
We want our users to download preconfigured installers of our software for Windows. Pre-configured data consists of settings based on user account data. The customization is to be done in a Java server running on Linux. We need to have those installers digitally signed. Unfortunately we cannot have private signing key on those servers, due to security policy.

Can you think of ways to put some metadata into either MSI or EXE while preserving digital signature or other approaches to fulfill the use case?

EDIT: The requirement is to have a single file download, so unfortunately parallel ini file doesn't fulfill it. It is mostly about providing a set of connection points (specific to a user) - we are not to bother a user as we already know them.

okrasz
  • What data would this entail? I am asking due to the discussion found below. Is it just licensing? – Stein Åsmul May 22 '14 at 16:26
  • Mainly where the installed component should connect to (each user has different endpoint including on premises). – okrasz May 23 '14 at 09:43
  • I have a similar requirement and would like to know if you ever got around this? – Anantha Subramaniam Sep 30 '15 at 06:48
  • Went with inserting metadata (http://stackoverflow.com/a/24010770/580178). Works for well over a year now without a glitch. The inserted data is a protobuf and signed. The EXE first checks the signature of the metadata using the public key embedded in the EXE. If valid, it serializes the protobuf. Any modification will break either the signature of the metadata or the EXE (e.g. if someone wanted to change the public key). – okrasz Sep 30 '15 at 11:04
  • @AnanthaSubramaniam If it works for you, please upvote that response, so it doesn't scare people with a negative value. – okrasz Sep 30 '15 at 16:15
  • The thing is I have already been using that approach for EXEs, only that I needed the same for MSI. So as of now I am not following that approach. – Anantha Subramaniam Oct 01 '15 at 04:50
  • On MSI there is a transformation (MST) that you can embed into MSI. But I think you need to run the MSI with some params then, so plain run would not take them: https://msdn.microsoft.com/en-us/library/aa368347%28v=vs.85%29.aspx – okrasz Oct 01 '15 at 09:55
  • Can this be done on the fly efficiently as the user downloads an exe? – tofutim Nov 11 '16 at 16:33

4 Answers


No, what you ask for is impossible. You can't modify a file without invalidating its signature. That's the whole point of signing. You also can't sign a file without having the private key to perform the signing.

Christopher Painter
  • I guess it depends on whether the signed MSI can be wrapped in a self-extractor format along with an ini file or something, or if the point is to point straight to a signed MSI or setup.exe. Strangely I have never worked properly with direct signed downloads - I tried it once and thought it too slow to respond. I like the approach of generating an installation email though which provides an HTML formatted email link starting msiexec.exe with properties set. – Stein Åsmul May 22 '14 at 15:24
  • This is what we do now - we have signed MSI which is wrapped into extractor with the metadata. The problem now is that the extractor is not signed. – okrasz May 23 '14 at 09:44

I believe Chris is right. However, in the interest of providing a useful starting point for further investigation, here are some thoughts:

Though it is perhaps a questionable design, you could generate an email with the config information on the server and send it to the user so they can automatically kick off the signed installer from your web site with the appropriate settings set in properties by simply clicking a link in an email. I have never tried this, but the MSI SDK does discuss it: A URL-Based Windows Installer Installation Example and Authoring a Fully Verified Signed Installation.

I guess you can also generate an INI file sent by email that can be put next to the signed MSI and the MSI can be designed to read the INI file during installation and apply the settings. You would add a launch condition to require this INI.

If you wrap a config file with a signed MSI in an unsigned self-extractor, I think you eliminate almost all benefits from the signing process. I doubt it helps, but it should be possible to sign an external cab file consumed by an unsigned MSI. Again, I have not tried this, so I am just guessing. I am not sure what happens if that MSI is post-processed after signing of the cab either. Security-wise I think this approach is sort of nonsense too - few benefits remain.

Stein Åsmul
  • Sure, you could create a transform and encapsulate it with a bootstrapper but that wasn't really the question. Good luck on building that in Java on Linux. :) – Christopher Painter May 22 '14 at 15:27
  • I think the server must be Java / Apache, he was asking about MSI or EXE. Generating an HTML email with that server should be easy. If all the settings are in the email - if they can be sent unencrypted by email - then there is no need for a wrapper or a bootstrapper I guess. Not sure how this works with the UAC. – Stein Åsmul May 22 '14 at 15:28
  • It's probably just the usual installer overload, trying to do a bunch of configuration during the install instead of when the app first runs. A separate configuration app that deals with all this would solve the problem, AND allow the user to change settings later without uninstalling and reinstalling the product. – PhilDW May 22 '14 at 16:20
  • Good point, didn't think of that as the first option in this case since a single link might do the trick. But I will ask in a comment for the user to clarify. – Stein Åsmul May 22 '14 at 16:27
  • We need some bootstrap information. The installer brings a service, therefore there is nothing after installation that could ask the user. The requirement from product management is that there is a single file download and not to ask the user anything, as we know the settings, so why should we bother the user. – okrasz May 23 '14 at 09:49
  • The URL-based installer looks interesting - ISETUPPROPNAME_PROPERTIES would do the trick with metadata. The problem is with the sign step though, as we would need to have private key on internet-accessible server, which is not allowed by security policy. – okrasz May 23 '14 at 10:15

Your best bet is to rearchitect your approach. If there are only a few resulting configurations, build them all up ahead of time. Otherwise you need to be able to sign on the fly, or to distribute the options in a way that isn't signed. Here's why:

  • Changing the file is a non-starter, as it invalidates the digital signature and you have no means to re-apply it
  • When you download an exe or msi from the internet, you can't also pass arbitrary command-line parameters
  • Even if you could use multiple files, applying an unsigned mst to an msi will invalidate the signature for purposes of UAC prompts

Here are some ideas to work around those limitations:

  • Ask for the configuration inside your msi's UI sequence. Either ask for the parameters that your server currently attempts to embed, or ask for the options that led to those and use a custom action to calculate and/or retrieve them.
    • Taken to an extreme, this could be: fill out options online; get a code; download the msi; install, entering the code (it retrieves the options). This might be an okay user experience, so long as they don't need to be offline.
  • Find a way to pass parameters. For example it looks like ClickOnce can accept parameters as part of its URL. (See How to: Retrieve Query String Information in an Online ClickOnce Application.) On the surface, it seems like this should allow creating a single ClickOnce application with embedded msi file that uses these parameters to configure the msi. However I cannot say for certain as I have not built such a ClickOnce application, and I'm unclear what footprint it may place on the machine. This may also fail in an offline scenario.
Michael Urman
  • The ClickOnce idea is something really closest to what I'm looking for. Unfortunately it only works this way if you run it from internet, cannot download and run elsewhere. And not sure if it could have rights elevated to the level of running install - it runs in restricted sandbox; plus it not only runs, but installs itself in system, updates, etc. But very promising overall. – okrasz Jun 03 '14 at 08:35
  • We used to do this with ClickOnce but ClickOnce after all these years is still super buggy and gets into a bad state. – tofutim Nov 11 '16 at 15:54

Meanwhile I found a way to add data to a signed EXE without invalidating the signature. Yes, I also thought it was impossible. It is a terrible hack, which works by modifying the certificate section, which is not part of the signature and is at the end of the file. So you can append to the end of the EXE and just do some fixing of the section size. I checked that it works: signatures are valid, the program runs, and AntiVirus doesn't complain either.

Description of the approach:

Working program to add payload:

Obviously, being a hack, it may stop working at any time.

okrasz
  • I would never seriously consider this approach. What on earth will you do if it stops working suddenly? – Stein Åsmul Jun 12 '14 at 01:15
  • This seems quite clever. – tofutim Nov 11 '16 at 16:27
  • While this might work, it looks kludgy and is breaking the entire point of code-signing (to guarantee that the file has not been changed or corrupted, and to confirm it comes from a specific vendor). I agree with other commenters that you should change your approach or use an outside file with your custom data. – Superbob Jan 03 '17 at 15:29
  • @okrasz Found this again today. I am curious how this turned out for you? – Stein Åsmul Mar 11 '18 at 19:42
  • This approach is definitely not recommended. We need to summon Raymond Chen! I will draw 777 on the ground. Maybe he shows up :-) (or a Boeing will come crashing down). – Stein Åsmul Jan 23 '19 at 17:50
  • It makes sense though, right? I mean, why can't you add data to the signature? – tofutim May 14 '20 at 22:07
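A defender-side check for the trick described in this answer, added here as an example and not code from the answer or from its linked program: it walks the PE headers to the security data directory and reports how many bytes the certificate table carries beyond the DER-encoded PKCS#7 signature blob, which is exactly the space the hack uses (the Authenticode hash excludes that table, so the signature stays valid). The PE skeleton it builds is constructed for the demonstration only and is not a loadable executable.

```python
import struct

def der_length(buf: bytes) -> int:
    """Total size (header + content) of the DER element starting at buf[0]."""
    if not buf or buf[0] != 0x30:
        raise ValueError("certificate table does not start with a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long-form: n length bytes follow
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def authenticode_slack(pe: bytes) -> int:
    """Bytes in the certificate table beyond the PKCS#7 SignedData blob.
    Up to 7 bytes of 8-byte alignment padding are normal; more is suspect."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + 20                         # optional header follows COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)    # PE32 vs PE32+ data directories
    sec_off, sec_size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4: SECURITY
    if sec_size == 0:
        return 0                                    # unsigned file, nothing to check
    blob = pe[sec_off + 8:sec_off + sec_size]       # skip the WIN_CERTIFICATE header
    return len(blob) - der_length(blob)

def has_appended_data(pe: bytes) -> bool:
    return authenticode_slack(pe) >= 8

def build_pe(cert_blob: bytes, extra: bytes = b"") -> bytes:
    """Constructed minimal PE32+ skeleton with a certificate table; not loadable."""
    opt_size = 112 + 16 * 8
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    table = cert_blob + extra
    table += b"\0" * (-len(table) % 8)              # 8-byte alignment padding
    win_cert = struct.pack("<IHH", 8 + len(table), 0x0200, 0x0002) + table
    sec_off = e_lfanew + 4 + 20 + opt_size
    entries = [(0, 0)] * 16
    entries[4] = (sec_off, len(win_cert))
    opt = struct.pack("<H", 0x20B) + b"\0" * 110
    opt += b"".join(struct.pack("<II", *e) for e in entries)
    return dos + b"PE\0\0" + coff + opt + win_cert

FAKE_SIGNATURE = b"\x30\x82\x01\x00" + b"A" * 256   # constructed stand-in for a PKCS#7 blob
PAYLOAD = b'{"endpoint":"https://example.invalid"}'   # constructed appended metadata
```

Run `has_appended_data(open(path, "rb").read())` over a real signed binary to flag files whose certificate table holds more than alignment padding; a multi-entry WIN_CERTIFICATE table will also trip the check and should be inspected by hand.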