Default of Payload element SuppressSignatureVerification

[dan-olsen]

• Which version of WiX are you building with?

3.11.1.2318

• Which version of Visual Studio are you building with (if any)?

2017 v15.9.21

• Which version of the WiX Toolset Visual Studio Extension are you building with (if any)?

1.0.0.4

• Which version of .NET are you building with?

4.0

• If the problem occurs when installing your packages built with WiX, what is the version of Windows the package is running on?

Windows 7 and 10

• Describe the problem and the steps to reproduce it.

We have a msi with external cab files. The msi and the cab files are signed. The bundle chain definition for the package is below:

<Fragment>
<PackageGroup Id="PackageGroup">
<MsiPackage Id="MsiPackage"
Visible="no"
Compressed="no"
Vital="yes"
SuppressSignatureVerification="yes"
SourceFile="$(var.SourceDir)File.msi"
InstallCondition="Condition"
Name="File.msi">
</MsiPackage>
</PackageGroup>
</Fragment>

The cab files get picked up just fine automatically and on most machines the install is just fine. However, we recently tested on an older windows 7 machine and the following error occurred.

Error 0x00000532 WindowsInstaller (Package): A file that is required cannot be installed because the cabinet file C:\ProgramData\Package Cache\{GUID}vVersion\file.cab has an invalid digital signature.  This may indicate that the cabinet file is corrupt.
1330
C:\ProgramData\Package Cache\{GUID}vVersion\file.cab
24581
Error 0x80070643: Failed to install MSI package.
Error 0x80070643: Failed to execute MSI package.
Error 0x80070643: Failed to configure per-machine MSI package.
Vital package Package Name failed with status: -2147023293
Applied execute package: Package, result: 0x80070643, restart: None
Error 0x80070643: Failed to execute MSI package.

• Describe the behavior you expected and how it differed from the actual behavior.

I know this error is caused by the failure to verify the cab file's signature (in our case the machine was missing the root cert) but I know that for other elements (ExePackage, MsiPackage, MspPackage) the SuppressSignatureVerification setting is defaulted to "yes" but that doesn't appear to be the case for the Payload element. Is there a particular reason for this or could the default be changed to match the other elements?

I think I can solve this by specifying the cab files as payloads and setting the SuppressSignatureVerification setting to "yes" manually (not great because the cab files can change) I was just surprised that this wasn't already defaulted to "yes".

I don't know if this really a bug or feature request. I went with bug but I can rewrite it to a feature request if you want.

[robmen]

For support please contact the wix-users mailing list.

It is possible through discussion a specific bug in the WiX Toolset will be uncovered but usually someone can help you find the error in your .wxs code.

[dan-olsen]

I'm not looking for support per se. And I did search the mailing list before posting here.

I'm looking for an answer as to why the default for the SuppressSignatureVerification setting in all package elements is yes but it is no in the Payload element. I know it was changed in 3.9. Why was it not changed for the payload element? I figured it would be best to just ask you the developers this question directly.

[robmen]

I'm glad you searched the mailing list. Truly, thank you.

Maybe it's faster for you to open an issue in our tracker than to send an email to the mailing list where you searched. But issues create more work for us. So we choose not to provide support via issues in GitHub.

[dan-olsen]

I believe the documentation is wrong at https://wixtoolset.org/documentation/manual/v3/xsd/wix/payload.html. It says the default is it uses the Authenticode signature when in fact it uses the hash by default similar to all the other package elements.

I tested this with the following examples:

<Chain>
  <MsiPackage Id="Package" Compressed="no" SuppressSignatureVerification="yes" SourceFile="File.msi">
    <Payload SourceFile="file2.cab" Compressed="no" SuppressSignatureVerification="yes" />
  </MsiPackage>
</Chain>

Produced the following manifest

<Payload Id="Package" FilePath="File.msi" FileSize="..." Hash="..." Packaging="external" SourcePath="File.msi" />
<Payload Id="..." FilePath="file2.cab" FileSize="..." Hash="..." Packaging="external" SourcePath="file2.cab" />

Which was the same as if I left the SuppressSignatureVerification off of the MsiPackage and Payload elements.

and

<Chain>
  <MsiPackage Id="Package" Compressed="no" SuppressSignatureVerification="yes" SourceFile="File.msi">
    <Payload SourceFile="file2.cab" Compressed="no" SuppressSignatureVerification="no" />
  </MsiPackage>
</Chain>

Produced the following manifest

<Payload Id="Package" FilePath="File.msi" FileSize="..." Hash="..." CertificateRootPublicKeyIdentifier="..." CertificateRootThumbprint="..." Packaging="external" SourcePath="File.msi" />
<Payload Id="..." FilePath="file2.cab" FileSize="..." Hash="..." CertificateRootPublicKeyIdentifier="..." CertificateRootThumbprint="..." Packaging="external" SourcePath="file2.cab" />

This is where my confusion came from. The error I received I believe is coming from windows installer not burn which i will try asking about on the mailing list.

I can write a new issue for this if you agree that it is incorrect instead of using this one.

[barnson]

SuppressSignatureVerification defaults to yes everywhere.

[dan-olsen]

That's what I thought. Which is why I was really confused when I doubled checked the docs for the setting and saw the following and thought it wasn't defaulting to true.

By default, a Bundle will use a package's Authenticode signature to verify the contents. If the package does not have an Authenticode signature then the Bundle will use a hash of the package instead. Set this attribute to "yes" to suppress the default behavior and force the Bundle to always use the hash of the package even when the package is signed. 

[barnson]

Yes, it's a doc bug.