetBrains dotPeek tool. Maybe it does not show the tab if the assembly is signed with a self-signed certificate. Maybe something else.

Though, what I do know:

So I am not sure what else can be done in the situation.

RachelXGanon commented 2 months ago

Hi, thanks for your response Oleg. Signing a DLL with a strong name is not the same as signing a DLL with a digital signature.

Signing the installer with a strong name ensures the uniqueness of the assembly by associating it with a public/private key pair. This enables version control and ensures that the correct version of an assembly is loaded in .NET applications.

Signing a DLL with a digital signature adds a layer of security by certifying the origin of the assembly (the DLL) using a digital certificate. It prevents a user from DLL hijacking, so a user can't load the DLL code and change it.

There are a few tools for signing; the common one is SignTool.exe.

oleg-shilo commented 2 months ago

OK, then we are talking about two different concepts. I indeed was referring to the "Strong Name Signing" while you are talking about "Digital Signing (Authenticode)".

So let's rewind the conversation to the start.

If you are interested in digitally signing the WixSharp assembly then you will need to purchase a trusted certificate from a CA and use it for signing.

You can follow the "Signing" sample and sign all binary files of your msi including all assemblies.

Hope this clarifies.
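The two kinds of signing distinguished in this thread occupy different slots in a PE file: an Authenticode signature sits in the attribute certificate table (data directory 4), while a strong-name signature is recorded in the CLR header. The following is an added example, not part of the thread or of WixSharp, that reports which slot is populated without validating either signature; `signature_kinds` and `build_sample` are hypothetical names, and the sample bytes are constructed headers rather than a real DLL.

```python
import struct

def signature_kinds(pe: bytes) -> dict:
    """Report which signature slots are populated. Presence only, nothing is verified."""
    lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[lfanew:lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = lfanew + 4
    n_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", pe, opt)
    dirs = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+
    n_dirs, = struct.unpack_from("<I", pe, dirs - 4)  # NumberOfRvaAndSizes
    def data_dir(i):
        return struct.unpack_from("<II", pe, dirs + 8 * i) if i < n_dirs else (0, 0)
    def rva_to_offset(rva):
        for s in range(n_sections):
            vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", pe, opt + opt_size + 40 * s + 8)
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return rva - vaddr + rptr
        raise ValueError("RVA outside all sections")
    _, cert_size = data_dir(4)       # attribute certificate table: Authenticode (PKCS#7)
    clr_rva, _ = data_dir(14)        # CLR header: present only in .NET assemblies
    strong = False
    if clr_rva:
        clr = rva_to_offset(clr_rva)
        flags, = struct.unpack_from("<I", pe, clr + 16)
        _, sn_size = struct.unpack_from("<II", pe, clr + 32)  # StrongNameSignature
        strong = bool(flags & 0x8) and sn_size > 0            # COMIMAGE_FLAGS_STRONGNAMESIGNED
    return {"authenticode": cert_size > 0, "strong_name": strong}

def build_sample(authenticode: bool, strong_name: bool) -> bytes:
    """Constructed minimal PE32 headers for this demo (hypothetical helper, not a loadable DLL)."""
    clr = bytearray(72)                                   # IMAGE_COR20_HEADER
    struct.pack_into("<I", clr, 0, 72)
    if strong_name:
        struct.pack_into("<I", clr, 16, 0x8)
        struct.pack_into("<II", clr, 32, 0x2048, 128)
    cert = bytes(16) if authenticode else b""             # placeholder bytes, not a real PKCS#7
    opt = bytearray(224)                                  # optional header, 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * 4, 0x400 if cert else 0, len(cert))
    struct.pack_into("<II", opt, 96 + 8 * 14, 0x2000, 72)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    section = struct.pack("<8s4I16x", b".text", 0x200, 0x2000, 0x200, 0x200)
    head = b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0" + coff + bytes(opt) + section
    return head.ljust(0x200, b"\0") + bytes(clr).ljust(0x200, b"\0") + cert
```

Calling `signature_kinds(open(path, "rb").read())` on a real assembly gives the same report; whether a signature that is present actually chains to a trusted publisher still has to be checked with a verifier such as SignTool.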

RachelXGanon commented 2 months ago

Yeah, right. For the installer *.msi I obviously do it. But the WixSharp DLL is a third-party DLL; it's a bit of a problem from a legal concept that I'd sign it.

In the example above there's a Microsoft DLL, which I get after installing the NuGet package, that is signed with a digital signature. Is there a way to add support for this, so installing the WixSharp NuGet will provide a DLL signed with a digital signature?

Thanks!

oleg-shilo commented 2 months ago

Unfortunately no. WixSharp is an Open-Source initiative and it does not have a trusted certificate available for digitally signing its assemblies. Signing with a Self-Signed Certificate is possible but it would not do you any good as it will not be trusted after you distribute it anyway.

RachelXGanon commented 2 months ago

Ok, thanks. Closing this issue.