How to create a pre-configured installer (MSI or EXE) with a valid signature?

We want our users to download pre-configured installers of our Windows software. The preconfigured data consists of settings based on user account information. Setup must be done on a Java server running on Linux. We need these installers to be digitally signed. Unfortunately, we cannot keep a secret signing key on these servers due to a security policy.

Can anyone suggest how to put some metadata into an MSI or EXE while keeping the digital signature valid, or other approaches to implementing this use case?

EDIT: The requirement is to download a single file, so unfortunately a parallel INI file does not cut it. This is mainly about provisioning many (user-specific) connection endpoints; we should not bother the user with them, as we already know them.

+6
4 answers

Meanwhile, I found a way to add data to a signed EXE without invalidating the signature. Yes, I also thought it was impossible. It is a terrible hack that works by modifying the certificate section, which is not part of the signature and is located at the end of the file. That way you can append to the end of the exe and just fix up the section size. I checked that this works: signatures are valid, programs launch, and antivirus does not complain either.

Description of the approach:

Working program to add the payload:

Obviously, being a hack, it can stop working at any time.

+2
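
As an added defensive example (not from the page or the answer above), the following Python check parses the PE security directory and reports any bytes in the WIN_CERTIFICATE entry that lie beyond the end of the PKCS#7 blob, which is exactly the slack the hack above relies on. The PE builder and the PKCS#7 stand-in are constructed test fixtures, not real signed files.

```python
import struct

def build_pe(cert_blob: bytes, extra: bytes = b"") -> bytes:
    """Constructed fixture: a minimal, non-runnable PE32+ image whose only real
    content is the security directory; 'extra' models bytes appended after the blob."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)   # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)     # SizeOfOptionalHeader=240
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                             # PE32+ magic
    body = cert_blob + extra
    win_cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body  # WIN_CERTIFICATE
    sec_off = pe_off + 4 + 20 + 240                                   # table follows the headers
    struct.pack_into("<II", opt, 112 + 4 * 8, sec_off, len(win_cert)) # data directory entry 4
    return dos + b"PE\0\0" + coff + bytes(opt) + win_cert

def der_length(blob: bytes) -> int:
    """Total encoded size (tag + length + content) of the outer DER SEQUENCE."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate table does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if not 1 <= n <= 4 or len(blob) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def check_authenticode_slack(pe: bytes) -> dict:
    """Report bytes in the certificate table that lie outside the PKCS#7 blob."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt_off = pe_off + 4 + 20
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dd_off = opt_off + (112 if magic == 0x20B else 96)                # PE32+ vs PE32
    sec_off, sec_size = struct.unpack_from("<II", pe, dd_off + 4 * 8) # entry 4: file offset, size
    if sec_size == 0:
        return {"signed": False, "slack": 0, "suspicious": False}
    dw_length = struct.unpack_from("<I", pe, sec_off)[0]              # WIN_CERTIFICATE.dwLength
    body = pe[sec_off + 8:sec_off + dw_length]
    padding = body[der_length(body):]
    # Legitimate tables are zero-padded to an 8-byte boundary, so more than
    # 7 trailing bytes, or any non-zero trailing byte, means appended data.
    return {"signed": True, "slack": len(padding),
            "suspicious": len(padding) > 7 or any(padding)}

# Constructed stand-in for a PKCS#7 SignedData blob: a DER SEQUENCE with a 256-byte body
FAKE_PKCS7 = b"\x30\x82\x01\x00" + b"\xAA" * 256
```

On a real binary, read the file bytes and pass them to check_authenticode_slack; a non-zero or over-long tail is worth a closer look even though Windows still reports the signature as valid.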

No, what you ask for is impossible. You cannot modify a file without revoking its signature. This is the whole point of signing. You also cannot sign a file without having a private key to complete the signing.

+2

I think Chris is right. However, in the interest of providing a useful starting point for further study, here are a few thoughts:

Although this may be a dubious design, you could create an email with the configuration information on the server and send it to the user, so that simply by clicking the link in the email they launch a signed installer from your website with the appropriate settings specified as properties. I have never tried this, but the MSI SDK discusses it: "An example of installing a Windows Installer based on a URL" and "Creating a fully verified signed installation".

I think you could also create an INI file sent by e-mail, which can be placed next to the signed MSI, and the MSI can be designed to read the INI file during installation and apply its settings. You would need to add a launch condition to require this INI.

If you wrap the configuration file and a signed MSI in an unsigned self-extracting package, I think you eliminate almost all the benefits of the signing process. I doubt this helps, but it should be possible to sign an external cab file consumed by an unsigned MSI. Again, I have not tried this, so I am only guessing. I am not sure what happens if the MSI is processed after the cab is signed. For security purposes, I think this approach is something of a nonsense; there are few advantages.

+2

It's best to rethink your approach. If there are only a few resulting configurations, create them in advance. Otherwise, you need to be able to sign on the fly or deliver the parameters in a way that does not require signing. Here's why:

  • Changing the file is a non-starter, as it invalidates the digital signature and you do not have the means to reapply it.
  • When you download an exe or msi from the Internet, you also cannot pass arbitrary command line parameters.
  • Even if you can use multiple files, applying an unsigned mst to the msi will invalidate the signature for UAC prompt purposes.

Here are some ideas to address these limitations:

  • Ask for the configuration inside your msi user interface sequence. Either ask for the parameters that your server would be filling in, or ask for the inputs that lead to them, and use custom actions to compute and/or retrieve them.
    • Taken to an extreme, this could be: fill out the options online; get a code; download the msi; install, entering the code (which retrieves the parameters). This can be a good user experience if they never need to be offline.
  • Find a way to pass parameters. For example, it looks like ClickOnce can take parameters as part of its URL. (See "How to get query string information in a ClickOnce online application".) Apparently, this should allow you to create one ClickOnce application with an embedded msi file that uses these parameters to configure the msi. However, I cannot say for sure, as I have not created such a ClickOnce application, and I do not know what footprint it may leave on the machine. It may also not work offline.

+2

Source: https://habr.com/ru/post/969695/
