Check that MSI digital signature!


The final release of the Windows Live client suite still does not support Windows XP x64 and Windows Server 2003. As expected, some folks have gotten their hands on the MSI installer itself and started making it available for download. Of course, I can’t officially condone this behavior, but more than enforcing EULAs I’m concerned about malicious programs being distributed as part of modified versions of the Windows Live Writer installer.

digital signature detailsIf you’re going to use any MSI that’s supposed to have originated at Microsoft, check for a digital signature first. In Windows Explorer, right-click on the file and choose Properties, then on the Digital Signatures tab. There should be a signature by Microsoft Corporation–click on it and hit Details to show a dialog like the below. Make sure it says "This digital signature is OK."

And if you hit View Certificate, the certificate path should show "Microsoft Root Authority > Microsoft Code Signing PCA > Microsoft Corporation".

You can also check the MD5 hash. The English build of Windows Live Writer 2008 has an md5sum value of 4912b32726dba27d37cf557797c8b8ee.


7 Responses to “Check that MSI digital signature!”

  1. Thanks for the tip Joe.

    Why on earth doesn’t Microsoft provides a full msi installer for us to download ?

    At my workplace the corporate proxy prevents the light installer (WLinstaller.exe) to grap missing parts from the internet. As a result this light installer is useless at work, and hence we try to find out a full installer on the internet, exposing us to a secutiry risk.

  2. Michel, if you contact our official support channels they have a downloadable installer (not MSI).

    Sorry for the inconvenience!

  3. 3 Michael F

    We use a MSFT ISA Server here at work. It is so pathetic that MSFT cannot get it’s act together on this. Zune installer had the same problems. PATHETIC

  4. Very disgruntled about the same issue here. How in earth is it possible that that 2 mb ‘installer’ doesn’t work when you are connected via a proxy? When you try to find an alternative version that does install via a proxy, the microsoft site isn’t helpful either (far from it, it tends to add injury to insult).
    MSN Live works fine via a proxy, but the installer doesn’t?!
    Jeez… makes me wonder what kind of bunch of incompetent and severely retarded ‘programmers’ are working at microsoft.
    The result is that people have to resort to dodgy sites like rapidshare where people share full versions of live messenger with all the associated risks of worms, virusses, trojans, etc.
    Hope you don’t mind me fulminating a bit here to vent some frustration, but I’m a long-time windows user and over the years I’ve cultivated a deep-seated hatred towards everything micro$oft comes up with. It’s not all bad of course, but there are so many bugs, design-flaws and completely unlogical ‘features’ in windows and microsoft applications that really spoil all the fun in using computers.

  5. 5 databoy2k

    I do have to point out one other thing there Joe. Please tell me if you agree with the following statement:

    “If the software works properly on an officially-released Microsoft operating system, it is a redundant exercise in frustration for the setup file to reject that operating system.”

    Sony created the Network Downloader service for the Playstation Portable. It works FLAWLESSLY with Windows XP x64 Edition, but because they also couldn’t be bothered to reset the flags to permit the file to install, they have alienated a potential customer. This is both Sony’s fault for their failure to simply permit the installation as well as Microsoft’s fault for not giving developers adequate preparation resources for their own systems.

    I am now in the many who are willing to adjust the flag in the MSI installers just so that software that truly does support my expensive operating system can be run. You can say shame on me for potentially creating a fertile breeding ground for false and malicious software, but I respond shame on you for limiting users and creating unsupported operating systems. Legitimate workarounds are always subject to dangerous exploits, so who’s fault are those workarounds: the guy who builds them to make his machine work properly, or the system designer (read: Software Programmers, Operating System Designers, etc.) who built a product that necessitates workarounds?

  6. databoy2k, I share your frustration. However, there is a method to the madness. The fact that Windows Live installer doesn’t work on XP x64 isn’t because we forgot to set a flag in the MSI. It was done deliberately, after weeks of discussion between various teams within Windows Live.

    “If the software works properly on an officially-released Microsoft operating system, it is a redundant exercise in frustration for the setup file to reject that operating system.”

    That assumes that we actually know that a piece of software works properly on said operating system. The problem is that, for some teams, establishing that knowledge adds tremendously to the cost of shipping a release–specifically, teams that have to do a lot of manual testing. Since test resources are generally fixed, that translates directly to longer product cycles and/or shorter time for development (i.e. fewer features). Apparently the powers that be have decided that the test cost was too much of a burden, given the number of users on XP x64. At least they decided to support Vista x64, so there is provably a threshold at which we will tip the other way.

    My personal take on this is that XP x64 users are savvy enough that we could do some basic testing and then just have the installer warn that “This program has not been tested on your platform, proceed at your own risk”. However, I’m sure others around here would argue that letting our software be installed on untested platforms is irresponsible, even reckless, and to be honest, I’m not so sure they’d be wrong.

    That being said, the MSIs *are* out there, they don’t even require bit twiddling to work on XP x64 (at least not Writer) and you’ve just read the instructions for verifying that you have a legitimate copy. It’s a bummer that thousands of eager would-be users have to jump through these hoops, but at least they are hoops and not locked doors. That’s really the best we can offer you for now.

  7. Just wanted to toss my two cents in about the installer… make a full installer publicly available please. WLW is an excellent product, hampering it by using funky proxy-inhibited installers is a waste of our time.

%d bloggers like this: