Hi Chris, I just wanted to give a different perspective here too. I am an application repackager rather than a software developer, and so I see this from the point of view of large corporates who may want to deploy your software automatically, i.e. your customers!
It's fine to have a requirement for a serial number to be available at setup-time, but please don't do anything to ensure it is entered manually, companies need to do silent installs so must be able to supply the serial number on the command line or via an MST. Also, companies will frequently use the same serial number for all of their installations, and manage the actual number of licenses that they have separately, so it would be best that you don't do any kind of authentication of the number of uses that each license has had, just that it is a valid code. I know that may sound like an invitation to software pirates to reuse your license codes, but there's really no way for an app deployed with say SMS to assign a different license code for each machine. Not ideal for you I know, but I just wanted to point out this scenario and make sure you are aware of it and consider it in your decision. Also, whilst I can understand Eitan's recommendation below from the view of securing your software, I really wouldn't suggest you use several Custom Actions and try to hide what you're up to within them. From the corporate perspective this is a real pain, and you could just be asked to do another version of your MSI with this disabled, or to provide a work-around, such as a Property that can be set to disable it. What I think is best is that rather than doing all of your licensing checks during the install, you just provide the ability to set a license code during the install, and then you check whether or not the app is licensed on the machine when it is launched. If it is not then you can ask for a license key to be entered - though assuming the user won't have admin rights, that will restrict you to per-user licenses being entered at launch-time. Anyway, sorry to go on, and I know this is a total contrast to what most of the software developers on this list would like to see done, but I just thought that this other view made it even more useful to post! Lastly, and on a different note, I'd just like to add to Eitan's mention of DTF. My understanding is (and I could be wrong, in fact I'd like to be wrong so if I am please could someone say so!) that using DTF introduces a dependency into your installation, and whilst it's fine for me to do that as a corporate admin as I can just deploy DTF to all of the target machines before any apps that I package with DTF CAs, I'm not sure that you will want to require all of your customers to do the same. Cheers, James -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eitan Behar Sent: 15 August 2008 11:42 To: 'General discussion for Windows Installer XML toolset.' Subject: Re: [WiX-users] controlling who installs a package Hi Chris, First at all, there is no way you can really protect an MSI based setup from being installed. MSI is in an open format, therefore, anybody can easily(?) open it and understand what constraints you set in order to limit the installation process. Saying that, if your users are not too technically oriented, you can create a Custom Action (unmanaged C++ is more difficult to decipher than DTF's C#, don't use VB script). This custom action will read a certain property, let's say SERIAL_NUMBER, and will return Success or Failure according to any algorithm you implement there. In general terms, the more complex the process is, the more difficult to break. You can set several functions call to confuse people try to understand the process. Also, don't cancel the setup right after the serial number check, but do something in the middle, so looking at the log file it'll be difficult to understand which CA is in charge. These are just guidelines for a very basic security process. If you need something pro, you better look at some ready-made solutions (Aladdin, Flex LM, etc) Take into account that most setups over there asking for serial numbers are either not MSI based, or very simple to crack. Hope this helps you to find your way. Bst rgrds, Eitan -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mole, Chris Sent: Friday, August 15, 2008 11:01 AM To: wix-users@lists.sourceforge.net Subject: [WiX-users] controlling who installs a package Hi, What's the best way to control who is able to install a package? Can I make the package in such a way that it can only be installed by people that know some password or serial number? Thanks, Chris ------------------------------------------------------------------------ - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users ------------------------------------------------------------------------ - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users -- This e-mail is confidential and the information contained in it may be privileged. It should not be read, copied or used by anyone other than the intended recipient. If you have received it in error, please contact the sender immediately by telephoning +44 (0)20 7623 8000 or by return email, and delete the e-mail and do not disclose its contents to any person. We believe, but do not warrant, that this e-mail and any attachments are virus free, but you must take full responsibility for virus checking. Please refer to http://www.dresdnerkleinwort.com/disc/email/ and read our e-mail disclaimer statement and monitoring policy. Dresdner Kleinwort is the trading name of the investment banking division of Dresdner Bank AG, and operates through Dresdner Bank AG, Dresdner Kleinwort Limited, Dresdner Kleinwort Securities Limited and their affiliated or associated companies. Dresdner Bank AG is a company incorporated in Germany with limited liability and registered in England (registered no. FC007638, place of business 30 Gresham Street, London EC2V 7PG), and is authorised by the German Federal Financial Supervisory Authority and by the Financial Services Authority ('FSA') and regulated by the FSA for the conduct of designated business in the UK. Dresdner Kleinwort Limited is a company incorporated in England (registered no. 551334, registered office 30 Gresham Street, London EC2V 7PG), and is authorised and regulated by the FSA. Dresdner Kleinwort Securities Limited is a company incorporated in England (registered no. 1767419, registered office 30 Gresham Street, London EC2V 7PG), and is authorised an d regulated by the FSA. ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users
