Question

Hi. I used to build and sign my setup using WiX 3.11. Now I switched to the current WiX/HeatWave and have recreated the whole setup project. The setup consists of a bundle (built using the template with license) that contains 4 MSIs that are built in separate projects.

Everything works, up until I sign the bundle/bootstrapper. In unsigned form, the bootstrapper runs and installs the MSIs. As soon as it is signed, when run, it simply opens a "File-Open" dialog. All you can do is close this dialog, and the installation terminates.

I tried to extract the engine from the bundle to sign this too and reattach it, but when I try to sign the engine, I only get an (undocumented) error code from trusted signing. For all other files, trusted signing works as it is set up. (I do not know if this problem is in any way related to the first problem.)

Any ideas what might be causing this?

-thomas woelfer
So it turns out, both problems have to do with the order of signing. You absolutely have to do it in this order:

1.) Build Bootstrapper bundle

If you just sign the bootstrapper and not the engine, none of the tools will complain, but the bootstrapper will be corrupted and running it will give you the "file open" dialog.

If you sign the bootstrapper before detaching the "engine", none of the tools will complain, but you get a corrupted engine that neither signtool nor "dotnet sign" will be able to sign. (signtool will spit out an ERR_BAD_EXEIMAGE error, which was what helped me find the root cause for this.)

It would be very nice if maybe "wix detach" would complain if it finds a bootstrapper that is already signed. (Took me all of 3 days to find out I was being dumb.)
I am actually using a .wixproj to build the setup. However, although I know it should be possible to make WiX sign everything during the build, I could not figure out what I actually had to do in that project in order to get signed output. I had seen a remark regarding this in the documentation, and trying it the way it was explained only gave me MSBuild error messages that I could not resolve. (I would very much like to do the signing during the build. I really would.)

So after not being able to find out how to make this work in the project, I went for the command line way, which (for me) was a lot easier to figure out how to use. This is why I am using wix.exe. If you have any pointers as to how I could make this work directly in the build, I'd appreciate this very much. (I also opened a feature, although I am not sure I did it the right way.)
So it turns out, both problems have to do with the order of signing. You absolutely have to do it in this order:
1.) Build Bootstrapper bundle
2.) (Do not sign the bootstrapper at this stage)
3.) Remove "engine" with: wix burn detach PATH_TO_BUNDLE -engine PATH_TO_EXTRACT_ENGINE_TO
4.) Sign engine (doesn't matter if using signtool, dotnettool sign, local cert or trusted signing/artifact signing)
5.) Add engine back to bundle (creating a new file) with: wix burn reattach PATH_TO_BUNDLE -engine PATH_TO_SIGNED_ENGINE -o PATH_TO_SIGNED_BUNDLE
(where PATH_TO_SIGNED_ENGINE == PATH_TO_EXTRACT_ENGINE_TO).
If you just sign the bootstrapper and not the engine, none of the tools will complain, but t…
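
The signing order from the steps above as a PowerShell script, added here as an example and not part of the original posts or of WiX itself. It refuses to detach from a bundle that already carries a signature, which is the failure described in the thread. The parameter names, the helper functions, the signtool arguments, the placeholder timestamp URL and the final signing of the reattached bundle are assumptions.

```powershell
# Added example. Helper names, signtool arguments and the timestamp URL are assumptions.
param(
    [Parameter(Mandatory)] [string] $Bundle,        # unsigned bundle produced by the build
    [Parameter(Mandatory)] [string] $SignedBundle,  # where the signed bundle is written
    [string] $TimestampUrl = 'http://timestamp.example.invalid'  # placeholder, replace it
)
$ErrorActionPreference = 'Stop'
$engine = Join-Path ([IO.Path]::GetTempPath()) 'burn-engine.exe'

# Fail unless the file's Authenticode status is exactly the expected one.
function Assert-SignatureStatus([string] $Path, [string] $Expected) {
    $status = (Get-AuthenticodeSignature -FilePath $Path).Status
    if ("$status" -ne $Expected) {
        throw "Signature status of $Path is $status, expected $Expected"
    }
}

# Run a native tool and stop on a non-zero exit code.
function Invoke-Tool([string] $Exe, [string[]] $ToolArgs) {
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# Assumed signing command (certificate picked from the local store with /a).
# Replace the body with dotnet sign or trusted signing as needed.
function Add-Signature([string] $Path) {
    Invoke-Tool 'signtool' @('sign', '/fd', 'SHA256', '/tr', $TimestampUrl,
                             '/td', 'SHA256', '/a', $Path)
    Assert-SignatureStatus $Path 'Valid'
}

# Steps 1-2: the bundle must still be unsigned, otherwise detach yields an
# engine that signtool rejects.
Assert-SignatureStatus $Bundle 'NotSigned'

# Step 3: detach the engine from the unsigned bundle.
Invoke-Tool 'wix' @('burn', 'detach', $Bundle, '-engine', $engine)

# Step 4: sign the engine on its own.
Add-Signature $engine

# Step 5: reattach the signed engine, writing a new bundle file.
Invoke-Tool 'wix' @('burn', 'reattach', $Bundle, '-engine', $engine, '-o', $SignedBundle)

# Assumed last step, not in the visible list: sign the reattached bundle.
Add-Signature $SignedBundle
```

`Get-AuthenticodeSignature` reports `Valid` only when the certificate chain is trusted on the build machine, so a self-signed test certificate will fail the check in `Add-Signature`.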