Hi Jacob,

signing is indeed working without any problem. But if you have a
<PatchCertificates> element in your MSI, signing the MSI with insignia
(actually it is done by an MSbuild target) will change the included
certificates in the MsiDigitalCertificate table.

The following snippet (e.g. in product.wxs) will create entries in the MSI
tables MsiDigitalCertificate and MsiPatchCertificate:

    <PatchCertificates>
      <DigitalCertificate Id="MyCertificate" SourceFile="xyz.cer" />
    </PatchCertificates>

The certificate will get the identifier "MyCertificate" which is referenced
in MsiPatchCertificate. 

If you are now using external cabs and sign the MSI, the "MyCertificate" is
removed from the MsiDigitalCertificate table and a new one is added for any
external cab. They will get the certificate's thumbprint as the identifier
but MsiPatchCertificate is still referencing "MyCertificate" which will
break the MSI IMHO.

It is currently not an issue for me, as I have no plans to use patches in
the near future. But I was asking myself if this is a bug or if I did
something wrong.

Thanks for your help,
Georg


-----Original Message-----
From: Hoover, Jacob [mailto:jacob.hoo...@greenheck.com]
Sent: Monday, July 8, 2013 16:38
To: General discussion for Windows Installer XML toolset.
Cc: wix-users@lists.sourceforge.net
Subject: Re: [WiX-users] PatchCertificates element and Insignia.exe

I've been signing a msi and its external cabs without issue.

Can you provide the steps you are using to see if I can spot anything?

On Jul 8, 2013, at 9:30 AM, "Georg von Kries" <g...@creativbox.net> wrote:

> Hi all,
> 
> 
> 
> I've been using a <PatchCertificates> element in our installers for
> several years now, just in case we want to provide a patch and allow UAC
> patching.
> After switching to use external cab files, I have mentioned that this
> is broken.
> 
> 
> 
> When using external cabs, signing them and inscribing the digital
> certificate via Insignia.exe, it will remove the certificates provided
> in the PatchCertificates element from the MsiDigitalCertificate table
> and add a new entry with the certificate used for signing the cab
> files. This is actually the same certificate (in our case), but the
> identifier in the MsiDigitalCertificate table is being replaced.
> Insignia (or actually the Inscriber) will use the certificate's
> thumbprint as the identifier.
> This invalidates the foreign key in the MsiPatchCertificate table.
> 
> Additionally I cannot just use the certificate thumbprint as the 
> identifier in  the <DigitalCertificate> element, because it might 
> start with a number which makes it invalid as an identifier.
> 
> 
> 
> Therefore I think there are two bugs in the
> Inscriber.InscribeDatabase() method:
>
> 1. It should not remove existing certificates from the
>    MsiDigitalCertificate table
>
> 2. The used identifier can be invalid, if the certificate thumbprint
>    starts with a number. E.g. an underscore should be added at the
>    beginning
> 
> 
> 
> Am I missing something or is this a known limitation/bug? 
> 
> 
> 
> Kind regards,
> 
> Georg von Kries
> 
> 
> 
> 
> 
> ----------------------------------------------------------------------
> -------- This SF.net email is sponsored by Windows:
> 
> Build for Windows Store.
> 
> http://p.sf.net/sfu/windows-dev2dev
> _______________________________________________
> WiX-users mailing list
> WiX-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/wix-users
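
The dangling reference and the digit-leading identifier described in this thread can be checked after signing. The following is an added example, not code from the thread or from WiX: it assumes the two tables have been exported to tab-separated IDT text, and the sample rows, the PatchCert1 key and the thumbprint are constructed.

```python
import re

# MSI Identifier type: letters, digits, underscores and periods,
# and the first character must be a letter or an underscore.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")

def parse_idt(text):
    """Parse one IDT export: line 1 column names, line 2 column types,
    line 3 table name and key columns, then one tab-separated row per line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3:
        raise ValueError("IDT export needs three header lines")
    columns = lines[0].split("\t")
    table = lines[2].split("\t")[0]
    rows = [dict(zip(columns, ln.split("\t"))) for ln in lines[3:]]
    return table, rows

def check_patch_certificates(digital_idt, patch_idt):
    """Return a list of findings; an empty list means the tables agree."""
    _, certs = parse_idt(digital_idt)
    _, patches = parse_idt(patch_idt)
    cert_ids = {row["DigitalCertificate"] for row in certs}
    findings = []
    for cert_id in sorted(cert_ids):
        if not IDENTIFIER.match(cert_id):
            findings.append(f"invalid identifier in MsiDigitalCertificate: {cert_id}")
    for row in patches:
        ref = row["DigitalCertificate_"]  # foreign key into MsiDigitalCertificate
        if ref not in cert_ids:
            findings.append(f"MsiPatchCertificate row {row['PatchCertificate']} "
                            f"references missing certificate {ref}")
    return findings

# Constructed sample exports (not taken from a real package).
THUMB = "1A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D"  # constructed thumbprint
DIGITAL_HEAD = ("DigitalCertificate\tCertData\ns72\tv0\n"
                "MsiDigitalCertificate\tDigitalCertificate\n")
PATCH = ("PatchCertificate\tDigitalCertificate_\ns72\ts72\n"
         "MsiPatchCertificate\tPatchCertificate\nPatchCert1\tMyCertificate\n")
BEFORE = DIGITAL_HEAD + "MyCertificate\tMyCertificate.ibd\n"
# State described in the thread after signing with external cabs:
# the authored row is gone and the new row is keyed by the thumbprint.
AFTER = DIGITAL_HEAD + f"{THUMB}\t{THUMB}.ibd\n"

if __name__ == "__main__":
    for label, digital in (("before signing", BEFORE), ("after signing", AFTER)):
        findings = check_patch_certificates(digital, PATCH)
        print(label, "->", findings or "consistent")
```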
