markoc
Posts: 5
Joined: Fri May 28, 2021 9:22 am

Problem with secure install properties

Tue Sep 07, 2021 7:39 am

Hi everyone,

We are having difficulties trying to introduce secure install properties into our installer and I was hoping to get some information here on how to integrate this feature.

First of all, we have a configuration file used alongside our .exe file that gives the user of our installer the ability to specify environment variables of our product to be installed. We persist all the variables from the configuration file to the registry, but we don't want everything to be stored in plain text. We need persistence of the variables because we need to implement the possibility of a reinstallation and upgrade of our product.

Also, one important thing to note is that our custom actions are mostly Launch File (which are used to run .bat files) or Run PowerShell Inline Script (that are often used to run either .bat or .ps1 files after some needed preprocessing on our part) types of custom actions.

After marking the desired variables as secure in the Properties component of our project and building it, we run a test installation (First-time install of the product) and it crashes.
The problem is, after the parameters have been read and secured, they get encrypted and stay that way throughout the installation. That causes problems for our custom actions that use those parameters and expect them to be the actual string values the user provided inside of the configuration file, not the encrypted ones.

So, how can we fix this issue? Is there some kind of a decryption algorithm that we could use inside of a Run PowerShell Inline Script custom action that would prepare the parameters for further use throughout the installation?

Best regards,
Marko

Liviu
Posts: 148
Joined: Tue Jul 13, 2021 11:29 am

Re: Problem with secure install properties

Wed Sep 08, 2021 10:33 am

Hi Marko,

I think the best way to achieve this is using a pair of 2 properties for a single value, one that will be written in the registry as secure and one that will be called in the custom actions as plain text.

So, to use the properties during installation, you can follow these steps:

1. In the “Properties” page, add 2 new properties like this:
  • PLAINTEXT_PROP1 which does not have “Secure property” checked.
  • SECURE_PROP1 with “Secure property” checked.
[Screenshot: secureProp.png]

2. In the “Registry” page use the SECURE_PROP1 property.

3. From the “Dialogs” page, also use the SECURE_PROP1 property like in the screenshot:
[Screenshot: secureProp1.png]

4. Now we need to save the input as plain text. Go to the “Custom Actions” page and add a “Set installer property” custom action with sequence.
Since the encrypt function is called under the “Install Execution Stage” → “Preparing” action group, you need to add this custom action before the “Preparing” stage and configure it like this:
[Screenshot: setProperty.png]
Now you can use the “PLAINTEXT_PROP1” property in your scripts. You need to do the above steps for all the properties you want to use.

Attached is a sample project. Have a look at it: I added a MessageBox at install time which displays the PLAINTEXT_PROP1, and if you check the registry, the value there is encrypted.


Hope this helps! If you have any other questions please don’t hesitate to contact us.

Best regards,
Liviu
Attachments: Your Application.aip (16.77 KiB)
________________________________________
Liviu Sandu - Advanced Installer Team

markoc
Posts: 5
Joined: Fri May 28, 2021 9:22 am

Re: Problem with secure install properties

Thu Sep 09, 2021 12:36 pm

Hi Liviu,

First of all, thank you for the quick answer and for the time taken to create a project to demonstrate your proposed solution.

Unfortunately, this solution does not fix our problem. Although it fixes the problem on a First install type of installation, it will not fix the problem on trying to repair an existing installation or trying to upgrade the current product to a newer version of it.
We can only use the persisted parameters when doing a repair/upgrade process as the copies of those parameters, as you suggested, will not get persisted anywhere and we will not be able to use them in our custom actions.

To us, it looks like the only option for our use-case would be to have a custom action to fetch secure parameters from registry on a repair/upgrade job and decrypt them and store them in copies of properties for further use throughout the process.
Is there a way to do something like that in a Run PowerShell Inline Script custom action? Possibly use a .dll or something similar to decrypt the secure parameters?

Best regards,
Marko

Liviu
Posts: 148
Joined: Tue Jul 13, 2021 11:29 am

Re: Problem with secure install properties

Thu Sep 09, 2021 3:01 pm

Hi Marko,
"Is there a way to do something like that in a Run PowerShell Inline Script custom action? Possibly use a .dll or something similar to decrypt the secure parameters?"

Yes, based on the solutions exposed on the "Applying patch is changing service start type" forum thread, I was able to adapt this to what you need.

First of all, there are two functions from the "Secureprop.dll" which we need to call in order to decrypt your property. One is the "GetRevealedTextLength" which will return the length of the plain text, to which we need to add 1 more unit, because the next function (which will reveal our text) is developed to also take into consideration the null character that is present at the end of the string. Without doing so, the revealed text will miss its last character (for instance, for a property having its value: "YourValue" --> the "RevealText" function will return "YourValu", without the "e").

Please read the discussion from the above forum thread and follow these steps:

1. From the "Files and Folders" page add "SecureProp.dll" as a temporary file by pressing the "Add temporary files" button from the toolbar. The SecureProp.dll can be found at the following location:

C:\Program Files (x86)\Caphyon\Advanced Installer 18.5\custact\x86

2. The properties are the same as in my previous reply, with only one mention. The property that you are trying to secure, in my case "SECURE_PROP1", must have the "Set persistent property" attribute set, so its value is kept during the Maintenance Mode.

3. Schedule the Custom Actions after the "Install Execution Stage" → "Searches" action group and configure them like in the attached .aip project. These custom actions are:
  • Call function from standard DLL: getLength, getRevealed.
  • PowerShellScriptInline: increaseLengthwith1.
The MessageBox custom actions are only for testing purposes.

4. Build and run the attached project 2 times. The second time start the repair mode and you will see your initial input decrypted.

For the first time install I think you can use the first solution.

Let me know if this helped!

Best regards,
Liviu
Attachments: Your Application.aip (23.41 KiB)
________________________________________
Liviu Sandu - Advanced Installer Team
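
The length-plus-one step described in the reply above, as an added example that is not part of the original post or of Advanced Installer's code. The thread does not show the signatures of the SecureProp.dll exports, so `demo_revealed_length` and `demo_reveal` are hypothetical stand-ins that only reproduce the described behaviour (length reported without the terminator, buffer size expected to include it), and the sample value is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the protected value; the real DLL decrypts it. */
static const char *k_plain = "YourValue";

/* Hypothetical stand-in: length of the plain text, terminator NOT counted. */
size_t demo_revealed_length(void) { return strlen(k_plain); }

/* Hypothetical stand-in: copies at most buf_chars-1 characters and always
   writes the terminating NUL, so buf_chars must count the NUL too. */
size_t demo_reveal(char *buf, size_t buf_chars) {
    if (buf == NULL || buf_chars == 0) return 0;
    size_t n = strlen(k_plain);
    if (n > buf_chars - 1) n = buf_chars - 1;
    memcpy(buf, k_plain, n);
    buf[n] = '\0';
    return n;
}

/* Two-call pattern: query length, add `extra` units, reveal. Caller frees. */
char *reveal_with_extra(size_t extra) {
    size_t chars = demo_revealed_length() + extra;
    char *buf = calloc(chars ? chars : 1, 1);
    if (buf == NULL) return NULL;
    demo_reveal(buf, chars);
    return buf;
}

/* Returns 1 when the revealed text round-trips completely. */
int is_complete(const char *revealed) {
    return revealed != NULL && strlen(revealed) == demo_revealed_length();
}

int main(void) {
    char *shortbuf = reveal_with_extra(0);  /* length passed unchanged */
    char *fullbuf = reveal_with_extra(1);   /* length + 1 for the NUL */
    if (!shortbuf || !fullbuf) return 1;
    printf("length only : \"%s\" complete=%d\n", shortbuf, is_complete(shortbuf));
    printf("length + 1  : \"%s\" complete=%d\n", fullbuf, is_complete(fullbuf));
    free(shortbuf);
    free(fullbuf);
    return 0;
}
```

A completeness check like `is_complete` is worth keeping in the custom action itself, since a silently truncated secret fails later and further away from the cause.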

markoc
Posts: 5
Joined: Fri May 28, 2021 9:22 am

Re: Problem with secure install properties

Tue Sep 21, 2021 7:16 am

Hi Liviu,

First of all, my apologies for the really late response and thank you again for your time.

We haven't had the time to actually test this solution, but once it is on our agenda again we will give it a go and I will update this thread to let you know if everything went according to plan.

Best regards,
Marko

Liviu
Posts: 148
Joined: Tue Jul 13, 2021 11:29 am

Re: Problem with secure install properties

Tue Sep 21, 2021 8:24 am

You are always welcome, Marko!

Best regards,
Liviu
________________________________________
Liviu Sandu - Advanced Installer Team
