Welcome to Vista Forums. We are your forum to discuss Windows Vista x64 and x86 systems. Whether you need help or just want to post an idea you have on Vista, this is the forum for you.
| | #1 (permalink) |
| Guest | Prepping for Patching... |

We just received our digital certificate and it appears that it has been added or applied to our all inclusive .msi installation package file accordingly. We now get the friendlier UAC prompt listing the app, company, etc.

Now, what I would like to do is populate the msiPatchCertificate table as a precursor requirement for credential free patching. However, this seems to be dependent upon an entry in the msiDigitalCertificate table. Even though my base install seems to be functioning properly after application of the signature, there is nothing in my test package's msiDigitalCertificate table.

I thought I read somewhere that this table is only populated if external .cab files are signed. If this is correct, we have no external .cab's as it's only the all inclusive .msi.

How can I populate the msiPatchCertificate table if the above is correct? Would something have to be added to the msiDigitalCertificate table as well? I wouldn't mind populating the information manually. I would just hope it would be held with subsequent compiles of our installation via Wise for Windows Installer.

Any help greatly appreciated!
| | #2 (permalink) |
| Guest | Re: Prepping for Patching... |

"Superfreak3" <Matt.Walker@synergis.com> wrote in message news:1187277948.079017.234010@r29g2000hsg.googlegroups.com...

> We just received our digital certificate and it appears that it has
> been added or applied to our all inclusive .msi installation package
> file accordingly. We now get the friendlier UAC prompt listing the
> app, company, etc.
>
> Now, what I would like to do is populate the msiPatchCertificate table
> as a precursor requirement for credential free patching. However,
> this seems to be dependent upon an entry in the msiDigitalCertificate
> table. Even though my base install seems to be functioning properly
> after application of the signature, there is nothing in my test
> package's msiDigitalCertificate table.
>
> I thought I read somewhere that this table is only populated if
> external .cab files are signed. If this is correct, we have no
> external .cab's as it's only the all inclusive .msi.
>
> How can I populate the msiPatchCertificate table if the above is
> correct? Would something have to be added to the msiDigitalCertificate
> table as well? I wouldn't mind populating the information manually.
> I would just hope it would be held with subsequent compiles of our
> installation via Wise for Windows Installer.
>
> Any help greatly appreciated!

Signing of the MSI itself and the population of rows in the various MSI digital signature related tables in the file itself are independent from one another.

The final steps to get you going are:

1. Add a new row into the MsiDigitalCertificate table like:

       DigitalCertificate               CertData
       VerisignCodeSignYourCompany2007  <object>

   Get <object> by running certmgr.msc and exporting your code signing certificate (DER encoded binary X.509 .cer format works) to a file. This <object> is your certificate file and will be streamed into the table during your MSI build process -- likely Wise will have a dialog related to this table. If not, it should handle custom tables with binary entries and allow you to specify a file path for <object>. If not, buy another tool. No, not really -- just use orca to add the row manually and then create a transform that only includes this change. Now apply the MST to your MSI as a postbuild script using msitran.exe.

2. Now add a row into the MsiPatchCertificate table:

       PatchCertificate    DigitalCertificate_
       2007PatchSignature  VerisignCodeSignYourCompany2007

   This basically tells the installer that any MSP file that is signed using the certificate referenced by the row VerisignCodeSignYourCompany2007 in the MsiDigitalCertificate table should be considered trusted and thus allows you to bypass UAC prompt on Vista+ when running the patch -- even as non-admin.

Note the names are arbitrary, since the installer doesn't care. But I like the idea of somehow conveying the certificate provider, company and year the certificate became active to an administrator.

Sincerely,
Adrian Accinelli
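The two table edits from the reply above, done as a post-build script through the Windows Installer automation interface rather than with orca plus a transform. This is an added example, not code from the thread: the script name and the command-line paths are assumptions, and the row keys are the ones used in the reply.

```vbscript
' Added example, not code from the thread. Run after the MSI build, before signing:
'   cscript //nologo AddPatchCert.vbs C:\build\Product.msi C:\build\codesign.cer
' (script name and paths are placeholders)
Option Explicit
Const msiOpenDatabaseModeTransact = 1
Const msiEvaluateConditionTrue    = 1   ' TablePersistent: table exists and is persistent

' Row keys as used in the thread; the installer treats them as arbitrary labels.
Const CERT_KEY  = "VerisignCodeSignYourCompany2007"
Const PATCH_KEY = "2007PatchSignature"

Dim installer, db, rec, view
If WScript.Arguments.Count <> 2 Then
    WScript.Echo "usage: AddPatchCert.vbs <package.msi> <public-cert.cer>"
    WScript.Quit 1
End If

Set installer = CreateObject("WindowsInstaller.Installer")
Set db = installer.OpenDatabase(WScript.Arguments(0), msiOpenDatabaseModeTransact)

' Create the tables when the authoring tool left them out of the package.
' (_Validation rows are not added here, so validation suites may warn about them.)
EnsureTable "MsiDigitalCertificate", _
    "(`DigitalCertificate` CHAR(72) NOT NULL, `CertData` OBJECT NOT NULL PRIMARY KEY `DigitalCertificate`)"
EnsureTable "MsiPatchCertificate", _
    "(`PatchCertificate` CHAR(72) NOT NULL, `DigitalCertificate_` CHAR(72) NOT NULL PRIMARY KEY `PatchCertificate`)"

' Step 1: stream the exported .cer (public certificate only, never the .pvk) into CertData.
Set rec = installer.CreateRecord(2)
rec.StringData(1) = CERT_KEY
rec.SetStream 2, WScript.Arguments(1)
Set view = db.OpenView("INSERT INTO `MsiDigitalCertificate` (`DigitalCertificate`, `CertData`) VALUES (?, ?)")
view.Execute rec
view.Close

' Step 2: mark patches signed with that certificate as trusted for this product.
Set rec = installer.CreateRecord(2)
rec.StringData(1) = PATCH_KEY
rec.StringData(2) = CERT_KEY
Set view = db.OpenView("INSERT INTO `MsiPatchCertificate` (`PatchCertificate`, `DigitalCertificate_`) VALUES (?, ?)")
view.Execute rec
view.Close

db.Commit
WScript.Echo "Rows added. The file changed, so sign the .msi after this step."

Sub EnsureTable(name, columns)
    Dim v
    If db.TablePersistent(name) <> msiEvaluateConditionTrue Then
        Set v = db.OpenView("CREATE TABLE `" & name & "` " & columns)
        v.Execute
        v.Close
    End If
End Sub
```

The inserts fail if a row with the same key already exists, which keeps a rebuilt package from silently carrying two different certificates under one label.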
| | #3 (permalink) |
| Guest | Re: Prepping for Patching... |

On Aug 16, 12:49 pm, "Adrian Accinelli" <hclnospamali...@newsgroup.nospam> wrote:

> "Superfreak3" <Matt.Wal...@synergis.com> wrote in message
> news:1187277948.079017.234010@r29g2000hsg.googlegroups.com...
>
> > We just received our digital certificate and it appears that it has
> > been added or applied to our all inclusive .msi installation package
> > file accordingly. We now get the friendlier UAC prompt listing the
> > app, company, etc.
> >
> > Now, what I would like to do is populate the msiPatchCertificate table
> > as a precursor requirement for credential free patching. However,
> > this seems to be dependent upon an entry in the msiDigitalCertificate
> > table. Even though my base install seems to be functioning properly
> > after application of the signature, there is nothing in my test
> > package's msiDigitalCertificate table.
> >
> > I thought I read somewhere that this table is only populated if
> > external .cab files are signed. If this is correct, we have no
> > external .cab's as it's only the all inclusive .msi.
> >
> > How can I populate the msiPatchCertificate table if the above is
> > correct? Would something have to be added to the msiDigitalCertificate
> > table as well? I wouldn't mind populating the information manually.
> > I would just hope it would be held with subsequent compiles of our
> > installation via Wise for Windows Installer.
> >
> > Any help greatly appreciated!
>
> Signing of the MSI itself and the population of rows in the various MSI
> digital signature related tables in the file itself are independent from one
> another.
>
> The final steps to get you going are:
>
> 1. Add a new row into the MsiDigitalCertificate table like:
>
> DigitalCertificate CertData
> VerisignCodeSignYourCompany2007 <object>
>
> Get <object> by running certmgr.msc and exporting your code signing
> certificate (DER encoded binary X.509 .cer format works) to a file. This
> <object> is your certificate file and will be streamed into the table during
> your MSI build process -- likely Wise will have a dialog related to this
> table. If not, it should handle custom tables with binary entries and allow
> you to specify a file path for <object>. If not, buy another tool. No, not
> really -- just use orca to add the row manually and then create a transform
> that only includes this change. Now apply the MST to your MSI as a postbuild
> script using msitran.exe.
>
> 2. Now add a row into the MsiPatchCertificate table
> PatchCertificate DigitalCertificate_
> 2007PatchSignature VerisignCodeSignYourCompany2007
>
> This basically tells the installer that any MSP file that is signed using
> the certificate referenced by the row VerisignCodeSignYourCompany2007 in the
> MsiDigitalCertificate table should be considered trusted and thus allows
> you to bypass UAC prompt on Vista+ when running the patch -- even as
> non-admin.
>
> Note the names are arbitrary, since the installer doesn't care. But I like
> the idea of somehow conveying the certificate provider, company and year the
> certificate became active to an administrator.
>
> Sincerely,
> Adrian Accinelli

OK, here is what I did to sign my .msi. I simply placed our .spc and .pvk file in Windows or any other directory and browsed to both via Wise and or Signcode.exe Wizard. Do I have to import my certificate via certmgr.msc before I can export it, because I can't find it currently? If so, under which 'node' should I put it? I'm doing this on my own personal machine as a test before setting this up on my actual installation build system, so I just want to be sure I don't screw anything up.

I see to import it only accepts certain file formats. Is there a way to get the .spc .pvk information into one of these formats?
| | #4 (permalink) |
| Guest | Re: Prepping for Patching... |

"Superfreak3" <Matt.Walker@synergis.com> wrote in message news:1187362684.298702.57970@50g2000hsm.googlegroups.com...

> On Aug 16, 12:49 pm, "Adrian Accinelli"

<< SNIP >>

> OK, here is what I did to sign my .msi. I simply placed our .spc
> and .pvk file in Windows or any other directory and browsed to both
> via Wise and or Signcode.exe Wizard. Do I have to import my
> certificate via certmgr.msc before I can export it, because I can't
> find it currently? If so, under which 'node' should I put it? I'm
> doing this on my own personal machine as a test before setting this up
> on my actual installation build system, so I just want to be sure I
> don't screw anything up.
>
> I see to import it only accepts certain file formats. Is there a way
> to get the .spc .pvk information into one of these formats?

The dialog you are using in Wise is likely the "package signing" wizard. That only handles the external MSI signing itself. Ignore that wizard since you've got that working. Instead you need to find the area where the MsiDigitalCertificate table is accessible in Wise. Maybe through advanced tables or something?

I think also that the Wise project file, like InstallShield, when saved in binary is actually an MSI file, so you should try opening it in orca to see if you can see the signing tables there.

If you can't find it, check help and search for it. Also you should check the Wise forum for other people doing this with Wise.

If there's still no way to get it through the Wise version you are using then I suggest you use the postbuild transform method I suggested in the previous post to apply your changes. Except in doing this you will re-sign the MSI file since you will have made changes to the file. In this case it's probably best not to sign with Wise.

As for switching from SPC/PVK to CER, it's easy. An SPC is just a formally packaged set of CER files (simplest answer). The PVK is your private key so you don't want that going out *ever*. Double click the SPC file, which should bring up the certificate manager. In the right pane should be probably two certificates (one from your company and another from the certificate provider) -- right click on the one with your company name and choose export. This brings up a wizard which allows you to create a CER file.

Sincerely,
Adrian Accinelli
| | #5 (permalink) |
| Guest | Re: Prepping for Patching... |

On Aug 17, 1:30 pm, "Adrian Accinelli" <hclnospamali...@newsgroup.nospam> wrote:

> "Superfreak3" <Matt.Wal...@synergis.com> wrote in message
> news:1187362684.298702.57970@50g2000hsm.googlegroups.com...
>
> > On Aug 16, 12:49 pm, "Adrian Accinelli"
>
> << SNIP >>
>
> > OK, here is what I did to sign my .msi. I simply placed our .spc
> > and .pvk file in Windows or any other directory and browsed to both
> > via Wise and or Signcode.exe Wizard. Do I have to import my
> > certificate via certmgr.msc before I can export it, because I can't
> > find it currently? If so, under which 'node' should I put it? I'm
> > doing this on my own personal machine as a test before setting this up
> > on my actual installation build system, so I just want to be sure I
> > don't screw anything up.
> >
> > I see to import it only accepts certain file formats. Is there a way
> > to get the .spc .pvk information into one of these formats?
>
> The dialog you are using in Wise is likely the "package signing" wizard.
> That only handles the external MSI signing itself. Ignore that wizard since
> you've got that working. Instead you need to find the area where the
> MsiDigitalCertificate table is accessible in Wise. Maybe through advanced
> tables or something?
>
> I think also that the Wise project file, like InstallShield, when saved in
> binary is actually an MSI file, so you should try opening it in orca to see
> if you can see the signing tables there.
>
> If you can't find it, check help and search for it. Also you should check
> the Wise forum for other people doing this with Wise.
>
> If there's still no way to get it through the Wise version you are using
> then I suggest you use the postbuild transform method I suggested in the
> previous post to apply your changes. Except in doing this you will re-sign
> the MSI file since you will have made changes to the file. In this case
> it's probably best not to sign with Wise.
>
> As for switching from SPC/PVK to CER, it's easy. An SPC is just a formally
> packaged set of CER files (simplest answer). The PVK is your private key so
> you don't want that going out *ever*. Double click the SPC file, which
> should bring up the certificate manager. In the right pane should be
> probably two certificates (one from your company and another from
> the certificate provider) -- right click on the one with your company name and
> choose export. This brings up a wizard which allows you to create a CER file.
>
> Sincerely,
> Adrian Accinelli

Oh, sorry.... I can get to the tables with no problem in Wise, as they have a tables view since their template file is akin to an .msi database. It was your last comments I was seeking.

I'll give the export a shot and will probably have more questions on folding this in to the tables, but I have another quick question....

Does it matter where/on which machine I create the export file from? In other words, if I create the export file on my testing system, can I just take that file and use it on my actual build machine?

THANKS FOR THE HELP!!!
| | #6 (permalink) |
| Guest | Re: Prepping for Patching... |

On Aug 17, 1:33 pm, Superfreak3 <Matt.Wal...@synergis.com> wrote:

> On Aug 17, 1:30 pm, "Adrian Accinelli"
> <hclnospamali...@newsgroup.nospam> wrote:
>
> > "Superfreak3" <Matt.Wal...@synergis.com> wrote in message
> > news:1187362684.298702.57970@50g2000hsm.googlegroups.com...
> >
> > > On Aug 16, 12:49 pm, "Adrian Accinelli"
> >
> > << SNIP >>
> >
> > > OK, here is what I did to sign my .msi. I simply placed our .spc
> > > and .pvk file in Windows or any other directory and browsed to both
> > > via Wise and or Signcode.exe Wizard. Do I have to import my
> > > certificate via certmgr.msc before I can export it, because I can't
> > > find it currently? If so, under which 'node' should I put it? I'm
> > > doing this on my own personal machine as a test before setting this up
> > > on my actual installation build system, so I just want to be sure I
> > > don't screw anything up.
> > >
> > > I see to import it only accepts certain file formats. Is there a way
> > > to get the .spc .pvk information into one of these formats?
> >
> > The dialog you are using in Wise is likely the "package signing" wizard.
> > That only handles the external MSI signing itself. Ignore that wizard since
> > you've got that working. Instead you need to find the area where the
> > MsiDigitalCertificate table is accessible in Wise. Maybe through advanced
> > tables or something?
> >
> > I think also that the Wise project file, like InstallShield, when saved in
> > binary is actually an MSI file, so you should try opening it in orca to see
> > if you can see the signing tables there.
> >
> > If you can't find it, check help and search for it. Also you should check
> > the Wise forum for other people doing this with Wise.
> >
> > If there's still no way to get it through the Wise version you are using
> > then I suggest you use the postbuild transform method I suggested in the
> > previous post to apply your changes. Except in doing this you will re-sign
> > the MSI file since you will have made changes to the file. In this case
> > it's probably best not to sign with Wise.
> >
> > As for switching from SPC/PVK to CER, it's easy. An SPC is just a formally
> > packaged set of CER files (simplest answer). The PVK is your private key so
> > you don't want that going out *ever*. Double click the SPC file, which
> > should bring up the certificate manager. In the right pane should be
> > probably two certificates (one from your company and another from
> > the certificate provider) -- right click on the one with your company name and
> > choose export. This brings up a wizard which allows you to create a CER file.
> >
> > Sincerely,
> > Adrian Accinelli
>
> Oh, sorry.... I can get to the tables with no problem in Wise, as
> they have a tables view since their template file is akin to an .msi
> database. It was your last comments I was seeking.
>
> I'll give the export a shot and will probably have more questions on
> folding this in to the tables, but I have another quick question....
>
> Does it matter where/on which machine I create the export file from?
> In other words, if I create the export file on my testing system, can
> I just take that file and use it on my actual build machine?
>
> THANKS FOR THE HELP!!!

I populated the tables as you indicated and it seems Wise did grab the 'stuff' for the Binary table properly as I was able to patch a sample app without having to elevate on Vista with UAC enabled. Thank you so much for all the help.

If I can use my exported .cer file on any machine I think I may be all set.

If you could just let me know if that would be OK, I would be most appreciative.

Thanks again!
| | #7 (permalink) |
| Guest | Re: Prepping for Patching... |

"Superfreak3" <Matt.Walker@synergis.com> wrote in message news:1187374045.112703.270720@g4g2000hsf.googlegroups.com...

<< SNIP >>

> I populated the tables as you indicated and it seems Wise did grab the
> 'stuff' for the Binary table properly as I was able to patch a sample
> app without having to elevate on Vista with UAC enabled. Thank you so
> much for all the help.

Good to hear.

> If I can use my exported .cer file on any machine I think I may be all
> set.
>
> If you could just let me know if that would be OK, I would be most
> appreciative.

The public CER file is good anywhere and (theoretically) safe in anyone's hands -- but really its main purpose in this case is for verifying that your patches have been signed by your private key (pvk). You definitely want to set up a secure location for signing and keep the pvk in that place only.

Sincerely,
Adrian Accinelli