I used a CA on windows server 03 to create a code signing certificate (through the web enrollment tool), installed the cert to my dev machine's store, then exported from the store twice. Once to generate the PFX I used for signing, and then once for the .cer file I included in the msi.
________________________________________
From: Rafael Rivera [raf...@withinwindows.com]
Sent: Thursday, July 02, 2009 4:03 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Patching a product without elevation

MSI (c) (24:FC) [15:23:03:419]: Certificate of signed file 'C:\Users\STANDA~1\AppData\Local\Temp\13f7987.msp' differs in size with the certificate authored in the package

How did you generate your .cer?

- Rafael

Chris Bardon wrote:
> I did run signtool against the packages, with the command lines in the first
> part of the post.
>
> I also forgot to point out a couple of other changes to the demo code. I
> changed the installer version to 300, and I set ALLUSERS to 1 to make sure
> that I installed per-machine to start with.
>
> Something strange that I noticed in the patch log:
>
> [snipped]
>
>
> -----Original Message-----
> From: Rafael Rivera [mailto:raf...@withinwindows.com]
> Sent: Thursday, July 02, 2009 3:17 PM
> To: General discussion for Windows Installer XML toolset.
> Subject: Re: [WiX-users] Patching a product without elevation
>
> Chris,
>
> Those elements appear to simply identify what certificate should be
> given the green light for patching. I believe you still need to
> digitally sign the resulting MSI using signtool.exe.
>
> - Rafael
>
> Chris Bardon wrote:
>
>> My goal for getting patching to work is to be able to deploy an application
>> that can be patched by a non-admin user, but I'm running into a problem.
>> I've created the patching sample in the documentation, and the patch works
>> when it's elevated, but whether or not it's signed, the patch is still
>> prompting for elevation. I'm signing both the patch and the original MSI
>> with these command lines:
>>
>> signtool.exe sign /f signcert.pfx /p 288 /d "Patch Test application!" product.msi
>> signtool.exe sign /f signcert.pfx /p 288 /d "Patch Test application!" patch.msp
>>
>> I've also modified the product msi from the example so that it includes this
>> markup:
>>
>> <PatchCertificates>
>>   <DigitalCertificate SourceFile="signcert.cer" Id="signcert"/>
>> </PatchCertificates>
>>
>> If I look at the properties of the files, both of them have a digital
>> signature from the same certificate, and both are identified as valid. When
>> I run the patch as a non-administrator though, I get an elevation prompt
>> asking to install from an unknown publisher - the original installer correctly
>> identified my certificate. Is there something else I'm missing? I saw the
>> article in MSDN here
>> (http://msdn.microsoft.com/en-us/library/aa372388%28VS.85%29.aspx), which
>> pointed me to the MsiPatchCertificate table and the PatchCertificates
>> element. I've tried adding the cert both as the pfx file and as a base-64
>> encoded cer with the same effect. Is there something else that I'm missing
>> here? Why is the patch still reporting itself as an unknown publisher?
>>
>> Thanks for the help everyone,
>>
>> Chris
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> WiX-users mailing list
>> WiX-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/wix-users
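
The log line quoted in the thread says the certificate of the signed .msp differs in size from the certificate authored in the package. The PowerShell below is an added example, not part of the thread or of WiX: it compares the two, using the thread's file names as defaults and assuming that the bytes of the authored .cer file are what the package carries.

```powershell
# Added example (not from the thread). Defaults are the file names used in the thread.
param(
    [string]$SignedFile  = 'patch.msp',
    [string]$AuthoredCer = 'signcert.cer'
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Certificate that actually signed the patch.
$sig = Get-AuthenticodeSignature -FilePath (Resolve-Path $SignedFile).Path
if ($null -eq $sig.SignerCertificate) {
    throw "No signer certificate in $SignedFile (status: $($sig.Status))"
}
$signer = $sig.SignerCertificate

# Certificate file referenced by <DigitalCertificate SourceFile="...">.
[byte[]]$cerBytes = [System.IO.File]::ReadAllBytes((Resolve-Path $AuthoredCer).Path)
$authored = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerBytes)

$report = [pscustomobject]@{
    SignatureStatus    = $sig.Status
    SignerThumbprint   = $signer.Thumbprint
    AuthoredThumbprint = $authored.Thumbprint
    SameCertificate    = ($signer.Thumbprint -eq $authored.Thumbprint)
    SignerDerBytes     = $signer.RawData.Length   # size of the DER certificate in the signature
    AuthoredFileBytes  = $cerBytes.Length         # size of the .cer file on disk
    AuthoredFileIsDer  = ($cerBytes[0] -eq 0x30)  # DER certificates start with a SEQUENCE tag
}

if (-not $report.SameCertificate) {
    Write-Warning 'The .cer file is a different certificate from the one that signed the file.'
}
elseif ($report.AuthoredFileBytes -ne $report.SignerDerBytes) {
    # Assumption: the package stores the .cer file byte for byte, so a Base-64
    # export of the same certificate has a different size than the DER form.
    Write-Warning 'Same certificate, but the .cer file size differs from the DER certificate in the signature.'
}
$report
```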