2 replies to this topic

[ewwallace]

The task of packaging PGP Corporate Desktop v8.0.3 (the latest-and-greatest) is evil, pure evil. I don't know of anyone who's succeeded in capturing the install, because of the various service and driver Registry keys that the packaging tools don't do too well with. Leaving any of these out leaves either the program or the OS broken (disabling the keyboard, mouse and WinLogon!), or both!

The only "trustworthy" way is to make a custom installer (old, pre-MSI InstallShield SETUP.EXE) with PGP Admin, with the settings as you want them.

This custom SETUP.EXE allows none of the InstallShield silent SETUP.ISS options (nor any command-line options for that matter), so you can wrap it without UI scripting tools like AutoIt/ScriptIt (which I've done--in fact, I've got it all wrapped up in a nice MSI complete with permissions, uninstall, the works).

However, this little SETUP.EXE also has some magic bit in it that's set to detect if the current user has the local administrator permissions to complete the install... as would be sensible. But there's a MAJOR flaw in the way it's implemented! You see, if the currently logged-in user is an average, unprivileged account and you run the custom SETUP.EXE from RunAs or the SMS service account--with full local administrator privileges--the darn SETUP.EXE will give an error message saying, "PGP 8.0.3 could not be installed, contact your administrator"--this is the error message it gives you only when you try to run the setup from a non-admin account! ARRRGGHH!

I am not an InstallShield expert, and I don't really have the tools to crack open the compiled ISScript in the SETUP.EXE. I've also submitted more than my two cents worth to PGP Corporation, and they don't give a darn what I think. (Maybe their marketing people will be a little more concern when the expose and how-to-get-around-it hits my website...)

So, in short, anyone have any ideas?

[ewwallace]

I am overjoyed! Last night I found a simple yet effective work-around...

I kept the MSI wrapper package as-is, running with admin rights, but added two new little scripts as custom actions. The first goes just before the custom PGP SETUP.EXE, and it temporarily adds the logged-in (unprivileged) username to the local Administrators group. The SETUP.EXE is fooled into thinking that the account is a local admin (even though the user hasn't actually got the permissions, since s/he hasn't logged out and back in again for group settings to apply), so it doesn't error out. Then after it completes, another custom action script removes the name from the local Administrators group. The install completes, the machine reboots, and voila! it's done. I already had all the other details in this package worked out--from permissions to user-friendly settings to a clean uninstall, so it's nearly good to go.

I figured I'd let you all know, for posterity's sake... Lots of other people have had trouble trying to package PGP, so if you're one of them are are trying again, drop me a note and I'll see if I can give you a few tips.

[Glytzhkof]

If the PGP MSI package is well authored you should be able to deploy it using group policy instead of doing all that you did. This would mean making an admin image of the setup.exe by running the command line:

[setupfilename].exe /a

Then specify a location where the files should be unpacked. Once you have unpacked the application you could run the msi file with elevated rights and that should be it (or maybe your deployment system has some smart way to give the file temporary admin rights).