3

I use WIX toolset to generate MSI files and then put them in a single bundle. Then, I sign(wix manual) the engine from the bundle and the bundle itself:

insignia -ib bundle.exe -o engine.exe
signtool sign /v /f test_cert.pfx /p pass1234 /t http://timestamp.globalsign.com/scripts/timstamp.dll engine.exe
insignia -ab engine.exe bundle.exe -o bundle.exe
signtool sign /v /f test_cert.pfx /p pass1234 /t http://timestamp.globalsign.com/scripts/timstamp.dll bundle.exe

I saw some posts describing the process and they included signing all MSI and cabs files as well. I wonder whether it is enough to sign the engine and the bundle and not MSI files. What are the consequences? What is the recommended way?

Chris
  • 839
  • 1
  • 12
  • 30

1 Answers1

4

Yes, it is enough to sign only the Bundle. The Bundle contains hashes of the chained packages to ensure nothing tampers with the packages during transit or installation. The Bundle acts sort of like catalog files for its contained files.

Our recommendation is (generally) to not bother signing anything except the Bundle--unless you must ship the MSIs directly to customers for some other reason (such as GPO based deployments).

Rob Mensching
  • 33,834
  • 5
  • 90
  • 130
  • I have always disliked the fact that an [administrative installation](https://stackoverflow.com/a/5751980/129130) removes the digital certificate for the MSI file. MSI 5 even started caching whole MSI files - with internal cabs - to avoid breaking signatures ([UAC issues](https://www.symantec.com/connect/forums/caching-msi-windowsinstaller-folder)). Another issue, but I assume this is one of the reasons why you recommend to sign the bundle itself and not embedded MSI files? (not that important, just came to mind). I suppose large companies should self-sign their extracted MSI files. Not tried. – Stein Åsmul Mar 26 '19 at 15:49