I am trying to deploy some MVC4 web apps with secure bindings on Windows Server 2008R2 and WiX 3.6 (stable)
I am desperately trying to get this to work without resorting to writing a follow-up powershell script or my own custom action.
The WiX iis:Certificate extension wants to install the certificate for me first before I can use it. That's not going to work in a production environment. The certificate is not going to be available to the installer at any time in .cer or .pfx form. It will already be deployed on the target machine in the localMachine/my store where you'd normally go when installing manually with the IIS7 snap-in. I will want the installer to be able to reference it by supplying any of the following: thumbprint, Friendly id or perhaps find it matching the web site host header binding pattern.
Is there any way of referencing a pre-installed certificate in WiX script without having the original .pfx file and password at build time or install time? (I got these last two scenarios working fine in test, but it isn't what the client wants).
Thanks.
I had a similar requirement to you so I wrote a post about it:
http://manyrootsofallevilrants.blogspot.co.uk/2013/07/assign-certificate-set-https-binding.html
Well it's been a while since I posted this.
Since then, I got on with it and wrote a custom action in C# to do the heavy lifting. Powershell didn't seem to give me the control of failure modes that I needed.
I can't post the code - since it belongs to my client, but I can say that I used Microsoft.Web.Administration in a similar way to that described in this question: Programatically Import Cert Into IIS. I hope that helps. It wasn't the answer I wanted, but it did solve the problem.
Related
I currently spike with WiX 3.11.2 to build a burn bootstrapping application that downloads packages from a local http server currently without any authentication.
Due to a lack of documentation of WiX burn I mostly reverse engineered how to set the UpdateLocation + how to check for updates via skimming through the UpdateViewModel.cs from the Wix3 repository.
As far as I have read, the
Engine.SetDownloadSource(ea.PackageOrContainerId,ea.PayloadId, dlUrl,user,pass);
can be used to download with no AUTH (last 2 parameters null) or plain authentication. Without authentication I already have a working prototype - but I will need the possibility to authenticate against a OAUTH secured web server.
If I were to need for instance to download behind a OAUTH2 authentication would the best practice be to use the OnResolveSourdce Event and instead of setting the Result to Result.Download, just do it myself with OAUTH2 libraries and download it to the ea.LocalSource so the engine basically thinks that the source has always been already available?
My second question is with regards to the UpdateLocation.
In the OnDetectUpdateBegin event I can set the ea.Result to Result.Ok if I want to check for upates - but I would like to be able to change the UpdateLocation during runtime, similar to what the Visual Studio Installer allows - to have different ReleaseFeeds, something like PROD or TESTING or Preview.
is there any possiblity to tell the Engine to set the UpdateLocation to a different URI? It would seem that the OnDetectUpdateBegin event would be perfect to change that, but the ea.UpdateLocation only has a Get, and I did not find a Engine.SetUpdate location or anything similar.
If I am not mistaken the VStudio installer is also built upon WiX so I would presume it should be somehow possible - am I missing something here?
Greetings good people of stackoverflow.
I have made an msi-installer with WIX and some custom actions built in C#. The main reason for this installer is that the original software package we want to silently install, doesn’t support this in a good way. To circumvent this issue, I extracted the files needed and put them in my own installer.
The software itself is an HMI/SCADA system containing two main types: Server and client runtimes. My focus is on the client side. This is needed to run projects made in the SCADA “IDE”.
So, my package installs the client-side SCADA, the project and my custom action creates an ODBC-connection.
The client runtime installs in the exact folders as it would have been with the original MSI i.e in C:\ProgamFiles. The SCADA client project installs in C:\ProgramData. The custom action creates an ODBC using C# and Registry.LocalMachine. The custom action also makes some changes to some textfiles in the SCADA client project in ProgramData.
The installation works well when it’s running from command prompt with “msiexec /quiet /i “Installerproject.msi”.
With all this in mind, there is one customer with an IT department that uses this package to roll out on its user’s machines. They get stuck in SmartScreen and must manually push “Run anyway”. The message is:
Microsoft Defender SmartScreen prevented an unrecognised app from
starting, Running this app might put your PC at risk.
App: “My installer name”
Publisher: Unknown.
I’ve tried use this installer on virtual machines and only with command prompt, and it doesn’t show this message.
I’m not sure what to do. Is the only way to use EV certs? Even if the original software is issued as a trusted publisher? What’s your take on this? I really need some guidance.
Best regards
Thanks Scaler for the nudge to the right direction. I have signed the installer with a CodeSigning certificate.
I am trying to install a privileged helper tool to perform some elevated work. I am using SMJobBless for the same.
I am able to install the tool fine and also able to communicate with it. I am using Mac OS X 10.8.4 and using NSXPCConnection for the same.
I have added .mach service in the plist which will be installed in /Library/LaunchDaemons. I am using [initWithMachServiceName:options:] in the app as the helper is privileged tool and [– initWithMachServiceName:] in the helper to listen. The communication is working fine.
But the problem is I tried the same communication with another application I created which did not have any codesign at all (the helper tool installer earlier was codesigned). I tried to connect to the mach service of the helper tool and was able to connect easily. This is a problem because anybody can communicate with it then and make it do anything.
I wanted some way to securely communicate between my application and the helper tool.
Thanks a lot.
As you've said that you're not signing the second app, I believe that that is the problem that is allowing a 2nd app from calling the helper application. From the Apple docs and specifically the ReadMe file in SMJobBless, it states: -
The Service Management framework uses code signatures to ensure that the helper tool is the one expected to be run by the main application
This document should be able to assist you in getting the helper app correctly associated with its owner.
Note that it references a python script, which is provided here.
Answering my own question: I had logged a radar bug for the same and Apple said that the behavior was intended:
"It is up to the privileged helper to not expose insecure operations"
There was a challenging situation happened when i was working with install to provide product key validation. I had to use C++ unmanaged code to validate the key. Actually we had the main validation logic written in C# and I had to create a mixed project. Problem was not stopped only with these, it continued. Since I used VC++ code, it expected atleast the VC++ runtime redistributable to be installed in the client machine. I thought of dropping the plan to migrate our install to Wix because of these kind of problems.
But I came to know that there is a nice and very cool feature that DTF is available in Wix to integrate any kind of actions in C#. I used it and could integrate the key validation in couple of hours and till now it is working fine in all client machine I implemented before 6 month.
Do you have any interesting moment or nice experience with DTF?
Search my blog at http://blog.deploymentengineering.com for DTF and you'll find a lot of useful content. I love DTF but I still believe that the best solution is to avoid a CA whenever possible in the first place. C#, like VBScript before it, is so luring that it tends to suck imperative thinking developers into writing CAs when not needed. I believe this is the reason DTF wasn't released for so long.
At my day job my approval is required for anyone who believes they need a CA. I instruct the developers on basic MSI philosphy, how to use DTF, how to attach a debugger and I make it clear that they are on the hook if it ever has any issues. The result is very few but well written CAs in our product line.
I have written several .NET CAs to support our WiX based installs:
Managed Wrapper around HTTPAPI.DLL - supports creating IP/Port SSL bindings and HTTP Url ACLs for use in deploying WCF services. I plan to turn this one into a Wix Extension. It was very interesting learning how to properly handle rollbacks, etc.
SSL Picker dialog that displays all the SSL certificates on the system and allows you to pick one.
SQL Server browser dialog - lets you browse your network for SQL Servers and then browse SQL Servers for Databases. Optionally uses impersonation. This is for crafting a connection string.
I am in the process of writing a set of CAs that will use the Microsoft.Web.Administration assembly to do native installs of web applications on IIS 7 (without requiring the IIS 6 Metabase Compatibilty feature be installed).
First off, the C#/DTF custom actions are still custom actions (no magic here :-)), so you should follow all the various CA guidelines working with this kind as well. It simplifies most of MSI tasks by abstracting low-level API behind the high level well-designed classes. Also, keep in mind that you can use managed code CA only in case the target machine has .NET installed (or install it as a prerequisite). Finally, the dtf.chm documentation which is distributed along with WiX toolset has some simple, but self-explanatory examples.
Hope this helps.
I check all over the net and i can't find a way to get the new version of subtext without using the Web platform installer? Why do we need to install a installer in order to get the source code? what's the purpose of this additional hoop? does anyone know how to get any of the web app on the web gallery without using the web platform installer?
edit: ok, i find it on the link text
still what is the purpose of the web installer? why not just give us the source?
The Web Platform Installer is used to download and install the product on your machine. It can handle things like applying the appropriate IIS settings, setting permissions on the file system, etc...
So it's great for getting a running instance of Subtext or other web software working on a server.
If you want the source code, go to http://code.google.com/p/subtext