The patch certificates go in the wix for your original msi.

Then you use signtool to sign that msi and any patch msp that you create.

If you have already released your MSI then you will either need to re-release
it as a major upgrade to include the embedded certificate or release a patch
with them in but that patch will need to be run elevated and subsequent
patches will be able to bypass UAC.

-----Original Message-----
From: chintala srinivas [mailto:chentala.srini...@gmail.com] 
Sent: 27 June 2013 17:18
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Require admin rights to msp

Thanks Jacob and Blair

Changing the custom-action attribute to Impersonate="no" from "yes" has
resolved my issue. But signing the MSP is a very important thing for patch
installation.

I am not able to sign the msp as Jacob suggested, because I am unable to add the
PatchCertificates to my patch.wxs.

I followed the steps below for signing the MSI and MSP:
1. Signed the MSI with the post-build event below.

 <PostBuildEvent>"C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin\signtool.exe" sign /f $(SolutionDir)\xxx.pfx /p xxxxxx /t http://timestamp.digicert.com /v $(ProjectDir)\bin\$(ConfigurationName)\en-US\xxx.msi</PostBuildEvent>

2. Signed the MSP with the same post-build event as above. The MSP is then
digitally signed, as seen from its properties. But the MsiPatchCertificate
table is not coming.

I missed something, so the MsiPatchCertificate table is not coming.

Regards,
Srinivas.


On Wed, Jun 26, 2013 at 2:01 PM, David Watson <dwat...@sdl.com> wrote:

> What Jacob suggests works, we have been using it for several years, if 
> the certificate is in the original msi and it and the patch are signed 
> by the same certificate then you do not need to elevate to install.
>
> It's fun when the certificate expires though as you need to use a 
> hotfix to deliver the new certificate which is signed by the old 
> certificate before it expires so you can then sign by the new 
> certificate in future patches.
>
> -----Original Message-----
> From: Blair Murri [mailto:os...@live.com]
> Sent: 26 June 2013 06:53
> To: General discussion for Windows Installer XML toolset.
> Subject: Re: [WiX-users] Require admin rights to msp
>
> I believe so. Please test and report back (I'd like confirmation 
> either way).
>
> > Date: Wed, 26 Jun 2013 02:11:19 +0530
> > From: chentala.srini...@gmail.com
> > To: wix-users@lists.sourceforge.net
> > Subject: Re: [WiX-users] Require admin rights to msp
> >
> > Hi,
> >
> > The actual requirement is
> > I have a msi which is having elevated rights(InstallPrivileges 
> > ="elevated", Privileged Launched condition and digitally signed).
> >
> > And simply created the patch by following the link:
> > http://wix.sourceforge.net/manual-wix2/patch_building.htm without
> > adding signing or any additional things. This is working successfully
> > on all machines except the machines having UAC on. If we run the msp
> > through an admin command prompt it works fine (executing Impersonate="yes"
> > custom actions) on a UAC-on machine also.
> >
> > Is signing the msp the solution for this problem?
> >
> > Regards,
> > Srinivas.
> >
> > On Tue, Jun 25, 2013 at 11:24 PM, Blair Murri <os...@live.com> wrote:
> >
> > > Method #2 - apply from an elevated command prompt.
> > >
> > > I'm a little unclear about the requirement. If the MSI requires 
> > > elevation, any applied MSP will prompt for elevation as needed and 
> > > all non-impersonated in-script actions will run elevated (same as 
> > > the MSI, adding an MSP doesn't change how that works).
> > >
> > > If the original MSI doesn't require elevation and the MSP 
> > > > introduces that requirement (due to some new thing it's doing) then 
> > > LUA patching won't accommodate that requirement. You really should 
> > > use a major upgrade (and possibly a bootstrapper that gives you a 
> > > working upgrade path) to replace that original MSI.
> > >
> > > Blair
> > >
> > > > From: jacob.hoo...@greenheck.com
> > > > To: wix-users@lists.sourceforge.net
> > > > Date: Tue, 25 Jun 2013 17:10:15 +0000
> > > > Subject: Re: [WiX-users] Require admin rights to msp
> > > >
> > > > > Digitally sign the original MSI, include the public cert in the
> > > > > MsiPatchCertificate table, and then sign the MSP with the same
> > > > > certificate.
> > > >
> > > >     <PatchCertificates>
> > > >       <DigitalCertificate Id="MyCompany" SourceFile="MyCompany.cer"/>
> > > >     </PatchCertificates>
> > > >
> > > > And in the wixproj,
> > > >
> > > > >   <Target Name="SignCabs" DependsOnTargets="UsesSignTool">
> > > > >     <Exec Command="&quot;$(SignToolPath)&quot; sign /t http://timestamp.digicert.com /a &quot;%(SignCabs.FullPath)&quot;" />
> > > > >   </Target>
> > > > >
> > > > >   <Target Name="SignMsi" DependsOnTargets="UsesSignTool">
> > > > >     <Exec Command="&quot;$(SignToolPath)&quot; sign /d &quot;My App Setup&quot; /t http://timestamp.digicert.com /a &quot;%(SignMsi.FullPath)&quot;" />
> > > > >   </Target>
> > > >
> > > > > I use custom logic to detect the location of SignTool, but that
> > > > > should get you started.  Note, group policy can still disable LUA
> > > > > patching.
> > > >
> > > > -----Original Message-----
> > > > From: chintala srinivas [mailto:chentala.srini...@gmail.com]
> > > > Sent: Tuesday, June 25, 2013 11:53 AM
> > > > To: General discussion for Windows Installer XML toolset.
> > > > Subject: [WiX-users] Require admin rights to msp
> > > >
> > > > Hi,
> > > >
> > > > > I have a patch (.msp) file which works fine only if it runs from
> > > > > an administrative command prompt on a UAC-on machine.
> > > > > Can anyone please let me know how to give admin privileges to the .msp?
> > > >
> > > > Regards,
> > > > Srinivas.
> > > >
> > > ------------------------------------------------------------------
> > > --
> > > ----------
> > > > This SF.net email is sponsored by Windows:
> > > >
> > > > Build for Windows Store.
> > > >
> > > > http://p.sf.net/sfu/windows-dev2dev
> > > > _______________________________________________
> > > > WiX-users mailing list
> > > > WiX-users@lists.sourceforge.net
> > > > https://lists.sourceforge.net/lists/listinfo/wix-users
> > > >
> > > >
> > > ------------------------------------------------------------------
> > > --
> > > ----------
> > > > This SF.net email is sponsored by Windows:
> > > >
> > > > Build for Windows Store.
> > > >
> > > > http://p.sf.net/sfu/windows-dev2dev
> > > > _______________________________________________
> > > > WiX-users mailing list
> > > > WiX-users@lists.sourceforge.net
> > > > https://lists.sourceforge.net/lists/listinfo/wix-users
> > >
> > >
> > > ------------------------------------------------------------------
> > > --
> > > ---------- This SF.net email is sponsored by Windows:
> > >
> > > Build for Windows Store.
> > >
> > > http://p.sf.net/sfu/windows-dev2dev
> > > _______________________________________________
> > > WiX-users mailing list
> > > WiX-users@lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/wix-users
> > >
>
>
> SDL PLC confidential, all rights reserved.
> If you are not the intended recipient of this mail SDL requests and 
> requires that you delete it without acting upon or copying any of its 
> contents, and we further request that you advise us.
> SDL PLC is a public limited company registered in England and Wales.
>  Registered number: 02675207.
> Registered address: Globe House, Clivemont Road, Maidenhead, Berkshire 
> SL6 7DY, UK.
>
>
>
>


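Added example, not part of the original thread: a PowerShell check for the recipe discussed above, confirming that the original MSI (not the MSP) carries MsiPatchCertificate rows and that the MSI and MSP have valid signatures from the same signer. The file paths and the RecipeSatisfied field name are assumptions, and the script compares signer thumbprints only; it does not extract the certificate stored in the MSI's MsiDigitalCertificate table.

```powershell
# Added example. Paths are hypothetical; point them at your own build outputs.
param(
    [string]$MsiPath = '.\Product.msi',
    [string]$MspPath = '.\Patch.msp'
)

function Get-MsiPatchCertificateIds {
    param([Parameter(Mandatory)][string]$Path)
    # Windows Installer automation object; it is late-bound, hence InvokeMember.
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $full = (Resolve-Path -LiteralPath $Path).Path
    # Second argument 0 = msiOpenDatabaseModeReadOnly.
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($full, 0))
    $ids = @()
    try {
        $sql  = 'SELECT `DigitalCertificate_` FROM `MsiPatchCertificate`'
        $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($sql))
        $null = $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
        while ($rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)) {
            $ids += $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(1))
        }
    } catch {
        # The query fails when the table is absent: treat that as "no patch certificates".
    }
    return ,$ids
}

$msiSig = Get-AuthenticodeSignature -FilePath $MsiPath
$mspSig = Get-AuthenticodeSignature -FilePath $MspPath
$ids    = Get-MsiPatchCertificateIds -Path $MsiPath
$same   = $msiSig.SignerCertificate -and $mspSig.SignerCertificate -and
          ($msiSig.SignerCertificate.Thumbprint -eq $mspSig.SignerCertificate.Thumbprint)

[pscustomobject]@{
    MsiSignature         = $msiSig.Status
    MspSignature         = $mspSig.Status
    SameSignerThumbprint = [bool]$same
    PatchCertificateRows = $ids -join ', '
    # True only when every condition from the thread's recipe holds.
    RecipeSatisfied      = ($msiSig.Status -eq 'Valid') -and ($mspSig.Status -eq 'Valid') -and
                           $same -and ($ids.Count -gt 0)
}
```

An empty PatchCertificateRows means the PatchCertificates element never reached the MSI's source; as noted in the thread, group policy can still disable LUA patching even when every check passes.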