WIX Now Runs on FIPS Enable Machines
As mentioned in my previous blog, there was a user request to enable the Windows Installer XML Toolset (WiX) to run on FIPS enabled machines. This in itself was not a large change. In order to enable it all that needed to be done was to switch the hashing algorithms that we use from a non-compliant one (MD5) to a compliant one (SHA1). The issue came when not wanting to break backwards compatibility with users that have auto generated identifiers now and are using the generated short name feature as well. Second was to ensure that merge modules built with Windows Installer XML Toolset (WiX) and that are embedded in an MSI built with Windows Installer XML Toolset (WiX) do not break (overflow Id length) with FIPS enabled.
This introduces a new command line switch on candle.exe. The argument “-fips” can now be specified in order to switch the hashing algorithms to SHA1. If you are running on a FIPS enabled machine and you do not specify this switch you will now receive an exception clearly telling you that you need to enable this feature. Once this is enabled, it will break the upgrade rules for registry Ids that are auto generated and it will change the values generated for short names;
so please be careful!
Below is what you can expect to see in terms of the output changing.
Registry Id Change
regCF3E4DD8E9FDD1355D6E8ECA2D7DA852
to
regFD39D952EC8973D41843396A15B57055
Short Name Change
djjnosd-.wxs
to
q9_iaha-.wxs
In addition the two static methods in src\wix\CompilerCore.cs have changed to members of that class. Please take note of this if you are using those!