markoc

Problem with secure install properties

Tue Sep 07, 2021 7:39 am

Hi everyone,

We are having difficulties trying to introduce secure install properties into our installer and I was hoping to get some information here on how to integrate this feature.

First of all, we have a configuration file used alongside our .exe file that gives the user of our installer the ability to specify environment variables of our product to be installed. We persist all the variables from the configuration file to the registry but we don't want everything to be stored in plain text. We need persistence of the variables because we need to implement the possibility of a reinstallation and upgrade of our product.

Also, one important thing to note is that our custom actions are mostly Launch File (which are used to run .bat files) or Run PowerShell Inline Script (that are often used to run either .bat or .ps1 files after some needed preprocessing on our part) types of custom actions.

After marking the desired variables as secure in the Properties component of our project and building it, we run a test installation (First-time install of the product) and it crashes.
The problem is, after the parameters have been read and secured, they get encrypted and stay that way throughout the installation. That causes problems to our custom actions that use those parameters and expect them to be the actual string values the user provided inside of the configuration file, not the encrypted ones.

So, how can we fix this issue? Is there some kind of a decryption algorithm that we could use inside of a Run PowerShell Inline Script custom action that would prepare the parameters for further use throughout the installation?

Best regards,
Marko

Liviu

Re: Problem with secure install properties

Wed Sep 08, 2021 10:33 am

Hi Marko,

I think the best way to achieve this is using a pair of 2 properties for a single value, one that will be written in the registry as secure and one that will be called in the custom actions as plain text.

So, to use the properties during installation, you can follow these steps:

1. In the “Properties” page, add 2 new properties like this:
  • PLAINTEXT_PROP1 which does not have “Secure property” checked.
  • SECURE_PROP1 with “Secure property” checked.
[Screenshot: secureProp.png]

2. In the “Registry” page use the SECURE_PROP1 property.

3. From the “Dialogs” page, also use the SECURE_PROP1 property like in the screenshot:
[Screenshot: secureProp1.png]

4. Now we need to save the input as plain text. Go to the “Custom Actions” page and add a “Set installer property” custom action with sequence.
Since the encrypt function is called under the “Install Execution Stage” → “Preparing” action group, you need to add this custom action before the “Preparing” stage and configure it like this:
[Screenshot: setProperty.png]
Now you can use the “PLAINTEXT_PROP1” property in your scripts. You need to do the above steps for all the properties you want to use.

Attached is a sample project. Have a look at it: I added a MessageBox at install time which displays PLAINTEXT_PROP1, and if you check the registry the value there is encrypted.


Hope this helps! If you have any other questions please don’t hesitate to contact us.

Best regards,
Liviu
Attachment: Your Application.aip (16.77KiB)
________________________________________
Liviu Sandu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

markoc

Re: Problem with secure install properties

Thu Sep 09, 2021 12:36 pm

Hi Liviu,

First of all, thank you for the quick answer and for the time taken to create a project to demonstrate your proposed solution.

Unfortunately, this solution does not fix our problem. Although it fixes the problem on a First install type of installation, it will not fix the problem on trying to repair an existing installation or trying to upgrade the current product to a newer version of it.
We can only use the persisted parameters when doing a repair/upgrade process as the copies of those parameters, as you suggested, will not get persisted anywhere and we will not be able to use them in our custom actions.

To us, it looks like the only option for our use-case would be to have a custom action to fetch secure parameters from registry on a repair/upgrade job and decrypt them and store them in copies of properties for further use throughout the process.
Is there a way to do something like that in a Run PowerShell Inline Script custom action? Possibly use a .dll or something similar to decrypt the secure parameters?

Best regards,
Marko

Liviu

Re: Problem with secure install properties

Thu Sep 09, 2021 3:01 pm

Hi Marko,
"Is there a way to do something like that in a Run PowerShell Inline Script custom action? Possibly use a .dll or something similar to decrypt the secure parameters?"

Yes, based on the solutions exposed on the "Applying patch is changing service start type" forum thread, I was able to adapt this to what you need.

First of all, there are two functions from the "Secureprop.dll" which we need to call in order to decrypt your property. One is the "GetRevealedTextLength" which will return the length of the plain text, to which we need to add 1 more unit, because the next function (which will reveal our text) is developed to also take into consideration the null character that is present at the end of the string. Without doing so, the revealed text will miss its last character (for instance, for a property having its value: "YourValue" --> the "RevealText" function will return "YourValu", without the "e").

Please read the discussion from the above forum thread and follow these steps:

1. From the "Files and Folders" page add "SecureProp.dll" as a temporary file by pressing the "Add temporary files" button from the toolbar. The SecureProp.dll can be found at the following location:

    C:\Program Files (x86)\Caphyon\Advanced Installer 18.5\custact\x86

2. The properties are the same as in my previous reply, with only one mention. The property that you are trying to secure, in my case "SECURE_PROP1", must have the "Set persistent property" attribute set, so its value is kept during the Maintenance Mode.

3. Schedule the Custom Actions after the "Install Execution Stage" → "Searches" action group and configure them like in the attached .aip project. These custom actions are:
  • Call function from standard DLL: getLength, getRevealed.
  • PowerShellScriptInline: increaseLengthwith1.
    The MessageBox custom actions are only for testing purposes.
4. Build and run the attached project 2 times. The second time start the repair mode and you will see your initial input decrypted.

For the first time install I think you can use the first solution.

Let me know if this helped!

Best regards,
Liviu
Attachment: Your Application.aip (23.41KiB)

markoc

Re: Problem with secure install properties

Tue Sep 21, 2021 7:16 am

Hi Liviu,

First of all, my apologies for the really late response and thank you again for your time.

We haven't had the time to actually test this solution but once it is on our agenda again we will give it a go and I will update this thread to let you know if everything went according to plan.

Best regards,
Marko

Liviu

Re: Problem with secure install properties

Tue Sep 21, 2021 8:24 am

You are always welcome, Marko!

Best regards,
Liviu

markoc

Re: Problem with secure install properties

Fri Oct 29, 2021 9:28 am

Hi Liviu,

I tested your proposed solution and, although it works as expected when repairing the installation the first time, it will not work for any subsequent repair jobs.

Running the second repair job triggers the AI_SecureProperty action again and that will fetch the secured property from registry and resecure it. Trying to decrypt the encrypted value would result in getting the value of the parameter after the first AI_SecureProperty action, not the original value that is needed. The same would happen when running the third, fourth, ... n-th repair job as well, you would get the encrypted value of the (n-1)th repair job.

I will give you a short example: let's say we decided to input the value test on the Testing dialog of the solution you provided. After the installation is done, the property is securely stored in registry as 4C99BAA4D793F603. Running the first repair job will decrypt the stored value of the secured property just fine but it will also resecure it and store to registry now as 0C999CA49D93BB0327808D539E42F311FFFB3C7AFC805F00B196CC076C688522. Running the next repair job will now decrypt the stored value into the value of the first secure action, 4C99BAA4D793F603. The stored value will get resecured again.

So, the problem seems to be the AI_SecureProperty action that gets called every time an installation job has been run. Is there any way to disable that action on repair jobs? That would probably solve our problem.

Kind regards,
Marko

Liviu

Re: Problem with secure install properties

Mon Nov 01, 2021 11:33 am

Hi Marko,

You can try to condition the custom action that encrypts the property, in the "Table Editor" page, with a condition as follows:

    NOT AI_MAINT

This way, the property will not be encrypted again during the Maintenance Mode, therefore its value will be preserved.
[Screenshot: Ai_SecureProperty.png]

Please let me know if that helped!

Best regards,
Liviu

markoc

Re: Problem with secure install properties

Wed Nov 03, 2021 9:41 am

Hi Liviu,

This looks like it would do the job but I don't see the Table Editor page in my project... Is it not usable on a Professional licence? If not, is there any other way of disabling the action without using the Table Editor?

Best regards,
Marko

Liviu

Re: Problem with secure install properties

Wed Nov 03, 2021 1:00 pm

Hello Marko,

Please disregard my last answer.

I was able to find what the problem was there.

Basically in my previous attached project, we decrypt the property (SECURE_PROP1) and we save it in another property. Then when the AI_SecureProperty runs again, it encrypts the SECURE_PROP1 which was not stored as decrypted. So this is normal behavior.

To avoid this, we need to save the decrypted value into the same property as the encrypted value. Go to the Custom Actions page and on the getRevealed custom action change the property to SECURE_PROP1:
[Screenshot: SecureProp.png]
Also, you can find attached the .aip with this change.

Hope this helps!

Best regards,
Liviu
Attachment: Your Application.aip (23.4KiB)
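
The repair cycle discussed in this thread, modelled as an added example that is not part of any post and is not Advanced Installer code: it shows why revealing into a second property returns the previous round's ciphertext on later repairs, while revealing back into SECURE_PROP1 stays stable. `seal()` and `reveal()` are a constructed, reversible stand-in for the secure-property encoding (the real algorithm is not shown on this page), and `Installer` and `run_repairs` are hypothetical names.

```python
# Toy model of the repair cycle discussed in this thread. seal()/reveal() are a
# constructed stand-in, NOT the algorithm used by Advanced Installer.
KEY = b"demo-key"  # constructed value


def seal(text: str) -> str:
    """Reversible stand-in for AI_SecureProperty: UTF-16 bytes XOR key, as hex."""
    raw = text.encode("utf-16-le")
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(raw)).hex().upper()


def reveal(blob: str) -> str:
    """Stand-in for the getRevealed custom action."""
    raw = bytes.fromhex(blob)
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(raw)).decode("utf-16-le")


class Installer:
    def __init__(self, reveal_into: str):
        self.reveal_into = reveal_into  # property that receives the decrypted text
        self.registry = {}              # persisted value of SECURE_PROP1

    def install(self, user_input: str) -> None:
        self.registry["SECURE_PROP1"] = seal(user_input)

    def repair(self) -> str:
        # Searches: the persistent property is loaded back from the registry.
        props = {"SECURE_PROP1": self.registry["SECURE_PROP1"]}
        # Custom actions scheduled after Searches: reveal the stored value.
        props[self.reveal_into] = reveal(props["SECURE_PROP1"])
        seen_by_scripts = props[self.reveal_into]
        # The securing action runs again on SECURE_PROP1 and the result is persisted.
        self.registry["SECURE_PROP1"] = seal(props["SECURE_PROP1"])
        return seen_by_scripts


def run_repairs(reveal_into: str, user_input: str, count: int):
    """Install once, repair `count` times; return what scripts saw and the stored value."""
    inst = Installer(reveal_into)
    inst.install(user_input)
    return [inst.repair() for _ in range(count)], inst.registry["SECURE_PROP1"]
```

Calling `run_repairs("PLAINTEXT_PROP1", "test", 3)` reproduces the drift reported above, and `run_repairs("SECURE_PROP1", "test", 3)` returns the original input on every repair.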