I am planning to include a product-key dialog in the installation process for my new application. This will allow the end user to enter a value that will then be validated by a Custom Action.
However before I go down this route I'd like to know if it is possible to create a read-only MSI file or even better prevent the contents of the file from being viewed.
The reason for this is to prevent an end user with enough MSI Installer knowledge to remove the validation dialog and custom action from the sequence tables in the file and install the product without a valid product key.
Thank you in advance for your advice.
This is a ready-only archive of the InstallSite Forum. You cannot post any new content here. / Dies ist ein Archiv des InstallSite Forums. Hier können keine neuen Beiträge veröffentlicht werden.
Prevent MSI file editing
Started by
Paolo_ituk
, Mar 24 2007 18:04
4 replies to this topic
Zweitze
-
- Full Members
- 522 posts
Posted 24 March 2007 - 18:24
MSI setups are intended for reverse engineering so administrators can modify the contents for their own use. If you read the earliest documentation you'll learn that this was the most important requirement of Windows Installer (in those days called Zero Administration Windows).
This makes your objective very hard, since you don't want anyone to do so. For instance you can sign the MSI with a certificate and check the signature during installation, however a system administrator may remove that check too.
The best way out is to remove these 'secrets' out of the MSI and into the software that you install.
This makes your objective very hard, since you don't want anyone to do so. For instance you can sign the MSI with a certificate and check the signature during installation, however a system administrator may remove that check too.
The best way out is to remove these 'secrets' out of the MSI and into the software that you install.
Paolo_ituk
-
- Full Members
- 2 posts
Posted 24 March 2007 - 19:26
Thank you for the information Zweitze, I wil follow your advice.
(Don't Microsoft products and many others include similar key checking algorithms in their installation process ? And if yes, does this mean that anybody could edit the installation file for those products and skip the validation of product keys ?)
(Don't Microsoft products and many others include similar key checking algorithms in their installation process ? And if yes, does this mean that anybody could edit the installation file for those products and skip the validation of product keys ?)
Zweitze
-
- Full Members
- 522 posts
Posted 25 March 2007 - 15:47
Indeed, many products have some kind of checking in their setups. But they also support silent installation, where no information will be asked.
The reason that checking is included in setups is ease of deployment: when an administrator wants to deploy (eg.) Office to all systems in an enterprise, he doesn't want to mail the registration keys to all users. So he adapts the setup to include the registration information, and deploys that setup over the enterprise.
The reason that checking is included in setups is ease of deployment: when an administrator wants to deploy (eg.) Office to all systems in an enterprise, he doesn't want to mail the registration keys to all users. So he adapts the setup to include the registration information, and deploys that setup over the enterprise.
HahtokariMika
-
- Full Members
- 16 posts
Posted 10 April 2007 - 10:43
As a Sysadmin i'll usually have most trouble with products that try to validate users right to use that product during installation. I often need to deploy software to hundreds of workstations. If software requires validation during installation without any support of silent deployment i usually recommend customer to consider some other product for a task.
Working installation and silent installation support is actually signs of product quality. If even installation of software is hard or does not even work in a customer enviroment. How could the actual product be better?
So if you have possibility to evaluate user lisence after installation that is better than brake MSI just to hide your licensing check utility.
For a best solution would be that you could provide utility or mean to give necessary key for in a public property. If you really need to evaluate user license i would use commercial licensing products like macroivision has. Licensing server could be best asnwer then.
Working installation and silent installation support is actually signs of product quality. If even installation of software is hard or does not even work in a customer enviroment. How could the actual product be better?
So if you have possibility to evaluate user lisence after installation that is better than brake MSI just to hide your licensing check utility.
For a best solution would be that you could provide utility or mean to give necessary key for in a public property. If you really need to evaluate user license i would use commercial licensing products like macroivision has. Licensing server could be best asnwer then.