Supply chain assurance and WiX V4. #7746
Unanswered
rodwiddowson
asked this question in
Questions
Replies: 1 comment
I wrote a PR for the 'msbuild' documentation.
I am hoping you can provide me with a steer to help me adopt WiX V4 for our installers.
I have converted one of them and it was remarkably easy to do given the size of the underlying changes. Thank you.
I am now moving to the problem of supply chain assurance. As background: since the SolarWinds thing, the (Open Source) project that I am proud to contribute to has been trying to protect our deployers' and our own supply chains. The details are here [1], but the bottom line is that we try to make sure that every tool and every library we use has not been tampered with since it emerged from the development team's build process.
I am not a .NET developer (most of my Windows work is done in kernel mode) but after some research I have determined that your NuGet packages (including your extensions) are signed by a key with SHA256 hash ending 18BE0B54986. From further research it seems to me that if I dive into msbuild I will be able to construct a project to build our installers such that only packages that you have signed can be used. This is great (and much more than is available natively to most java programmers).
So, this all boils down to two questions:
The first is a meta-question - will this work? All my testing so far has been done from the command line and I am just speculating (based on my reading of the MS documentation) that I can build an MSBUILD project to enforce things the way we need.
The second question is one we have for many tools developers: We need to be able to do independent verification that the certificate and key we're verifying against is indeed the one you intend, so that we don't find ourselves incorrectly verifying against a key that isn't yours.
This is usually done by listing the (public part of) the keys on a project-owned website [2], and some people choose to check them into their source repository [3]. I haven't been able to find them for you - can you point us at them?
I'd appreciate any help you can provide to get me through this knot-hole - if I can get our installers building and passing our supply chain tests I am happy to try to reciprocate by producing some sort of "how to" guide for others.
[1] https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/3269918721/Supply+Chain+Defence+for+the+Shibboleth+Java+Products
[2] https://downloads.apache.org/logging/KEYS
[3] https://github.com/eclipse/jetty.project/blob/jetty-11.0.16/KEYS.txt
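The enforcement the question asks about is normally done in the NuGet client rather than in the MSBuild project itself: a `nuget.config` at the repository root can set the signature validation mode to `require` and list the certificate fingerprints that are allowed to sign packages, and `dotnet restore` / `msbuild -t:Restore` will then refuse any package that is unsigned or signed by anyone else. The file below is an added example for this thread, not configuration shipped by the WiX project or posted by the questioner. The signer name `wix` is an arbitrary label, and the fingerprint value is a placeholder: the question quotes only the last digits of the SHA-256 fingerprint, and the whole point of the second question is that the full value must be obtained and verified out of band before it is pasted here.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <config>
    <!-- "require": every package that restore resolves (WiX, its extensions and
         any transitive dependency) must carry a signature from a signer listed
         under <trustedSigners>. Unsigned packages, or packages signed only by a
         certificate that is not listed, fail the restore instead of being used. -->
    <add key="signatureValidationMode" value="require" />
  </config>

  <trustedSigners>
    <!-- Author signature trusted for the WiX packages.
         PLACEHOLDER: replace the fingerprint with the full SHA-256 certificate
         fingerprint verified through an independent channel; the question only
         gives its trailing digits (...18BE0B54986). -->
    <author name="wix">
      <certificate fingerprint="REPLACE-WITH-FULL-SHA256-FINGERPRINT-ENDING-18BE0B54986"
                   hashAlgorithm="SHA256"
                   allowUntrustedRoot="false" />
    </author>
  </trustedSigners>
</configuration>
```

Because `require` applies to every package in the graph, any dependency that is not author-signed by a listed certificate (for example a package that carries only the nuget.org repository signature) will also fail restore; that is the intended "only packages you have signed" behaviour, and each additional trusted signer or repository has to be added explicitly. For the independent check of a single downloaded `.nupkg`, `dotnet nuget verify <package> --certificate-fingerprint <fingerprint>` reports the signing certificate and fails when it does not match the supplied fingerprint, which is a convenient way to compare a locally computed value against one published by the project before committing it to this file.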