Discussion:
[WiX-users] cannot sign large .msi file
Shawn Edwards
2007-11-07 23:39:33 UTC
I know this is not a general windows installer or code signing list, but
this troublesome .msi file is generated using Wix3 and I can't imagine
something like this lingering in signtool.exe and I'm just the first person
to stumble upon it.

I have a .wxs file which via candle and light generates a .msi file which is
293,915,648 bytes. When I try to sign it using signtool.exe, I get this:

The following certificate was selected:
Issued to: MyCompany Inc.
Issued by: VeriSign Class 3 Code Signing 2004 CA
Expires: 5/28/2008 5:59:59 PM
SHA1 hash: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Done Adding Additional Store

Attempting to sign: MyInstaller.msi
SignTool Error: ISignedCode::Sign returned error: 0x80092002
An error occurred during encode or decode operation.
SignTool Error: An error occurred while attempting to sign: MyInstaller.msi

Number of files successfully Signed: 0
Number of warnings: 0
Number of errors: 1

The error code description translates to 'something bad happened'.

When I remove enough files to get it down to 287,634,860 bytes, I can sign
it. There's likely some size in the middle that's magic I would guess.

The two above tests were done with the CompressionLevel="high" in the .wxs
file. I have tried with CompressionLevel="none", and it gives an installer
in the 420MB range and it won't sign, either. I'm still messing with this
to see if there is a magic number for the final file size.

I know I could generate an external .cab file, but then the user will have
to download both files or have some kind of self-extracting archive or...
and none of those are considered acceptable by my customer. They want one
file, and no extra disk space required during install.

I'm using Wix 3.0.3419.0 and the signtool.exe from the latest Platform SDK.

I've searched around and I have yet to find anywhere that says I can't have
an .msi file this size. Not knowing the actual changes made to the file as
part of the signing process, I don't know if there is an issue with the .msi
file or if this is an issue with signtool. My bet is this is an issue with
Wix3's generated .msi file, but again, I don't know where to start.

Any and all help is appreciated.
--
Shawn Edwards
Beware programmers with screwdrivers. Or, for that matter, any other mixed
drink.
Richard
2007-11-07 23:57:00 UTC
Post by Shawn Edwards
I have a .wxs file which via candle and light generates a .msi file which is
Issued to: MyCompany Inc.
Issued by: VeriSign Class 3 Code Signing 2004 CA
Expires: 5/28/2008 5:59:59 PM
SHA1 hash: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
You'll have to split some of the file payload out into an external
CAB file and sign the CAB file separately. It's a known issue with the
signing tool.
--
"The Direct3D Graphics Pipeline" -- DirectX 9 draft available for download
<http://www.xmission.com/~legalize/book/download/index.html>

Legalize Adulthood! <http://blogs.xmission.com/legalize/>
Shawn Edwards
2007-11-08 04:55:08 UTC
Thank you for your quick response! This is good and bad news; good to know
that I'm not doing something wrong, but...

I believe you that it's a known problem, but my customer doesn't. They
want an explanation/bug report/knowledge base article/note from Bill Gates's
mom/etc. Do you know of somewhere this has been discussed in the past?

Thanks again for your help.
Kelly Leahy
2007-11-08 05:39:23 UTC
How about the last lines in this article:

http://msdn2.microsoft.com/en-us/library/aa387764.aspx

See where it says:



Note When signing an executable file that is larger than approximately
300 megabytes, you should use catalog signing with the MakeCat tool rather
than use the SignTool tool. This is because, depending on available system
resources, some applications may not be able to verify the binary
signature of a large file. For more information, see KB article 922225.
_______________________________________________
WiX-users mailing list
WiX-***@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wix-users
Bob Arnson
2007-11-08 06:14:16 UTC
*Note* When signing an executable file that is larger than
approximately 300 megabytes, you should use catalog signing with the
_MakeCat_ <http://msdn2.microsoft.com/en-us/library/aa386967.aspx>
tool rather than use the SignTool tool. This is because, depending on
available system resources, some applications may not be able to
verify the binary signature of a large file. For more information, see
KB article _922225_ <http://go.microsoft.com/fwlink/?linkid=84540>.
It also sounds like the bug that's most visible in VS2005 SP1. See
http://blogs.msdn.com/heaths/archive/2007/01/11/workaround-for-error-1718.aspx,
for example.
--
sig://boB
http://joyofsetup.com/
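Added example, not part of the original thread and not WiX or SignTool code: a Python build-step helper that recognizes the failure shown in the first post and plans the catalog signing that the quoted MSDN note recommends. The size gate, the function names and the sample output are assumptions constructed for illustration.

```python
import re

# Assumption: gate at the largest size the thread reports signing successfully.
EMBED_LIMIT = 287_634_860
CRYPT_E_BAD_ENCODE = 0x80092002  # HRESULT shown in the thread's SignTool output

# Constructed sample, shaped like the SignTool output in the first post.
SAMPLE_OUTPUT = """\
Attempting to sign: MyInstaller.msi
SignTool Error: ISignedCode::Sign returned error: 0x80092002
SignTool Error: An error occurred while attempting to sign: MyInstaller.msi
Number of files successfully Signed: 0
Number of warnings: 0
Number of errors: 1
"""

def parse_signtool(output):
    """Extract HRESULTs and the summary counters from SignTool console output."""
    codes = [int(h, 16) for h in
             re.findall(r"returned error: (0x[0-9A-Fa-f]{8})", output)]
    counts = {k.lower(): int(v) for k, v in re.findall(
        r"Number of (?:files successfully )?(Signed|warnings|errors): (\d+)", output)}
    return {"codes": codes, **counts}

def diagnose(output, size_bytes):
    """Classify a signing run: ok, size-related failure, or other failure."""
    r = parse_signtool(output)
    if r.get("errors", 0) == 0 and r.get("signed", 0) > 0:
        return "ok"
    if CRYPT_E_BAD_ENCODE in r["codes"] and size_bytes > EMBED_LIMIT:
        return "too-large-for-embedded-signature"
    return "other-failure"

def make_cdf(cat_name, files):
    """Build a MakeCat catalog definition (.cdf) listing the files to hash."""
    lines = ["[CatalogHeader]", f"Name={cat_name}", "PublicVersion=0x0000001",
             "EncodingType=0x00010001", "", "[CatalogFiles]"]
    lines += [f"<hash>File{i}={path}" for i, path in enumerate(files, 1)]
    return "\n".join(lines) + "\n"

def plan(path, size_bytes):
    """Return (cdf_text_or_None, commands) for a file of the given size."""
    if size_bytes <= EMBED_LIMIT:
        return None, [f'signtool sign /a "{path}"']
    stem = path.rsplit(".", 1)[0]
    return (make_cdf(stem + ".cat", [path]),
            [f'makecat -v "{stem}.cdf"', f'signtool sign /a "{stem}.cat"'])
```

Catalog signing puts the signature in a separate .cat file, so it does not produce the single self-contained signed .msi asked for in the first post.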
Shawn Edwards
2007-11-08 13:53:09 UTC
Perfect. Thanks!
Kelly Leahy
2007-11-08 05:39:23 UTC
Well, I couldn't find a bug report either, but here's somebody talking
about a fix they used (they used the tool from Mono with minor
modifications)

http://tondrej.blogspot.com/

Kelly