[MS] Always verify hash of payloads to verify they are the right payload #4243

Closed
wixbot opened this issue Dec 18, 2013 · 4 comments
wixbot commented Dec 18, 2013

We have resolved a number of bugs we would like to contribute back to open source in batches.

  1. Always verify the payload hash against the manifest. (20877) If a user downloads an updated bundle (say, a pre-release and a release) to the same directory where payloads might've existed, merely checking the validity of the Authenticode signature is not sufficient and will end up failing the operation or succeeding with the wrong package(s). This can also affect the self-updating feature if you download to the same directory to use most of the payloads that were unchanged.
  2. Reset the file stream pointer before every hash check. (20895) An unintended side effect of always checking the hash (a bug in No Download #1 above).
  3. If two MSIs share the same CAB, or you rerun layout in the same directory that a partial layout occurred, the layout will fail. (20792)

Originally opened by heaths
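
An added example, not code from WiX or from this thread: a Python sketch of items 1 and 2 above, in which a payload is accepted only if its hash matches the manifest entry and the stream is rewound before hashing. SHA-256, the `signature_check` stand-in, the function names, and the sample payloads are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import io

CHUNK = 64 * 1024

def stream_digest(stream, rewind=True):
    """SHA-256 of a stream. rewind=False reproduces the bug from item 2."""
    if rewind:
        stream.seek(0)  # an earlier reader may have left the pointer at EOF
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()

def signature_check(stream):
    """Hypothetical stand-in for a signature check: it reads the whole file
    and leaves the stream pointer at EOF, as any full-file reader would."""
    stream.seek(0)
    while stream.read(CHUNK):
        pass
    return True  # both builds are assumed to carry a valid signature

def verify_payload(stream, expected_hex, rewind=True):
    """Accept only if the signature check passes AND the hash matches the manifest."""
    if not signature_check(stream):
        return False
    return hmac.compare_digest(stream_digest(stream, rewind), expected_hex)

# Constructed sample data: two builds of the same payload file name.
PRERELEASE = b"payload.msi contents, pre-release build"
RELEASE = b"payload.msi contents, release build"
MANIFEST = {"payload.msi": hashlib.sha256(RELEASE).hexdigest()}

def demo():
    expected = MANIFEST["payload.msi"]
    return {
        # Correct file on disk: accepted.
        "release_ok": verify_payload(io.BytesIO(RELEASE), expected),
        # Stale file left by an older bundle: validly signed, wrong hash.
        "stale_rejected": not verify_payload(io.BytesIO(PRERELEASE), expected),
        # Correct file, but hashing from EOF digests zero bytes and fails.
        "no_rewind_fails": not verify_payload(io.BytesIO(RELEASE), expected, rewind=False),
    }

if __name__ == "__main__":
    print(demo())
```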

wixbot commented Jan 30, 2014

If we drop checking for Authenticode, we don't need these changes.

Originally posted by barnson

wixbot commented Feb 27, 2014

AssignedTo changed from heaths to robmen

wixbot commented May 27, 2014

Fixed by pull request https://github.com/wixtoolset/wix3/pull/46

Originally posted by robmen

wixbot commented Jun 5, 2014

Should be fixed in next build.

Originally posted by robmen
Resolution set to fixed
Status changed from Open to Resolved

@wixbot wixbot added this to the v3.9 milestone Dec 20, 2015
@wixbot wixbot closed this as completed Dec 20, 2015