.net Framework installation

Jul 22, 2016 at 2:33 PM
Edited Jul 22, 2016 at 3:09 PM
I have the following in my project:

static void Main()
    {

        setupproduct();
        string msiproject = buildmsi();

        var bootstrapper = new Bundle(productname,
                                new PackageGroupRef("NetFx461Web"),
                                new MsiPackage(msiproject) { DisplayInternalUI = true });
        bootstrapper.Version = new Version("1.0.0.0");
        bootstrapper.UpgradeCode = new Guid("929339fd-c7c1-43eb-9fad-a24a23b99802");
        bootstrapper.Application = new SilentBootstrapperApplication();
        bootstrapper.Build();

    }
setupproduct just sets the names and stuff about the product in some global strings to make it easier to move to the next product since I have six installs to make if I can manage to get it to work. I'm trying to move to WIx from InnoSetup. (I long for the inno way of installing the .net at this point...)

Then buildmsi is just the standard var project ect that comes with the VS standard template only in a method that returns the BuildMsi.

Everything compiles perfectly if I comment out the bootstrapper. And the resulting MSI installs the product perfectly.

But the bookstrapper is a problem since it errors out with a code of -1. Do you see why its doing it and what I need to do to fix it?

And is SilentBookstrapper the right option? Its the one I saw in the code I found elsewhere in the discussions...

Also another problem is I believe this bootstrapper, if I had written it correctly, will download and install net 4.6.1 if its not already installed. I'd much rather change it to check for a specific net version and then if its not there download and install 4.6.1(or whatever the latest is). Is that possible with WixSharp?
Jul 22, 2016 at 5:16 PM
I'm not sure if I've accomplished anything or not but I created this class

public class DotNetFrameworkInstall
{
public static int netversion;
public static string netdownloadversionurl;

[CustomAction]
public static void  InstallNETIfNeeded(SetupEventArgs e)
{
    if (!IsNET4Installed())
    {
        var netFile = System.IO.Path.ChangeExtension(System.IO.Path.GetTempFileName(), ".exe");
        netdownloadToFile(netdownloadversionurl, netFile); 
        System.Diagnostics.Process.Start(netFile).WaitForExit();
    }
}
static bool IsNET4Installed()
{
    using (var key = Microsoft.Win32.Registry.LocalMachine.OpenSubKey("SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\Full\\"))
    {
        if (key == null)
        {
            return false;
        }
        int releaseKey = System.Convert.ToInt32(key.GetValue("Release"));
        return releaseKey >= netversion;
    }
}

static void netdownloadToFile(string url, string file) 
{
    System.Net.WebClient Client = new System.Net.WebClient();
    Client.DownloadFile(url, file);
}
}

Then I assigned the version and the download link to my static class variables
Then added to project.afterinstall += InstallNETIfNeeded;

And that compiles and spits out a msi that installs appropriately.

The problem... all my computers have .net so I don't know if its really working. Is this breaking any rules of Wix or msis?
Jul 22, 2016 at 8:40 PM
Edited Jul 22, 2016 at 10:34 PM
I may have discovered a bug.

I was playing around with my original setup without my class and changed the main to this:

static void Main()
    {

        setupproduct();
        string msiproject = buildmsi();

        var bootstrapper = new Bundle(productname+" And Net FrameWork",
                                new PackageGroupRef("NetFx46Web"),
                                new MsiPackage(msiproject) { DisplayInternalUI = true });
        bootstrapper.Condition = "NOT WIX_IS_NETFRAMEWORK_452_OR_LATER_INSTALLED";
        bootstrapper.Version = Tasks.GetVersionFromFile(msiproject); //new Version("1.0.0.0");
        bootstrapper.UpgradeCode = new System.Guid("929339fd-c7c1-43eb-9fad-a24a23b99802");
        bootstrapper.Application = new SilentBootstrapperApplication();
        bootstrapper.OutFileName = productname + "netfx";

        bootstrapper.Build();

    }
That compiles into an exe that will install the program. (Or at least begins to since I hit cancel when the window with the license appeared since its already installed with the msi)

So the problems seemed to be that the bootstrapper didn't like not having a file name assigned (I noticed it was yelling about using setup.exe which is why I looked into changing that)

But the potential bug is that it also doesn't recognize the PackageGroupRef ID ("NetFx461Web") for net framework 4.6.1 but it does for 4.6.0 and earlier. Or at least the ones that I tested.
Coordinator
Jul 23, 2016 at 10:51 AM
There are a few things points that you may want to review/scrutinize/collect more info about.

I an not convinced you discovered a bug (at least not just yet). All bootstrapper samples that come with Wix# do not set bootstrapper.OutFileName and all of them build sootstrapper without any problems.

There is nothing wrong with using SilentBookstrapper but I am not sure it is the best choice for your case. You have no other msi (with UI) to chain so having setup without any visual feedback is kind of questionable from UX point of view.

Your very first code snippet is practically identical to the "WixBootstrapper_UI" sample. Thus if you cannot build this sampole then your environment somehow is not ready wor WiX/Wix#. However if you can (build the sample) then you may want to check the difference between your and samples PackageGroupRef/MsiPackage definitions.

> I noticed it was yelling about using setup.exe which is why I looked into changing that...
The latest Burn update made 'setup.exe' file name for the output file illegal. Don't ask! Someone decide it's a great security improvement. Wix# provides a work around for this and if it doesn't work fork for some reason I would really like to have a test case so it can be fixed.


In any case, if you still have problems you can compose a simple 'Hello World' style project and share it so I can have a look at it.
Jul 23, 2016 at 4:00 PM
Edited Jul 23, 2016 at 4:51 PM
I just commented out the bootstrapper.Application = new SilentBootstrapperApplication(); and that compiled. Hopefully that will show the net stuff...

It could be on my machine or it could just be me.

However if it is a bug, I believe its not in Wix Sharp. I think its in the toolset itself. Because I used the BuildCmd() to create the Wix source code and tried to compile that.

<?xml version="1.0" encoding="Windows-1252"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
<Bundle Name="MyProduct And Net FrameWork" Condition="NOT WIX_IS_NETFRAMEWORK_452_OR_LATER_INSTALLED" UpgradeCode="929339fd-c7c1-43eb-9fad-a24a23b99802" Version="1.0.6048.20640" >
<BootstrapperApplicationRef Id="WixStandardBootstrapperApplication.HyperlinkLicense">
  <WixStandardBootstrapperApplication LicenseUrl="" xmlns="http://schemas.microsoft.com/wix/BalExtension" />
</BootstrapperApplicationRef>

<Chain>
  <PackageGroupRef Id="NetFx46Web" />

  <MsiPackage DisplayInternalUI="yes" SourceFile="MyProduct.msi">
    <MsiProperty Name="WIXBUNDLEORIGINALSOURCE" Value="[WixBundleOriginalSource]" />
  </MsiPackage>
</Chain>
</Bundle>
</Wix>

That compiles with the target being 4.6.0 framework using the Build_MyProductNetfx.cmd file created by WixSharp.

But if I change it to the latest 4.6.1 framework with notepad++

<?xml version="1.0" encoding="Windows-1252"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
<Bundle Name="MyProduct And Net FrameWork" Condition="NOT WIX_IS_NETFRAMEWORK_452_OR_LATER_INSTALLED" UpgradeCode="929339fd-c7c1-43eb-9fad-a24a23b99802" Version="1.0.6048.20640" >
<BootstrapperApplicationRef Id="WixStandardBootstrapperApplication.HyperlinkLicense">
  <WixStandardBootstrapperApplication LicenseUrl="" xmlns="http://schemas.microsoft.com/wix/BalExtension" />
</BootstrapperApplicationRef>

<Chain>
  <PackageGroupRef Id="NetFx461Web" />

  <MsiPackage DisplayInternalUI="yes" SourceFile="MyProduct.msi">
    <MsiProperty Name="WIXBUNDLEORIGINALSOURCE" Value="[WixBundleOriginalSource]" />
  </MsiPackage>
</Chain>
</Bundle>
</Wix>

It does not compile. It says error LGHT0094 : Unresolved reference to symbol 'ChainPackageGroup:NetFx461Web' in section 'Bundle: My Product and Net... (There was more to the line but its not part of the screenshot I took of it since it went off screen)

I think they forgot to include <PackageGroupRef Id="NetFx461Web" /> as a valid entry. But it could also be my machine or me. I'm using the wix 3.10.3.3007 compiler. But I've only been playing with Wix through WixSharp for three days... So...
Coordinator
Jul 24, 2016 at 7:19 AM
OK. It kind of makes sense. WiX comes with some packages prepared for you. This applies to NetFx46Web. And most likely the WiX version you are using just doesn't have NetFx461Web included. But not because they forgot but because they just haven't implemented it yet. At least this is what the "unresolved symbol" error indicates. This means that you will need to check if the very latest WiX version includes the package you are interested in and use it (WiX) if it does. However if it doesn't then you have no other choice but to prepare the package by yourself. The WixBootstrapper sample shows how to prepare Web-based package.

Wix# does change the dev experience a lot comparing to the use of raw WiX however it's not the case for Burn (building bootstrappers). This is where Wix# interface is practically identical to the WiX. Thus it doesn't matter much if you are doing it with WiX or with Wix#. The only significant benefit Wix# brings is the ease of building integrating bootstrapper own UI (BA UI).
Coordinator
Jul 24, 2016 at 7:23 AM
One thing I forgot to comment.

> I just commented out the bootstrapper.Application = new SilentBootstrapperApplication(); and that compiled...
It shouldn't be like that. SilentBootstrapperApplication shouldn't cause any problems. Can you please send me the copy of your project so I can see if there is any real problem with SilentBootstrapperApplication. And, of course, remove any sensitive content from it.

Thank you.
Jul 24, 2016 at 11:20 PM
Oh I don't think there's anything wrong with the SilentBootStrapper other than I wanted there to be some indication that the net framework was installing. And I wasn't sure what other types of bootstrapper applications are available because the one thing I thought of happened to be the abstract class that SilentBootstrapper and probably the others are built off of. So I just commented it out and hoped the default one would do so.

And the weekly build for Wix version 3.11 from July 4th does have the Netfx461web tag :D

The only thing that's not doing as its supposed to is that I still need to assign the bootstrapper output file name to it. If I don't it gives two errors with first one saying it exited with a code of -1 and the second one saying "The file name 'setup.exe' creates an insecure bundle. Windows will load unnecessary compatibility shims into a bundle with that file name. These compatibility shims can be DLL hijacked allowing attackers to compromise your customers' computer. Choose a different bundle file name."

Refusing to allow the name setup.exe is like when Microsoft suddenly decided we couldn't write to the directory our program is stored in. Very Annoying. Or when they decided to make it harder to use the registry. Which I ceased using back then because I thought it was going to become impossible like writing to the directory. Though I never returned to using it, I think they backed off that. Or with the new Windows 10 apps where you can't even load or save files without jumping through a gazillion hoops... Which is why I will continue to focus on the desktop till I can't.

Okay done ranting about Microsoft's decisions ;)

WixSharp is awesome. I remember when they first released Wix I was excited to have access to how Microsoft builds MSIs. Then I saw the xml, couldn't understand why anyone would want to type all that, and ran fast back to innosetup. Using c# to build is awesome. (since c# is my favorite language)

I'm not sure how to attach a project to this or Id include it.
Coordinator
Jul 25, 2016 at 5:29 AM
> Okay done ranting about Microsoft's decisions ;)
Don't we all have something to say about it? I so know your pain :)

I am still strugling to see how just renaming your bootstrapper from setup.exe to my setup.exe is making it safer. Yes the error message hints that this prevents engaging the dodgy shims infrastructure. Wouldn't be more natural just to fix the shims?

It's so similar to MS prohibiting on Vista drag and drop to console app to improve security. Simply because drag and drop is build on top of clipboard infrastructure, which was vulnerable at that time. Why fix the vulnerability if we can make it harder for normal users to use the functionality the normal way? And ironically the hackers could use a raw clipboard if they need to.

Anyway, I believed it's entirely to the developers if they want to use potentially inconvenient "setup.exe". That is why Wix# does renaming on fly. Though it seems like in your case the work around somehow doesn't work. But I cannot reproduce the problem that is why I asked you for a test case. Can you please send it to this address:
Image

Thank you,
Oleg
Jul 25, 2016 at 3:08 PM
I sent you a zip of the setup and the helloworld console app.

Oh yeah I forgot about the drag and drop vista one. Microsoft has done some real boneheaded decisions in the name of security over the years. Each one just more aggravating than the previous. ;)

And I agree we should be allowed to name things whatever we want. And write to our own directory!

It also annoys me that they force us to get code signing certificates or else they'll show a scary warning. If they really were concerned about origins of software, we should be able to create our own certificates and put them on our server. Then tell in the installer where our certificates are located. Then on install, it checks the certificate located on the server, verifies the signature on the program and then there's no hundreds of dollars of cost for something that takes all of 5 seconds to create and makes these CAs rich. Although luckily I found a couple weeks ago startssl and their $59 code signing certificate.

But I'm digressing again lol
Jul 25, 2016 at 5:00 PM
Edited Jul 25, 2016 at 5:15 PM
lol I just checked my email and gmail refused to deliver it because of a security issue.

So I just uploaded it to google drive and shared it with your email address.
Coordinator
Jul 26, 2016 at 1:38 AM
> lol I just checked my email and gmail refused to deliver it because of a security issue.
Of course. Don't we all just love that. :)

A few useful tips: renaming .zip (e.g to .7z) would help. And also, Dropbox public folders allow single step (without extra authorization) access to the content.

And another good reason for not using zip is that on Windows it silently locks extracted .NET assemblies (of course for the sake of security). Thus effectively breaking your software without any single warning.

Mate, we can start another pure ranting thread :)

Anyway, will let you know the investigation outcome as soon as I get the google drive access permission.
Coordinator
Jul 28, 2016 at 2:22 AM
Edited Jul 28, 2016 at 2:22 AM
Just letting you know that I still have no access to the files you sent me the link to. You need to grant me a special permission, publish it with public access or just send as an attachment but rename zip in something obscure:

Image
Jul 28, 2016 at 8:27 PM
I just logged into my gmail and saw you requested permissions. Sorry about the delay. I was busy with something and didn't log in for a bit. I think you should be able to get it now.

I didn't know about the .net and zip not getting along. I guess I should reconsider zipping up my setups from now on. heh. I've been doing it that way since 2003 or there abouts.

Yep ranting thread on security sounds good :D