Use the Visual Studio command prompt with WiX in a build event - wix

I've been trying to sign an MSI file in a post build event with the following code
signtool sign /t http://timestamp.verisign.com/scripts/timestamp.dll /f "E:\Products\Tools\DigitalId\Certificate.pfx" /p 1501ocbc /d "Server" "E:\Products\Setup\Server_Setup\ServerSetup\bin\Release\en-US\ServerSetup.msi"
This will sign OK with the Visual Studio command prompt and similar code works for C++ projects. However, when building the setup and signing the code with post build events, I get a code error, 9009. After much debugging I have come to the conclusion that WiX is using the ordinary command prompt. How do I get cmd.exe in WiX to open with Visual Studio tools?
Or is there another way to sign my packages?

You could define the event like this:
"%programw6432%\microsoft sdks\windows\v7.1\bin\signtool.exe" sign /t etc..
Note: you need to adapt the path to your install (program files, Windows SDK version, etc.), or you could also define your own environment variable.

It looks like there is a built-in way of signing MSI files which seems to work correctly with SignTool: Insignia.

Register the certificate and use the /sha1 hashkey - just to be sure the certificate is good (check browser-internetoptions/content/certificate)
SignTool path - make it explicit as Simon Mourier suggested or put signtool.exe in an accessible path
Choosing postbuild operation - you should sign the MSI file after you've completed all operations upon the MSI file. Any action upon the MSI (INSERT/UPDATE Property) will undo the signing.

Related

unable to find the temporary location for signtool. exiting

I am trying to digitally sign .dll, .exe and .msi files using signUserFiles.exe. I have configured the signing steps in the Cruise Control tool, and when I try to build our project (abc.proj file) using Cruise Control, I get the error below:
EXEC (0,0): error: Unable to find the temporary location for signtool. Exiting...
c:\work\UCA7.3_8.1GA\Client\Sign.targets (31,6): error MSB3073: The command "C:\Programs\Signing\Windows\signUserFiles.exe -as -fd sha256 -file c:\work\UCA7.3_8.1GA\Client\UCA\bin\Release\53xxPCApp.exe" exited with code 1.
I have written commands as below
The same works fine if I build abc.proj directly from a command prompt window using the "msbuild abc.proj" command.
Please help me
Regards
Ganesh
SignTool docs can be found at https://learn.microsoft.com/en-us/windows/desktop/seccrypto/signtool
On my dev VM, I see signtool.exe in the following locations:
C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe
C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool\signtool.exe
I am not familiar with "SignUserFiles.exe" but I always use the Win32 SDK exe and perhaps haven't stumbled across that file name. I always run signtool as a CC.Net "executable task". A little more work perhaps, but I prefer granular control of these things.
See https://ccnet.github.io/CruiseControl.NET/projects/ccnet/wiki/Executable_Task.html for details re: the executable task.

Generate Setup.exe for ClickOnce application using msbuild

Publishing the ClickOnce application via msbuild using command
msbuild /t:publish /p:BootstrapperEnabled=true;PublishDir=C:\publish\;PublishUrl=C:\publish
Throws the error:
error MSB3484: Signing target 'bin\Debug\app.publish\setup.exe' could not be found.
No setup.exe is generated, whereas publishing via Visual Studio IDE generates the setup.exe to the specified folder.
Have looked over the net and found the below solutions
To enable BootstrapperEnable = true,
To specify \ at the end of PublishDir/PublishUrl
And the above solutions don't work for me. Any suggestions would be highly appreciated.
Below command worked:
msbuild /t:publish /p:PublishDir=C:\publish\ /p:ApplicationVersion=1.0.1.1
Didn't have to specify the InstallationFolder, since ClickOnce takes up the folder path from where the user installed the setup.exe as the InstallFolder and looks there for updates.

WiX Heat Pre-build Error

I have a WiX installer that was working fine, but it's been a few months since I worked on it... so, I am now attempting to build the installer (on a reconfigured machine) and now it fails to build every time. I've tried to simplify everything to isolate where it's failing, but I still can't seem to figure out why. Essentially, it looks like it's failing at the pre-build process. I had a lengthy Pre-build Event command, but I've simplified it to the bare essentials. Here's my command:
call “$(WIX)bin\heat.exe” dir "$(SolutionDir)MyProj\bin\Release" -out “$(ProjectDir)MyFiles.wxs”
The error I'm getting is:
call “C:\Program Files (x86)\WiX Toolset v3.10\bin\heat.exe” dir "C:\Users\MyName\Documents\GitHub\MyProj\bin\Release" -out “C:\Users\MyName\Documents\GitHub\MyProj\Installer\MyFiles.wxs”
The filename, directory name, or volume label syntax is incorrect.
The code appears to exit with code 1, which seems to suggest that it's failing to locate a filename or path... however, I've checked the paths that are printed in the output log and the heat.exe application does exist under the C:\Program Files (x86) directory. The directory (dir) it's trying to harvest is properly defined and the output location is as well. So, does anyone know why this is failing?
Update
What's incredibly strange is that the pre-build event command seems to fail even when I simplify the command to try to simply call the heat.exe application (with no other parameters). I tried changing my pre-build event to the following:
call “C:\Program Files (x86)\WiX Toolset v3.10\bin\heat.exe”
As you can see from the attached image, the heat.exe application is indeed located in the directory specified in the build command. Yet, I still get an error saying that the MSBuild failed and exited with code 1. If I check the output log, it says that the, "filename, directory name, or volume label syntax is incorrect". However, I can say that this installer was working properly a few months ago with no changes to the build events... so I really don't know why it wouldn't work now, except that I had to reconfigure my machine and reinstall Windows 10 recently. I downloaded and installed the latest WiX toolset, and would assume that would be everything that is needed. But, this error persists. Any ideas?
This is really dumb but I believe you need to put a \ at the end of your dir IIRC. I think I ran into the same issue at one point. The error is not particularly helpful.
call "$(WIX)bin\heat.exe" dir "$(SolutionDir)MyProj\bin\Release\" -out "$(ProjectDir)MyFiles.wxs"
(I think I was remembering backwards and you need to NOT have the trailing \ in the dir.. sorry)
Just in case you can't get the pre-build event to work, you can also call heat like this (requires editing the wixproj file)
<Target Name="BeforeBuild">
  <Exec Command="&quot;$(WIX)bin\heat.exe&quot; dir &quot;$(SolutionDir)MyProj\bin\Release&quot; -out &quot;$(ProjectDir)MyFiles.wxs&quot;" />
</Target>
This is how I call heat in some of the installers I've authored. If this also doesn't work I'm out of ideas for why this doesn't work for you.
I know it's a little old question but I've faced the issue and spent hours to notice different quotes here: “$(WIX)bin\heat.exe”. Replace with straight ones "$(WIX)bin\heat.exe" and enjoy.
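The pitfalls reported in the threads above (exit code 9009 from a bare signtool name, typographic quotes around heat.exe, a trailing \ before a closing quote, a PFX password passed with /p) can be checked mechanically before a build. The following Python sketch is an added example, not code from any of the posters or from the WiX project; the rule names, the TOOLS set and the sample project are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

SMART_QUOTES = "\u201c\u201d\u2018\u2019"
TOOLS = {"signtool", "insignia", "heat"}          # assumed list of tools to check
# Constructed sample; the commands mirror the ones quoted in the threads above.
SAMPLE_WIXPROJ = (
    '<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003"><PropertyGroup>'
    '<PreBuildEvent>call \u201c$(WIX)bin\\heat.exe\u201d dir "$(SolutionDir)MyProj\\bin\\Release\\"'
    ' -out "$(ProjectDir)MyFiles.wxs"</PreBuildEvent>'
    '<PostBuildEvent>signtool sign /f "c:\\certificates\\mycert.pfx" /p cert-password'
    ' /v $(TargetFileName)</PostBuildEvent></PropertyGroup>'
    '<Target Name="BeforeBuild"><Exec Command="&quot;$(WIX)bin\\heat.exe&quot; dir'
    ' &quot;$(SolutionDir)MyProj\\bin\\Release&quot;" /></Target></Project>'
)

def build_commands(xml_text):
    """Yield (element name, command line) for build events and Exec tasks."""
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]           # drop the MSBuild namespace
        if name in ("PreBuildEvent", "PostBuildEvent"):
            text = el.text or ""
        elif name == "Exec":
            text = el.get("Command", "")
        else:
            continue
        for line in filter(None, map(str.strip, text.splitlines())):
            yield name, line

def lint_command(cmd):
    """Return the rule names that one build-event command line violates."""
    hits = []
    if any(ch in SMART_QUOTES for ch in cmd):
        hits.append("smart-quote")                 # cmd.exe treats only " as a quote
    exe = re.match(r'(?:call\s+)?(?:"([^"]*)"|(\S+))', cmd)
    prog = (exe.group(1) or exe.group(2) or "").lower()
    if re.sub(r"\.exe$", "", prog) in TOOLS:       # no path: resolved through PATH
        hits.append("bare-tool-name")              # not found -> exit code 9009
    if re.search(r'(?<!\\)\\"(?=\s|$)', cmd):
        hits.append("backslash-before-quote")      # \" is read as a literal quote
    if re.search(r'signtool(?:\.exe)?"?\s+sign\b.*\s/p\s+\S', cmd, re.I):
        hits.append("inline-pfx-password")         # secret stored in the project file
    return hits

def lint_wixproj(xml_text):
    """Lint every build command in a .wixproj and return (element, rule) pairs."""
    return [(name, rule) for name, cmd in build_commands(xml_text)
            for rule in lint_command(cmd)]
```

Run `lint_wixproj` over the text of a .wixproj file; an empty list means none of the four patterns was found in its build events or Exec tasks.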

WIX-Installer MSI Publisher Unknown

How to provide publisher Name for MSI installer which is developed using WIX Installer?
While installing my .msi installer it's showing unknown publisher, how to provide a name for publisher? Is it possible to do this within WIX? If so kindly help me how to implement this using WIX installer.
I think you are looking to avoid the security warning that is displayed when someone installs your setup. For this you would need to sign the setup with your certificate and a private key. You can try to do this by following the steps explained in the following links:
How to Digitally Sign Microsoft Files
Signing .MSI and .EXE files
Everything you need to know about Authenticode Code Signing
Assuming you are looking for a publisher name in the control panel Programs and Features. You could use the Manufacturer attribute in your Product tag.
<Product Id="PUT-YOUR-GUID"
Manufacturer="PublisherName"
Name="ProductName"
UpgradeCode="PUT-YOUR-GUID"
Version="1.0.0">
Using WiX's in-built tool insignia is fairly straightforward. Here are the steps to code-sign a WiX MSI:
Add signtool to my PATH. It is commonly found in C:\Program Files (x86)\Windows Kits\10\bin\x64 or, more recently, C:\Program Files (x86)\Windows Kits\10\App Certification Kit
Add insignia to my PATH. Your WiX Toolset directory is commonly found at
"C:\Program Files (x86)\WiX Toolset v3.10\bin"
Sign my MSI in a post-build event (MSI Project -> Properties -> Build Events) by calling this:
signtool sign /f "c:\certificates\mycert.pfx" /p cert-password /d "Your Installer Label" /t http://timestamp.verisign.com/scripts/timstamp.dll /v $(TargetFileName)
Further notes and thoughts:
I have also signed the application (I think) by just doing Project Properties -> Signing and enabling click-once manifests, selecting the certificate and checking the Sign the assembly option.
Here's my similar answer on how to do the same but for a bootstrap bundle: using insignia to sign WiX MSI and bootstrap bundle

Signed WiX Bootstrap EXE can't use taskkill in custom action

We are using WiX to sign and create MSI files and then bundle them into a signed EXE file. The MSIs are generated fine.
Each MSI file contains a command to run at the end to kill the application. In the standard WiX manner, we use CAQuietExec to run a quiet command (we've no Form, so we can't use CloseApplication).
This works just fine for the signed MSI files and also works fine if the MSI file is bundled into an unsigned EXE file.
However, if we sign the EXE, then the signature appears OK, but the kill command causes a 1603 Error Code.
We eventually (by literally commenting out each line in the MSI WXS file, building and running the EXE) isolated the issue to the CAQuietExec line that executes a 'taskkill' command.
Is there a way we can get more information on this? It doesn't make much sense and ensures we can't deploy a bundled EXE file.
I managed to find the problem. We found:
1) .Net 45 rather than .Net4 wouldn't have the issue (i.e. changing the pre-req and our app requirement)
2) The signing should be carried out in WiX
3) Sign all contents AND the MSIs too