At one time at MSFT (don't know if it is still the case) the machine that did 
codesigning for (most? all?) teams worldwide was solely located in (IIRC) 
Puerto Rico, and the files had to be securely electronically transported there, 
signed, and securely transported back, by a system owned by the group managing 
production signing (despite most build servers being in Redmond, Washington). 
Direct access to the signtool tool wasn't of any use in that case.
 
At my current client, there is no "official" signing in any build leg that 
developers have direct access to. You tell them where your files are and they 
sign them. They sign everything before the "packaging" step of the build, but 
they have to "script" signing things that are "contained" by other things built 
during packaging, like external cabs and everything we stick into a bundle.
 
Seems like everyone does it differently. Maybe we should take a poll to see if 
there is any one "majority" way that we could optimize for, but even inside of 
MSFT it had to be done differently for "production" signing and "internal 
only-test" signing.
 
-Blair
 
> Date: Mon, 2 Dec 2013 22:08:16 +0000
> From: john.ludlow...@gmail.com
> To: wix-users@lists.sourceforge.net
> Subject: Re: [WiX-users] Signing bundles - changes needed to each bundle wixproj
> 
> Fair enough. I guess we have it set up quite simply - a cert in a folder on
> the file server with restricted access. This is imported into the
> certificate store on the build machine by the build and selected by sha1
> hash when calling signtool. We also timestamp.
> 
> Therefore simply providing a path to signtool, the sha1 and the
> timestamping url via properties would work for us - that seems like a
> sensible default which could be overridden
> 
> Thanks
> On 2 Dec 2013 18:24, "Rob Mensching" <r...@robmensching.com> wrote:
> 
> > My experience is that you really want your private key under lock and key.
> > I heard the room with the private key at MSFT had a hand print reader. Even
> > the WiX toolset submits our binaries off to a signing service to get
> > signed. Never saw two organizations implement signing the same way. <sigh/>
> >
> > -----Original Message-----
> > From: John Ludlow [mailto:john.ludlow...@gmail.com]
> > Sent: Monday, December 2, 2013 10:09 AM
> > To: General discussion about the WiX toolset.
> > Subject: Re: [WiX-users] Signing bundles - changes needed to each bundle
> > wixproj
> >
> > I suppose that's a good point, Rob - there's lots of ways to sign stuff.
> > We tend to go to the signtool method (actually a specific version of
> > signtool for reasons I can't remember) and I kind of figured that would be
> > the (ahem) generically preferred method of signing things that WiX cares
> > about.
> >
> > Anyway, thanks for your help.
> >
> >
> > On 2 December 2013 17:59, Rob Mensching <r...@robmensching.com> wrote:
> >
> > > Ditto.
> > >
> > > And if you come up with a way to set these targets by default
> > > correctly for the multitude of ways for signing binaries, we'd love to
> > > discuss it on wix-devs.
> > >
> > > -----Original Message-----
> > > From: Blair Murri [mailto:os...@live.com]
> > > Sent: Monday, December 2, 2013 9:53 AM
> > > To: General discussion for Windows Installer XML toolset.
> > > Subject: Re: [WiX-users] Signing bundles - changes needed to each
> > > bundle wixproj
> > >
> > > I don't believe there's a preference to one over the other. Each has
> > > its own costs and risks. Whichever works better in your environment.
> > > MSBuild is flexible in that regard. (What I do with my clients tends
> > > to vary based on the client's needs and customs).
> > >
> > > -Blair
> > >
> > > From: John Ludlow
> > > Sent: Monday, December 02, 2013 9:49 AM
> > > To: General discussion for Windows Installer XML toolset.
> > >
> > > I see - that was the impression I got from the documentation, but I
> > > tend to prefer to stay out of those because any changes to the
> > > .wixprojs are relatively hidden, and we'd have to do the change for
> > > each bundle .wixproj (and probably each MSI .wixproj). Given the
> > > hidden nature, it's easy to forget (and more than a little cumbersome to
> > > implement each change).
> > >
> > > We could partially solve this using tools to mandate that this change
> > > was done before checkin, but we'd have to write a check for that tool.
> > > It's not difficult, but if we don't need to do it then we'd rather
> > > not. Similarly, we could write tools to auto-fix this - again, not
> > > difficult, but if we don't need to do it then we'd rather not.
> > >
> > > Ideally, however, the wix targets that come out of the box would have
> > > this already.
> > >
> > > I was wondering whether there's a reason why editing the .wixproj is
> > > preferred over CustomAfterWixTargets. If Visual Studio did a better
> > > job of exposing the underlying msbuild code then I'd just tweak the
> > > .msbuild file, but given how cumbersome it is, I'd rather avoid this if
> > > I can help it.
> > >
> > > On 2 December 2013 16:52, Rob Mensching <r...@robmensching.com> wrote:
> > >
> > > > You could do that. I tend to add an explicit .props/.targets file to
> > > > the .wixprojs myself but you have options with MSBuild.
> > > >
> > > > Documentation improvements are always appreciated.
> > > >
> > > > -----Original Message-----
> > > > From: John Ludlow [mailto:john.ludlow...@gmail.com]
> > > > Sent: Monday, December 2, 2013 8:07 AM
> > > > To: General discussion about the WiX toolset.
> > > > Subject: Re: [WiX-users] Signing bundles - changes needed to each
> > > > bundle wixproj
> > > >
> > > > Hi Rob,
> > > >
> > > > How would this be invoked from the build? Your message prompted some
> > > > digging, and I found CustomAfterWixTargets. Would you recommend
> > > > setting this to the path to my own msbuild .targets file, and
> > > > providing the SignXXX targets in there?
> > > >
> > > > I tried this and it seemed to work.
> > > >
> > > > If this is best practice, it would be worth updating the
> > > > documentation to this effect.
> > > >
> > > >
> > > > On 2 December 2013 14:52, Rob Mensching <r...@robmensching.com> wrote:
> > > >
> > > > > Generally, I've seen people use the instructions to check the WiX
> > > > > toolset into their build process and provide a standard
> > > > > .props/.targets file for encapsulating all the custom logic for
> > > > > their build.
> > > > >
> > > > > -----Original Message-----
> > > > > From: John Ludlow [mailto:john.ludlow...@gmail.com]
> > > > > Sent: Monday, December 2, 2013 4:23 AM
> > > > > To: General discussion for Windows Installer XML toolset.
> > > > > Subject: [WiX-users] Signing bundles - changes needed to each
> > > > > bundle wixproj
> > > > >
> > > > > Hi,
> > > > >
> > > > > We're writing an installer using a bundle to chain two MSIs together.
> > > > > > The bundle should be signed (we generally sign installers and EXEs
> > > > > > and DLLs). Currently, we're using WiX 3.6 (we currently use Visual
> > > > > > Studio 2008, and 3.7 didn't support that version of Visual Studio).
> > > > >
> > > > > We've discovered the 0x80004005 error described here:
> > > > >
> > > > > > http://windows-installer-xml-wix-toolset.687559.n2.nabble.com/Wix-3-7-Burn-error-0x80004005-Failed-to-extract-all-files-from-container-td7587152.html
> > > > >
> > > > > However, the fix for this seems to be to tweak the project files.
> > > > > This is not a preferred solution for us, as over the next year we
> > > > > will be creating a significant number of these as we adopt this
> > > > > > technology for some of our existing installers. Since any tweaks
> > > > > > to the projects are hidden (they require right clicking the
> > > > > > project, choosing Edit... and effectively unloading the project
> > > > > > from the solution), we'd have to remember to do that each time we
> > > > > > create a bundle, and I'd rather not have that point of failure.
> > > > >
> > > > > I'm planning on using insignia.exe to extract engine.exe, sign it
> > > > > and then import it. However, it's been suggested this is also less
> > > > > > than ideal (though it's better than having to remember to tweak a
> > > > > > project file).
> > > > >
> > > > > I was wondering whether this is improved in later versions of WiX.
> > > > > I imagine it would be pretty simple for WiX to include this
> > > > > functionality in the default .wixproj project template, meaning we
> > > > > > don't have to remember to do it ourselves. If this is the case,
> > > > > > would this also support timestamping?
> > > > >
> > > > > Or are there any other inventive solutions for solving this issue?
> > > > >
> > > > > Thanks
> > > > >
> > > > > John
> > > > >
> > > > > ------------------------------------------------------------------
> > > > > --
> > > > > --
> > > > > -------- Rapidly troubleshoot problems before they affect your
> > > > > business. Most IT organizations don't have a clear picture of how
> > > > > application performance affects their revenue. With AppDynamics,
> > > > > you get 100% visibility into your Java,.NET, & PHP application.
> > > > > Start your 15-day FREE TRIAL of AppDynamics Pro!
> > > > > http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/os
> > > > > tg .c lktrk _______________________________________________
> > > > > WiX-users mailing list
> > > > > WiX-users@lists.sourceforge.net
> > > > > https://lists.sourceforge.net/lists/listinfo/wix-users
> > > > >
> > > > >
> > > > >
> > > > > ------------------------------------------------------------------
> > > > > --
> > > > > --
> > > > > -------- Rapidly troubleshoot problems before they affect your
> > > > > business. Most IT organizations don't have a clear picture of how
> > > > > application performance affects their revenue. With AppDynamics,
> > > > > you get 100% visibility into your Java,.NET, & PHP application.
> > > > > Start your 15-day FREE TRIAL of AppDynamics Pro!
> > > > > http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/os
> > > > > tg .c lktrk _______________________________________________
> > > > > WiX-users mailing list
> > > > > WiX-users@lists.sourceforge.net
> > > > > https://lists.sourceforge.net/lists/listinfo/wix-users
> > > > >
> > > >
> > > > --------------------------------------------------------------------
> > > > --
> > > > -------- Rapidly troubleshoot problems before they affect your
> > > > business. Most IT organizations don't have a clear picture of how
> > > > application performance affects their revenue. With AppDynamics, you
> > > > get 100% visibility into your Java,.NET, & PHP application. Start
> > > > your 15-day FREE TRIAL of AppDynamics Pro!
> > > > http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg
> > > > .c lktrk _______________________________________________
> > > > WiX-users mailing list
> > > > WiX-users@lists.sourceforge.net
> > > > https://lists.sourceforge.net/lists/listinfo/wix-users
> > > >
> > > >
> > > >
> > > > --------------------------------------------------------------------
> > > > --
> > > > -------- Rapidly troubleshoot problems before they affect your
> > > > business. Most IT organizations don't have a clear picture of how
> > > > application performance affects their revenue. With AppDynamics, you
> > > > get 100% visibility into your Java,.NET, & PHP application. Start
> > > > your 15-day FREE TRIAL of AppDynamics Pro!
> > > > http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg
> > > > .c lktrk _______________________________________________
> > > > WiX-users mailing list
> > > > WiX-users@lists.sourceforge.net
> > > > https://lists.sourceforge.net/lists/listinfo/wix-users
> > > >
> > >
> > > ----------------------------------------------------------------------
> > > -------- Rapidly troubleshoot problems before they affect your
> > > business. Most IT organizations don't have a clear picture of how
> > > application performance affects their revenue. With AppDynamics, you
> > > get 100% visibility into your Java,.NET, & PHP application. Start your
> > > 15-day FREE TRIAL of AppDynamics Pro!
> > > http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.c
> > > lktrk _______________________________________________
> > > WiX-users mailing list
> > > WiX-users@lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/wix-users
> > >
> > > ----------------------------------------------------------------------
> > > -------- Rapidly troubleshoot problems before they affect your
> > > business. Most IT organizations don't have a clear picture of how
> > > application performance affects their revenue. With AppDynamics, you
> > > get 100% visibility into your Java,.NET, & PHP application. Start your
> > > 15-day FREE TRIAL of AppDynamics Pro!
> > > http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.c
> > > lktrk _______________________________________________
> > > WiX-users mailing list
> > > WiX-users@lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/wix-users
> > >
> > > ----------------------------------------------------------------------
> > > -------- Rapidly troubleshoot problems before they affect your
> > > business. Most IT organizations don't have a clear picture of how
> > > application performance affects their revenue. With AppDynamics, you
> > > get 100% visibility into your Java,.NET, & PHP application. Start your
> > > 15-day FREE TRIAL of AppDynamics Pro!
> > > http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.c
> > > lktrk _______________________________________________
> > > WiX-users mailing list
> > > WiX-users@lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/wix-users
> > >
> >
> > ------------------------------------------------------------------------------
> > Rapidly troubleshoot problems before they affect your business. Most IT
> > organizations don't have a clear picture of how application performance
> > affects their revenue. With AppDynamics, you get 100% visibility into your
> > Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics
> > Pro!
> > http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
> > _______________________________________________
> > WiX-users mailing list
> > WiX-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/wix-users
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Rapidly troubleshoot problems before they affect your business. Most IT
> > organizations don't have a clear picture of how application performance
> > affects their revenue. With AppDynamics, you get 100% visibility into your
> > Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics
> > Pro!
> > http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
> > _______________________________________________
> > WiX-users mailing list
> > WiX-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/wix-users
> >
> ------------------------------------------------------------------------------
> Rapidly troubleshoot problems before they affect your business. Most IT 
> organizations don't have a clear picture of how application performance 
> affects their revenue. With AppDynamics, you get 100% visibility into your 
> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
> http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
> _______________________________________________
> WiX-users mailing list
> WiX-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/wix-users
                                          
------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT 
organizations don't have a clear picture of how application performance 
affects their revenue. With AppDynamics, you get 100% visibility into your 
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
_______________________________________________
WiX-users mailing list
WiX-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wix-users

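The setup discussed in this thread (one shared .targets file supplied through CustomAfterWixTargets, signtool selecting the certificate by sha1 hash, plus timestamping), written out as an added example that is not code from the thread or from the WiX toolset. The file name, the property names SignToolPath, SigningCertSha1 and TimestampUrl, and the timestamp URL are hypothetical; it assumes the build passes /p:SignOutput=true and /p:CustomAfterWixTargets=<path to this file>, and a signtool version that supports the RFC 3161 switches.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Signing.targets (added example; file and property names are hypothetical) -->
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <!-- Defaults, overridable with /p:Name=value on the msbuild command line -->
    <SignToolPath Condition="'$(SignToolPath)' == ''">signtool.exe</SignToolPath>
    <!-- Placeholder URL: point this at your CA's RFC 3161 timestamp service -->
    <TimestampUrl Condition="'$(TimestampUrl)' == ''">http://timestamp.example.invalid</TimestampUrl>
    <!-- /sha1 selects the certificate in the store by thumbprint, so no key
         file or password has to appear in the project or on the command line -->
    <SignCommand>"$(SignToolPath)" sign /sha1 $(SigningCertSha1) /fd sha256 /tr $(TimestampUrl) /td sha256</SignCommand>
  </PropertyGroup>

  <!-- Fail closed: no thumbprint means a build error, not an unsigned installer -->
  <Target Name="CheckSigningInputs">
    <Error Condition="'$(SigningCertSha1)' == ''"
           Text="SigningCertSha1 is not set; refusing to produce unsigned output." />
  </Target>

  <!-- Cabinets and MSIs are signed one file per Exec call (item batching) -->
  <Target Name="SignCabs" DependsOnTargets="CheckSigningInputs">
    <Exec Command="$(SignCommand) &quot;%(SignCabs.FullPath)&quot;" />
  </Target>
  <Target Name="SignMsi" DependsOnTargets="CheckSigningInputs">
    <Exec Command="$(SignCommand) &quot;%(SignMsi.FullPath)&quot;" />
  </Target>

  <!-- Bundles: WiX detaches the Burn engine, calls SignBundleEngine, reattaches
       it, then calls SignBundle on the finished .exe -->
  <Target Name="SignBundleEngine" DependsOnTargets="CheckSigningInputs">
    <Exec Command="$(SignCommand) &quot;@(SignBundleEngine)&quot;" />
  </Target>
  <Target Name="SignBundle" DependsOnTargets="CheckSigningInputs">
    <Exec Command="$(SignCommand) &quot;@(SignBundle)&quot;" />
    <!-- Verify the final bundle so a bad signature breaks the build -->
    <Exec Command="&quot;$(SignToolPath)&quot; verify /pa &quot;@(SignBundle)&quot;" />
  </Target>
</Project>
```

Because the file is injected by the build rather than referenced from each .wixproj, a newly created bundle project picks up signing without a per-project edit; where the key lives behind a signing service, the Exec commands would call that service's submission tool instead.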