Closed dan-olsen closed 3 years ago
For support please contact the wix-users mailing list.
It is possible through discussion a specific bug in the WiX Toolset will be uncovered but usually someone can help you find the error in your .wxs code.
I'm not looking for support per se. And I did search the mailing list before posting here.
I'm looking for an answer as to why the default for the SuppressSignatureVerification setting in all package elements is yes but it is no in the Payload element. I know it was changed in 3.9. Why was it not changed for the payload element? I figured it would be best to just ask you the developers this question directly.
I'm glad you searched the mailing list. Truly, thank you.
Maybe it's faster for you to open an issue in our tracker than to send an email to the mailing list where you searched. But issues create more work for us. So we choose not to provide support via issues in GitHub.
I believe the documentation is wrong at https://wixtoolset.org/documentation/manual/v3/xsd/wix/payload.html. It says the default is it uses the Authenticode signature when in fact it uses the hash by default similar to all the other package elements.
I tested this with the following examples:
<Chain>
<MsiPackage Id="Package" Compressed="no" SuppressSignatureVerification="yes" SourceFile="File.msi">
<Payload SourceFile="file2.cab" Compressed="no" SuppressSignatureVerification="yes" />
</MsiPackage>
</Chain>
Produced the following manifest
<Payload Id="Package" FilePath="File.msi" FileSize="..." Hash="..." Packaging="external" SourcePath="File.msi" />
<Payload Id="..." FilePath="file2.cab" FileSize="..." Hash="..." Packaging="external" SourcePath="file2.cab" />
Which was the same as if I left the SuppressSignatureVerification off of the MsiPackage and Payload elements.
and
<Chain>
<MsiPackage Id="Package" Compressed="no" SuppressSignatureVerification="yes" SourceFile="File.msi">
<Payload SourceFile="file2.cab" Compressed="no" SuppressSignatureVerification="no" />
</MsiPackage>
</Chain>
Produced the following manifest
<Payload Id="Package" FilePath="File.msi" FileSize="..." Hash="..." CertificateRootPublicKeyIdentifier="..." CertificateRootThumbprint="..." Packaging="external" SourcePath="File.msi" />
<Payload Id="..." FilePath="file2.cab" FileSize="..." Hash="..." CertificateRootPublicKeyIdentifier="..." CertificateRootThumbprint="..." Packaging="external" SourcePath="file2.cab" />
This is where my confusion came from. The error I received I believe is coming from windows installer not burn which i will try asking about on the mailing list.
I can write a new issue for this if you agree that it is incorrect instead of using this one.
SuppressSignatureVerification
defaults to yes
everywhere.
That's what I thought. Which is why I was really confused when I doubled checked the docs for the setting and saw the following and thought it wasn't defaulting to true.
By default, a Bundle will use a package's Authenticode signature to verify the contents. If the package does not have an Authenticode signature then the Bundle will use a hash of the package instead. Set this attribute to "yes" to suppress the default behavior and force the Bundle to always use the hash of the package even when the package is signed.
Yes, it's a doc bug.
I think I can solve this by specifying the cab files as payloads and setting the SuppressSignatureVerification setting to "yes" manually (not great because the cab files can change) I was just surprised that this wasn't already defaulted to "yes".
I don't know if this really a bug or feature request. I went with bug but I can rewrite it to a feature request if you want.