With Windows Installer 4.5 support for multi package transaction, the Windows Installer transaction boundary can span more than a single package. Additionally, UAC credential prompts are tied to a package trust boundary. This means, there can be more than one UAC credential prompt per transaction. If you want to use multi-package transactions and don’t want more than one credential prompt, then this blog is for you.
Here’s what you got to do:
1. Author MsiPackageCertificate table into the package that will be installed first in your multi-package transaction.
2. Sign all the subsequent packages with one of the certificates listed in the MsiPackageCertificate table.
The MsiPackageCertificate table identifies the possible signer certificates used to digitally sign packages that are part of this product install and do not need separate UAC credential prompt to acquire admin approval. Using this table, setup authors can list the digital certificates that the packages that constitute this product will be signed with.
The table definition is listed below:
PackageCertificateThe unique identifier for this row in the MsiPackageCertificate Table.
DigitalCertificate_An external key into the first column of the MsiDigitalCertificate Table. The row indicated in the MsiDigitalCertificate Table contains the binary representation of the signer certificate.
1. User clicks on a setup.exe.
2. Setup.exe calls MsiBeginTransaction.
3. Setup.exe calls MsiInstallProduct to install First.msi that carries an MsiPackageCertificate table that lists the certificates that this package trusts.
4. Windows Installer puts up a credential prompt for administrator’s consent to install First.msi.
5. Upon admin consent, Windows Installer goes about installing the product.
6. Setup.exe calls MsiInstallProduct to install second.msi that is signed by a certificate listed in First.msi package’s MsiPackageCertificate table. Since:
a. Administrator trusted First.msi and
b. Second.msi is signed by a certificate trusted by First.msi,
Windows Installer doesn’t put up any credential prompt for second.msi.
7. Setup.exe finally calls MsiEndTransaction and commits the transaction.
A: Yes. As long as the package was consented explicitly (via UAC prompt) or implicitly (trusted because it is signed by one of the trusted certificates)
A: It will display just the package information. This is analogous to our behavior vis-à-vis MsiPatchCertificate table.
A: Packages signed with revoked certificates will result in separate UAC prompts and cached credentials will not be used for those package installs. This is analogous to our behavior vis-à-vis MsiPatchCertificate table.
A: Yes. If a package carrying MsiPackageCertificate table is accepted as trusted by a UAC credential prompt then any subsequent packages (launched by embedded chainer or otherwise) signed by one of those certificates will also be considered as trusted.
A: No. UAC compliant packages are considered to be per-user packages; hence do not require admin credentials. So, they do not have the ability to add certificates.
A: Yes. If you use the new MsiPackageCertificate table to chain trust across packages. However, there is a caveat to that. If the package has an embedded CAB then that will be stripped when it is cached on to the user's machine. As a result, the certificate that was used to sign that package is no more valid. So, the certificates from MsiPackageCertificate table are not valid anymore and the chain of trust is broken. This is the reason why during uninstall, credential prompt is displayed for all the packages that carried embedded CABs. We do understand this limitation.
[Author: Hemchander Sannidhanam]This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm.