Digital Signature Newbie Superfreak3 <Matt.Walker[ at ]synergis.com> 20.06.2007 19:35:47 We are planning on or looking into adding a Digital Signature to our .msi, but not quite sure where to turn or where to start. We use Wise for Windows Installer which provides a Digital Signatures view in which Web URL, Descriptive Name, and Time Stamp URL can be entered. There are also browses to the Credentials File (.spc) and the Private Key File (.pvk). Wise mentions VeriSign in its documentation. I was wondering if you have to purchase a digital signature from an organization like VeriSign or is there a way to create your own digital signature? We are embarking on this journey due to VISTA and the 'friendlier' dialog that is displayed if the installation package is digitally signed. If a digital signature is added to a package destined for a pre-Vista OS, will the behavior of the installation in any way change? Will there be any dialogs that appear to allow the installation due to the addition of a digital signature? The reason I ask this question is because currently, our application will look to update itself by looking for a new .msi. If found, the installation runs silently. If adding a digital signature would alter this behavior (pre-Vista OS), I may have to rethink the digital signature concept at this time because I wouldn't want to have to maintain a separate install for Vista, which would then include the signature. I'm confused and looking for guidance and realize this may not be the best group for these questions, but any help/guidance is greatly appreciated! Thanks in advance for any information!!!

Re: Digital Signature Newbie "Adrian Accinelli" <hclnospamalias2[ at ]newsgroup.nospam> 21.06.2007 21:26:31 "Superfreak3" <Matt.Walker[ at ]synergis.com> wrote in message news:1182368147.204904.233260[ at ]e9g2000prf.googlegroups.com... [Quoted Text] > We are planning on or looking into adding a Digital Signature to > our .msi, but not quite sure where to turn or where to start. We use > Wise for Windows Installer which provides a Digital Signatures view in > which Web URL, Descriptive Name, and Time Stamp URL can be entered. > There are also browses to the Credentials File (.spc) and the Private > Key File (.pvk). > > Wise mentions VeriSign in its documentation. I was wondering if you > have to purchase a digital signature from an organization like > VeriSign or is there a way to create your own digital signature? > > We are embarking on this journey due to VISTA and the 'friendlier' > dialog that is displayed if the installation package is digitally > signed. If a digital signature is added to a package destined for a > pre-Vista OS, will the behavior of the installation in any way > change? Will there be any dialogs that appear to allow the > installation due to the addition of a digital signature? The reason I > ask this question is because currently, our application will look to > update itself by looking for a new .msi. If found, the installation > runs silently. If adding a digital signature would alter this > behavior (pre-Vista OS), I may have to rethink the digital signature > concept at this time because I wouldn't want to have to maintain a > separate install for Vista, which would then include the signature. > > I'm confused and looking for guidance and realize this may not be the > best group for these questions, but any help/guidance is greatly > appreciated! > > Thanks in advance for any information!!! > Generic code signing info: http://msdn2.microsoft.com/en-us/library/ms537361.aspx http://msdn2.microsoft.com/en-us/library/aa140234(office.10).aspx The second link about shows you how to create a test certificate which is useful for local testing only. You shouldn't consider releasing such a package to a customer. I suggest working with test certificates to understand how it really affects things in your environment. You don't have to go with VeriSign to get a digital code signing certificate. That is unless you want to establish a winqual account in order to participate in a windows logo programs/driver signing. Even then your code/driver can be signed with another certificate - you just need a Verisign certificate to sign agreements/packages that will be uploaded to the winqual site itself. Signing will not negatively affect your MSI file use downlevel from Vista. However it won't suddenly allow you to by-pass UAC prompts. Your application will have to be elevated in order to silently run the installation without prompts -- either that or have a service perform the installation for you. Also note that you can sign your MSI file independently from the tool you use to create the MSI package - most MSI creation tools just make it easier to do it automatically (as you can see by the various signing fields in the Wise application). The basic tools (makecert/signtool) are included in the Windows SDK. You can also search the net for step by step instructions on how to use each tool. Sincerely, Adrian Accinelli

Re: Digital Signature Newbie "Dan" <Dan[ at ]NoSpam.com> 21.06.2007 22:19:30 "Superfreak3" <Matt.Walker[ at ]synergis.com> wrote in message news:1182368147.204904.233260[ at ]e9g2000prf.googlegroups.com... [Quoted Text] > We are planning on or looking into adding a Digital Signature to > our .msi, but not quite sure where to turn or where to start. We use > Wise for Windows Installer which provides a Digital Signatures view in > which Web URL, Descriptive Name, and Time Stamp URL can be entered. > There are also browses to the Credentials File (.spc) and the Private > Key File (.pvk). > > Wise mentions VeriSign in its documentation. I was wondering if you > have to purchase a digital signature from an organization like > VeriSign or is there a way to create your own digital signature? You need to purchase a code signing certificate from an authority if you want to avoid the nasty warnings that Windows displays when they try to run your setup. I would not pay the price for a VeriSign certificate unless you want to get the "Works With Vista" certification from Microsoft. I believe they require that you go with VeriSign. I used Thawte (which is actually owned by VeriSign) for a couple years but they aren't as competitive as they used to be in their prices. I just got a new one year code signing cert from Comodo for only $75. I got the deal through a Comodo reseller at https://secure.ksoftware.net/code_signing.html. The price is $85 but I got it for $75 because I'm a member of the Association of Shareware Professionals (http://www.asp-shareware.org).

Re: Digital Signature Newbie Superfreak3 <Matt.Walker[ at ]synergis.com> 02.07.2007 13:55:05 On Jun 21, 5:26 pm, "Adrian Accinelli" <hclnospamali...[ at ]newsgroup.nospam> wrote: [Quoted Text] > "Superfreak3" <Matt.Wal...[ at ]synergis.com> wrote in message > > news:1182368147.204904.233260[ at ]e9g2000prf.googlegroups.com... > > > > > > > We are planning on or looking into adding a Digital Signature to > > our .msi, but not quite sure where to turn or where to start. We use > > Wise for Windows Installer which provides a Digital Signatures view in > > which Web URL, Descriptive Name, and Time Stamp URL can be entered. > > There are also browses to the Credentials File (.spc) and the Private > > Key File (.pvk). > > > Wise mentions VeriSign in its documentation. I was wondering if you > > have to purchase a digital signature from an organization like > > VeriSign or is there a way to create your own digital signature? > > > We are embarking on this journey due to VISTA and the 'friendlier' > > dialog that is displayed if the installation package is digitally > > signed. If a digital signature is added to a package destined for a > > pre-Vista OS, will the behavior of the installation in any way > > change? Will there be any dialogs that appear to allow the > > installation due to the addition of a digital signature? The reason I > > ask this question is because currently, our application will look to > > update itself by looking for a new .msi. If found, the installation > > runs silently. If adding a digital signature would alter this > > behavior (pre-Vista OS), I may have to rethink the digital signature > > concept at this time because I wouldn't want to have to maintain a > > separate install for Vista, which would then include the signature. > > > I'm confused and looking for guidance and realize this may not be the > > best group for these questions, but any help/guidance is greatly > > appreciated! > > > Thanks in advance for any information!!! > > Generic code signing info:http://msdn2.microsoft.com/en-us/library/ms537361.aspxhttp://msdn2.microsoft.com/en-us/library/aa140234(office.10).aspx > > The second link about shows you how to create a test certificate which is > useful for local testing only. You shouldn't consider releasing such a > package to a customer. I suggest working with test certificates to > understand how it really affects things in your environment. > > You don't have to go with VeriSign to get a digital code signing > certificate. That is unless you want to establish a winqual account in > order to participate in a windows logo programs/driver signing. Even then > your code/driver can be signed with another certificate - you just need a > Verisign certificate to sign agreements/packages that will be uploaded to > the winqual site itself. > > Signing will not negatively affect your MSI file use downlevel from Vista. > However it won't suddenly allow you to by-pass UAC prompts. Your > application will have to be elevated in order to silently run the > installation without prompts -- either that or have a service perform the > installation for you. > > Also note that you can sign your MSI file independently from the tool you > use to create the MSI package - most MSI creation tools just make it easier > to do it automatically (as you can see by the various signing fields in the > Wise application). The basic tools (makecert/signtool) are included in the > Windows SDK. You can also search the net for step by step instructions on > how to use each tool. > > Sincerely, > Adrian Accinelli- Hide quoted text - > > - Show quoted text - You say... "Signing will not negatively affect your MSI file use downlevel from Vista. However it won't suddenly allow you to by-pass UAC prompts. Your application will have to be elevated in order to silently run the installation without prompts -- either that or have a service perform the installation for you. " What do you mean by 'your application will have to be elevated in order to silently run the installation without prompts'? Do you mean there is a way to elevate the .msi so it can be run silently? Also, you follow that up with 'either that or have a service perform the installation for you'. How can this be accomplished, with a service? Is there any documentation out there to explain this? The reason I ask these questions it because we currently have an install that is basically writing 'stuff' all over the place with regards to the registry. It also defaults to an installation location under Program Files, which most end users leave unchanged, but is now considered sacred in VISTA so if they are not an Admin (this occurs with UAC disabled in my testing as well) they receive a message indicating the install cannot continue. Our mechanism of updating our client piece is that our application looks to an .ini for various information. If the information indicates an update is available, our .msi is installed silently. This probably will not work any longer in VISTA so I will have to search for an alternative here as well. I've inherited these various installs since starting my new job last December. They basically have to be reworked. Its difficult because there is some third party stuff in there that writes to HKLM, etc., which is tough to deal with in locked down environments where installing users are not Admin's. The workaround in earlier OSs to VISTA was to indicate that Power Users would be an acceptable means of installation. In Vista, this concept seems to no longer apply really. If anyone out there knows of where I can turn for possible consulting services with regard to installation and security, please let me know. It seems as though you really need someone close to or part of Microsoft to guide you through. THANKS IN ADVANCE FOR ANY HELP, INFORMATION, LINKS PROVIDED!!

Re: Digital Signature Newbie "Adrian Accinelli" <hclnospamalias2[ at ]newsgroup.nospam> 05.07.2007 20:48:25 [Quoted Text] >> Adrian Accinelli- Hide quoted text - >> >> - Show quoted text - > > You say... > > "Signing will not negatively affect your MSI file use downlevel from > Vista. > However it won't suddenly allow you to by-pass UAC prompts. Your > application will have to be elevated in order to silently run the > installation without prompts -- either that or have a service perform > the > installation for you. " > > What do you mean by 'your application will have to be elevated in > order to silently run the installation without prompts'? Do you mean > there is a way to elevate the .msi so it can be run silently? Yes. If the process that launches the installation is already elevated then MSI will happily install without prompting and thus you can silently install your msi in this manner. > Also, you follow that up with 'either that or have a service perform > the installation for you'. How can this be accomplished, with a > service? Is there any documentation out there to explain this? A service runs without a filtered token so as long as it is running with sufficient privilege (NT authority\system is good :) it will be able to launch the installation in a similar way that an elevated process can. I don't know of a link for this but if you read up on generic UAC you will eventually see references to using a secure service to launch elevated processes. This is exactly what you can do to launch elevated silent installations. > The reason I ask these questions it because we currently have an > install that is basically writing 'stuff' all over the place with > regards to the registry. It also defaults to an installation location > under Program Files, which most end users leave unchanged, but is now > considered sacred in VISTA so if they are not an Admin (this occurs > with UAC disabled in my testing as well) they receive a message > indicating the install cannot continue. All fixed as long as installation is started from elevated process. > Our mechanism of updating our client piece is that our application > looks to an .ini for various information. If the information > indicates an update is available, our .msi is installed silently. > This probably will not work any longer in VISTA so I will have to > search for an alternative here as well. If you are *not* doing major upgrades then you could get patches installed without UAC prompt provided that MSP is signed and you have the same certificate listed in the MsiDigitialCertificate table and then referenced by the MsiPatchCertificate table in your MSI file. See http://msdn2.microsoft.com/en-us/library/aa370342.aspx. > > I've inherited these various installs since starting my new job last > December. They basically have to be reworked. Its difficult because > there is some third party stuff in there that writes to HKLM, etc., > which is tough to deal with in locked down environments where > installing users are not Admin's. The workaround in earlier OSs to > VISTA was to indicate that Power Users would be an acceptable means of > installation. In Vista, this concept seems to no longer apply really. You'll need to look at your third party stuff to see if there's updates that work properly with Vista. Writing to HKLM is not a good thing for normal applications on Vista but if you *have* to do it then you should isolate this code and elevate it (COM call or separate process - both will provide UAC prompt) when necessary. > > If anyone out there knows of where I can turn for possible consulting > services with regard to installation and security, please let me > know. It seems as though you really need someone close to or part of > Microsoft to guide you through. Can't help you with the consulting part but I will say that if you really read up on UAC -- download all documents you can get from Microsoft/try to look up UAC team blog -- you'll have a good understanding of how to adapt any existing install/generic application to Vista. Sincerely, Adrian Accinelli