juan.01
Posts: 18
Joined: Thu Nov 03, 2022 7:35 am

Temporary files created during install process signed with caphyon sign

Thu Nov 03, 2022 8:19 am

Hi,

We are using Advanced Installer to create our software installers and we have an issue with signed installers.

Some of our clients have something called whitelisting in the Windows SO and it seems that is blocking everything whitch is not signed with the whitlisted signs.

Since the installer is signed with our company sign it seems that installer is creating temporary files whitch are not signed or whitch are signed with caphyon sign whitch is also expired.

This is a log of the files whitch are modified, created or deleted during installer process.
Captura.PNG
Captura.PNG (131.71KiB)Viewed 13711 times
And here are the files without repeating them whith its sign issuer.

Code: Select all

C:\Windows\Installer\MSI5CBF.tmp ---> CN=Caphyon SRL, OU=SECURE APPLICATION DEVELOPMENT, O=Caphyon SRL, L=Bucuresti, S=Dolj, C=RO
C:\Windows\Installer\MSI4269.tmp ---> CN=Caphyon SRL, OU=SECURE APPLICATION DEVELOPMENT, O=Caphyon SRL, L=Bucuresti, S=Dolj, C=RO
C:\Windows\Installer\MSI5F9F.tmp ---> CN=Caphyon SRL, OU=SECURE APPLICATION DEVELOPMENT, O=Caphyon SRL, L=Bucuresti, S=Dolj, C=RO
C:\Windows\Installer\MSI6771.tmp ---> CN=Caphyon SRL, OU=SECURE APPLICATION DEVELOPMENT, O=Caphyon SRL, L=Bucuresti, S=Dolj, C=RO
C:\Windows\Installer\MSI5C32.tmp ---> CN=Caphyon SRL, OU=SECURE APPLICATION DEVELOPMENT, O=Caphyon SRL, L=Bucuresti, S=Dolj, C=RO
C:\Windows\Installer\MSI42A9.tmp ---> 
C:\Windows\Installer\MSI5B55.tmp ---> 
C:\Windows\Installer\MSI5B15.tmp ---> 
C:\Windows\Installer\MSI5AC6.tmp ---> CN=Caphyon SRL, OU=SECURE APPLICATION DEVELOPMENT, O=Caphyon SRL, L=Bucuresti, S=Dolj, C=RO
C:\Windows\Installer\MSI4299.tmp ---> 
C:\Windows\Installer\inprogressinstallinfo.ipi ---> 
C:\Windows\Installer\MSI5BB4.tmp ---> CN=Caphyon SRL, OU=SECURE APPLICATION DEVELOPMENT, O=Caphyon SRL, L=Bucuresti, S=Dolj, C=RO
C:\Windows\Installer\MSI5FDE.tmp ---> 
As you can see the sign is expired in 2020.
Captura_.PNG
Captura_.PNG (16.11KiB)Viewed 13711 times
Why Advanced installer is working in this way and why is not using the files signed with the installer sign?

This is one example of our clients log during install process whitch shows the installer error

Code: Select all

Code Integrity determined that a process (\Device\HarddiskVolume5\DSCCache\Company\Installer.exe) attempted to load (\Device\HarddiskVolume5\AppData\Roaming\Company\Product\install\decoder.dll that did not meet the Enterprise signing level requirements or violated code integrity policy.

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Temporary files created during install process signed with caphyon sign

Fri Nov 04, 2022 11:23 am

Hello Juan and welcome to our forums,

First of all, could you please let me know what version of Advanced Installer you are using?

We have recently added an improvement that would let you sign the binaries with your own certificate, e.g.:

Your app installation is 100% SAC compatible with Advanced Installer

That being said, I'm assuming you are encountering this because you are using an older version, perhaps.

Looking forward to hearing from you!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

juan.01
Posts: 18
Joined: Thu Nov 03, 2022 7:35 am

Re: Temporary files created during install process signed with caphyon sign

Tue Nov 08, 2022 12:20 pm

Catalin wrote: First of all, could you please let me know what version of Advanced Installer you are using?
We are using version 16.7
Catalin wrote: We have recently added an improvement that would let you sign the binaries with your own certificate, e.g.:

Your app installation is 100% SAC compatible with Advanced Installer
Reding this post, specially this part of the text.
Starting with the 19.7 version of Advanced Installer, we've decided to sign with our own certificate all the binary DLLs that we include in the customer setup package. This way, we ensure that all the binary files that we include in the Advanced Installer package kit are SAC compatible.
I supose that maybe the problem will be solved with this feature.

Taking advantage of the fact that I have opened the thread, could you tell me if there is anything we have to take into account when updating the projects to version 20.0?

Thanks so much for your reply. With regards,

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Temporary files created during install process signed with caphyon sign

Tue Nov 08, 2022 3:20 pm

Hello Juan,
I supose that maybe the problem will be solved with this feature.
You are indeed right.
Taking advantage of the fact that I have opened the thread, could you tell me if there is anything we have to take into account when updating the projects to version 20.0?
Not quite. When you build your project with a newer version, Advanced Installer automatically creates a backup project. Just make sure you keep that somewhere, just in case we will ever need it, because once upgraded, you will no longer be able to edit the 20.0 AIP file (if it was saved with the 20.0 version) using the 16.7 version.

If you have any other questions, please let me know and I will gladly assist.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

juan.01
Posts: 18
Joined: Thu Nov 03, 2022 7:35 am

Re: Temporary files created during install process signed with caphyon sign

Thu Nov 10, 2022 5:05 pm

Hi Catalin, Thanks for your reply.

With regards,

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Temporary files created during install process signed with caphyon sign

Fri Nov 11, 2022 1:09 pm

You are always welcome, Juan!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

juan.01
Posts: 18
Joined: Thu Nov 03, 2022 7:35 am

Re: Temporary files created during install process signed with caphyon sign

Fri Dec 02, 2022 8:37 am

Catalin wrote:
Tue Nov 08, 2022 3:20 pm
You are indeed right.
Hi Catalin,

We have been trying with installers created with Advanced Installer 20 and it seems that there are some temporaly files created during installation whitch are not signed with Caphyon sign.

We can see this message in Windows Event Viewer

Code: Select all

Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\SysWOW64\msiexec.exe) attempted to load \Device\HarddiskVolume5\Windows\Installer\MSI2E9D.tmp that did not meet the Enterprise signing level requirements.
The operating system of the customer is Windows 10 and have some feature called Code Integrity, I'm not sure if this is a Windows feature or it's third party feature. I have asked the client and I think they don't have so many information on how works in detail this Code Integrity feature.

Can you please take a look at that and see if we can have any fix for this problem?

With regards,

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Temporary files created during install process signed with caphyon sign

Tue Dec 06, 2022 5:27 pm

Hello Juan,

The temporary file we extract and use are usually extracted in the %temp% or %appdata% folder, as you mentioned before:

Code: Select all

Code Integrity determined that a process (\Device\HarddiskVolume5\DSCCache\Company\Installer.exe) attempted to load (\Device\HarddiskVolume5\AppData\Roaming\Company\Product\install\decoder.dll that did not meet the Enterprise signing level requirements or violated code integrity policy.
In your specific scenario, the file is one from the Windows\Installer folder.

This is a hidden folder on the system that Windows Installer is using to cache information about the MSI packages.

You can read more about it in the following article:

Do not delete your Windows Installer folder

If possible, is there any way in which you can get more details about which file exactly is blocked?

I will discuss with our dev team and see if there's any file we let unsigned by design and will followup after I get more information regarding this.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Temporary files created during install process signed with caphyon sign

Tue Dec 06, 2022 5:59 pm

Hello Juan,

As a followup to my last reply, please forward me a download link for your MSI/Setup by email at support at advancedinstaller dot com so we can have a look over it and see if we manage to find something.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

juan.01
Posts: 18
Joined: Thu Nov 03, 2022 7:35 am

Re: Temporary files created during install process signed with caphyon sign

Mon Dec 12, 2022 11:07 am

Hi!,

I have send you the installer executable. to the provided email address. Please let me know if you have received it correcly.

With regards,

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Temporary files created during install process signed with caphyon sign

Mon Dec 12, 2022 4:16 pm

Hello Juan,

It seems that I have not received any email.

If you attached the MSI to the email thread, then perhaps the mail was blocked.

If you can, please try to upload the MSI somewhere (e.g. Google Drive, DropBox, any service really) and forward me the download link.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

juan.01
Posts: 18
Joined: Thu Nov 03, 2022 7:35 am

Re: Temporary files created during install process signed with caphyon sign

Mon Dec 12, 2022 5:03 pm

I have send you an invitation to a OneDrive Shared folder whitch contains some installers created with Advanced Installer 20.

In those installers you can see that there are some temporarly files whitch are created by the installer and are not signed with advanced installer signature.

With regards,

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Temporary files created during install process signed with caphyon sign

Tue Dec 13, 2022 1:00 pm

Hello Juan,

The folder contains 7 installers/EXEs.

In the email you mention:
Here you can see one of the installer whitch have problems in our client with whitelisting.
Which one of those 7 is the one I should check?

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

juan.01
Posts: 18
Joined: Thu Nov 03, 2022 7:35 am

Re: Temporary files created during install process signed with caphyon sign

Tue Dec 13, 2022 1:04 pm

Catalin wrote:
Tue Dec 13, 2022 1:00 pm
Which one of those 7 is the one I should check?
I think that all of them are failing but you can try with FileManager installer or LogService installer.

With regards,

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Temporary files created during install process signed with caphyon sign

Wed Dec 14, 2022 12:09 pm

Hello Juan,

After hours of investigation regarding this Code Integrity feature, I finally managed to reproduce the issue on a VM.

Basically, the issue is that the Caphyon certificate, the one we are using to sign the temporary files is not added to the trusted list.

You've previously mentioned that your users don't know much about this user and this is normal, as this is something controlled by the SysAdmin.

To overcome this behavior, the SysAdmin should be contacted and he should add our certificate in the trusted list.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Return to “Common Problems”