A poll might be a good idea - at least then we / you know what the situation is. If it turns out there's no sensible default because everyone *is* doing everything a different way, then it's sensible to not provide a default. If it turns out that actually a lot of people do it a similar way then maybe it's worth providing a default.
Or perhaps it's just worth improving the documentation because that improves both cases without breaking anybody. I'd be happy to submit a documentation update. (And yes, the codeproject article I said I'd do on extensions is still sitting half-finished waiting for me to find time for it).

One thing I think might be helpful is if there's a topic on signing (or perhaps two - one for bundles and one for MSIs). At the moment the experience is that I google "sign wix bundle" and get to the insignia page - which tells me not to use that. One (or two) topic(s) that listed the 3 (I think?) options for signing might be easier for people to get to grips with.

I think the options are:

For signing a Bundle:

1) Build the bundle, then use the following commands as a post build step:

    insignia -ib bundle.exe -o engine.exe
    signtool sign /a /sha1 <hash> /t <timestamp url> engine.exe
    insignia -ab engine.exe bundle.exe -o bundle.exe
    signtool sign /a /sha1 <hash> /t <timestamp url> bundle.exe

2) Use the CustomAfterWixTargets property to specify a .targets file which contains the SignBundle and SignBundleEngine targets

3) Add the SignBundle and SignBundleEngine targets into your .wixproj (probably by adding an <Import> reference in your .wixproj to a .targets file)

For signing an MSI:

1) Build the MSI with external cabs, sign the cabs, then use insignia to inscribe the MSI with the signature the cabs use (only relevant for MSIs which use external cabs, I think?)

2) Use the CustomAfterWixTargets property to specify a .targets file which contains the SignCabs and SignMsi targets

3) Add the SignCabs and SignMsi targets into your .wixproj (probably by adding an <Import> reference in your .wixproj to a .targets file)

Does that seem right?

Also, I did notice something in the help source:

    <!-- TODO: mention the SignContainers target -->

I haven't used external containers yet so this one is new to me. However, if I was to update the documentation I should probably include this as well.

Thanks

On 3 December 2013 04:47, Blair Murri <os...@live.com> wrote:

> At one time at MSFT (don't know if it is still the case) the machine that
> did codesigning for (most? all?) teams worldwide was solely located in
> (IIRC) Puerto Rico, and the files had to be securely electronically
> transported there, signed, and securely transported back, by a system owned
> by the group managing production signing (despite most build servers being
> in Redmond, Washington). Direct access to the signtool tool wasn't of any
> use in that case.
>
> At my current client, there is no "official" signing in any build leg that
> developers have direct access to. You tell them where your files are and
> they sign them. They sign everything before the "packaging" step of the
> build, but they have to "script" signing things that are "contained" by
> other things built during packaging, like external cabs and everything we
> stick into a bundle.
>
> Seems like everyone does it differently. Maybe we should take a poll to
> see if there is any one "majority" way that we could optimize for, but even
> inside of MSFT it had to be done differently for "production" signing and
> "internal only-test" signing.
>
> -Blair
>
> > Date: Mon, 2 Dec 2013 22:08:16 +0000
> > From: john.ludlow...@gmail.com
> > To: wix-users@lists.sourceforge.net
> > Subject: Re: [WiX-users] Signing bundles - changes needed to each bundle wixproj
> >
> > Fair enough. I guess we have it set up quite simply - a cert in a folder on
> > the file server with restricted access. This is imported into the
> > certificate store on the build machine by the build and selected by sha1
> > hash when calling signtool. We also timestamp.
> >
> > Therefore simply providing a path to signtool, the sha1 and the
> > timestamping url via properties would work for us - that seems like a
> > sensible default which could be overridden
> >
> > Thanks
> > On 2 Dec 2013 18:24, "Rob Mensching" <r...@robmensching.com> wrote:
> >
> > > My experience is that you really want your private key under lock and key.
> > > I heard the room with the private key at MSFT had a hand print reader. Even
> > > the WiX toolset submits our binaries off to a signing service to get
> > > signed. Never saw two organizations implement signing the same way. <sigh/>
> > >
> > > -----Original Message-----
> > > From: John Ludlow [mailto:john.ludlow...@gmail.com]
> > > Sent: Monday, December 2, 2013 10:09 AM
> > > To: General discussion about the WiX toolset.
> > > Subject: Re: [WiX-users] Signing bundles - changes needed to each bundle wixproj
> > >
> > > I suppose that's a good point, Rob - there's lots of ways to sign stuff.
> > > We tend to go to the signtool method (actually a specific version of
> > > signtool for reasons I can't remember) and I kind of figured that would be
> > > the (ahem) generically preferred method of signing things that WiX cares about.
> > >
> > > Anyway, thanks for your help.
> > >
> > > On 2 December 2013 17:59, Rob Mensching <r...@robmensching.com> wrote:
> > >
> > > > Ditto.
> > > >
> > > > And if you come up with a way to set these targets by default
> > > > correctly for the multitude of ways for signing binaries, we'd love to
> > > > discuss it on wix-devs.
> > > >
> > > > -----Original Message-----
> > > > From: Blair Murri [mailto:os...@live.com]
> > > > Sent: Monday, December 2, 2013 9:53 AM
> > > > To: General discussion for Windows Installer XML toolset.
> > > > Subject: Re: [WiX-users] Signing bundles - changes needed to each bundle wixproj
> > > >
> > > > I don't believe there's a preference to one over the other.
> > > > Each has its own costs and risks. Whichever works better in your environment.
> > > > MSBuild is flexible in that regard. (What I do with my clients tends
> > > > to vary based on the client's needs and customs).
> > > >
> > > > -Blair
> > > >
> > > > From: John Ludlow
> > > > Sent: Monday, December 02, 2013 9:49 AM
> > > > To: General discussion for Windows Installer XML toolset.
> > > >
> > > > I see - that was the impression I got from the documentation, but I
> > > > tend to prefer to stay out of those because any changes to the
> > > > .wixprojs are relatively hidden, and we'd have to do the change for
> > > > each bundle .wixproj (and probably each MSI .wixproj). Given the
> > > > hidden nature, it's easy to forget (and more than a little cumbersome to
> > > > implement each change).
> > > >
> > > > We could partially solve this using tools to mandate that this change
> > > > was done before checkin, but we'd have to write a check for that tool.
> > > > It's not difficult, but if we don't need to do it then we'd rather
> > > > not. Similarly, we could write tools to auto-fix this - again, not
> > > > difficult, but if we don't need to do it then we'd rather not.
> > > >
> > > > Ideally, however, the wix targets that come out of the box would have
> > > > this already.
> > > >
> > > > I was wondering whether there's a reason why editing the .wixproj is
> > > > preferred over CustomAfterWixTargets. If Visual Studio did a better
> > > > job of exposing the underlying msbuild code then I'd just tweak the
> > > > .msbuild file, but given how cumbersome it is, I'd rather avoid this if
> > > > I can help it.
> > > >
> > > > On 2 December 2013 16:52, Rob Mensching <r...@robmensching.com> wrote:
> > > >
> > > > > You could do that.
> > > > > I tend to add an explicit .props/.targets file to
> > > > > the .wixprojs myself but you have options with MSBuild.
> > > > >
> > > > > Documentation improvements are always appreciated.
> > > > >
> > > > > -----Original Message-----
> > > > > From: John Ludlow [mailto:john.ludlow...@gmail.com]
> > > > > Sent: Monday, December 2, 2013 8:07 AM
> > > > > To: General discussion about the WiX toolset.
> > > > > Subject: Re: [WiX-users] Signing bundles - changes needed to each bundle wixproj
> > > > >
> > > > > Hi Rob,
> > > > >
> > > > > How would this be invoked from the build? Your message prompted some
> > > > > digging, and I found CustomAfterWixTargets. Would you recommend
> > > > > setting this to the path to my own msbuild .targets file, and
> > > > > providing the SignXXX targets in there?
> > > > >
> > > > > I tried this and it seemed to work.
> > > > >
> > > > > If this is best practice, it would be worth updating the
> > > > > documentation to this effect.
> > > > >
> > > > > On 2 December 2013 14:52, Rob Mensching <r...@robmensching.com> wrote:
> > > > >
> > > > > > Generally, I've seen people use the instructions to check the WiX
> > > > > > toolset into their build process and provide a standard
> > > > > > .props/.targets file for encapsulating all the custom logic for
> > > > > > their build.
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: John Ludlow [mailto:john.ludlow...@gmail.com]
> > > > > > Sent: Monday, December 2, 2013 4:23 AM
> > > > > > To: General discussion for Windows Installer XML toolset.
> > > > > > Subject: [WiX-users] Signing bundles - changes needed to each bundle wixproj
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > We're writing an installer using a bundle to chain two MSIs together.
> > > > > > The bundle should be signed (we generally sign installers and EXEs
> > > > > > and DLLs).
> > > > > > Currently, we're using WiX 3.6 (we currently use Visual Studio
> > > > > > 2008, and 3.7 didn't support that version of Visual Studio).
> > > > > >
> > > > > > We've discovered the 0x80004005 error described here:
> > > > > >
> > > > > > http://windows-installer-xml-wix-toolset.687559.n2.nabble.com/Wix-3-7-Burn-error-0x80004005-Failed-to-extract-all-files-from-container-td7587152.html
> > > > > >
> > > > > > However, the fix for this seems to be to tweak the project files.
> > > > > > This is not a preferred solution for us, as over the next year we
> > > > > > will be creating a significant number of these as we adopt this
> > > > > > technology for some of our existing installers. Since any tweaks
> > > > > > to the projects are hidden (they require right clicking the
> > > > > > project, choosing Edit... and effectively unloading the project
> > > > > > from the solution). We'd have to remember to do that each time we
> > > > > > create a bundle, and I'd rather not have that point of failure.
> > > > > >
> > > > > > I'm planning on using insignia.exe to extract engine.exe, sign it
> > > > > > and then import it. However, it's been suggested this is also less
> > > > > > than ideal (though it's better than having to remember to tweak a
> > > > > > project file).
> > > > > >
> > > > > > I was wondering whether this is improved in later versions of WiX.
> > > > > > I imagine it would be pretty simple for WiX to include this
> > > > > > functionality in the default .wixproj project template, meaning we
> > > > > > don't have to remember to do it ourselves. If this is the case,
> > > > > > would this also support timestamping?
> > > > > >
> > > > > > Or are there any other inventive solutions for solving this issue?
> > > > > >
> > > > > > Thanks
> > > > > >
> > > > > > John
> > > > > >
> > > > > > ------------------------------------------------------------------------------
> > > > > > Rapidly troubleshoot problems before they affect your
> > > > > > business. Most IT organizations don't have a clear picture of how
> > > > > > application performance affects their revenue. With AppDynamics,
> > > > > > you get 100% visibility into your Java,.NET, & PHP application.
> > > > > > Start your 15-day FREE TRIAL of AppDynamics Pro!
> > > > > > http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
> > > > > > _______________________________________________
> > > > > > WiX-users mailing list
> > > > > > WiX-users@lists.sourceforge.net
> > > > > > https://lists.sourceforge.net/lists/listinfo/wix-users
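
Added example (not part of the original thread and not a file shipped with WiX): one shared .targets file covering options 2 and 3 above, with the certificate selected by SHA-1 thumbprint from the build machine's store and a timestamp applied, as described in the thread. The file name and the property names SignToolPath, SigningCertThumbprint and TimestampUrl are assumptions; the Sign* target and item names are the ones the WiX 3.x targets call when SignOutput is true.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Signing.targets (hypothetical file name). Wire it in without editing each .wixproj:
       msbuild Bundle.wixproj /p:SignOutput=true
               /p:CustomAfterWixTargets=<path to>\Signing.targets
               /p:SigningCertThumbprint=<hash> /p:TimestampUrl=<timestamp url>
     or reference it from a .wixproj with an <Import> element. -->
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

  <PropertyGroup>
    <!-- Assumed property names; override per build environment. -->
    <SignToolPath Condition=" '$(SignToolPath)' == '' ">signtool.exe</SignToolPath>
    <!-- The private key stays in the certificate store: no .pfx path or
         password is written into the project or the build log. -->
    <SignCommand>"$(SignToolPath)" sign /sha1 $(SigningCertThumbprint) /t $(TimestampUrl)</SignCommand>
  </PropertyGroup>

  <!-- Fail the build rather than ship unsigned or untimestamped output. -->
  <Target Name="CheckSigningInputs">
    <Error Condition=" '$(SigningCertThumbprint)' == '' "
           Text="SignOutput is true but SigningCertThumbprint is not set." />
    <Error Condition=" '$(TimestampUrl)' == '' "
           Text="SignOutput is true but TimestampUrl is not set." />
  </Target>

  <!-- Bundle: the WiX targets detach the engine, call SignBundleEngine,
       reattach it, then call SignBundle (the four manual steps of option 1). -->
  <Target Name="SignBundleEngine" DependsOnTargets="CheckSigningInputs">
    <Exec Condition=" '@(SignBundleEngine)' != '' "
          Command="$(SignCommand) &quot;%(SignBundleEngine.FullPath)&quot;" />
  </Target>

  <Target Name="SignBundle" DependsOnTargets="CheckSigningInputs">
    <Exec Condition=" '@(SignBundle)' != '' "
          Command="$(SignCommand) &quot;%(SignBundle.FullPath)&quot;" />
  </Target>

  <!-- MSI: external cabs are signed first, then the MSI itself. -->
  <Target Name="SignCabs" DependsOnTargets="CheckSigningInputs">
    <Exec Condition=" '@(SignCabs)' != '' "
          Command="$(SignCommand) &quot;%(SignCabs.FullPath)&quot;" />
  </Target>

  <Target Name="SignMsi" DependsOnTargets="CheckSigningInputs">
    <Exec Condition=" '@(SignMsi)' != '' "
          Command="$(SignCommand) &quot;%(SignMsi.FullPath)&quot;" />
  </Target>

</Project>
```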