Search

Boostrapper package creation corrupted when VS 2012 installed by Daryl J Reed

Active

31
0
Sign in
 to vote
Type: Bug
ID: 758814
Opened: 8/20/2012 3:31:07 PM
Access Restriction: Public
1
Workaround(s)
16
User(s) can reproduce this bug
I have a custom bootstrapper package installed as a prerequisite for my application. When I build this on a system that has Visual Studio 2012 installed, the installation fails with the following error:

Setup has detected that the file '...' has either changed since it was initially published or may be corrupt.

I am building in Visual Studio 2010, with no changes to the package or projects. When Visual Studio 2012 is not installed, this works as expected.
Details (expand)

Visual Studio/Team Foundation Server/.NET Framework Tooling Version

Visual Studio 2012

Steps to reproduce

1) Create a custom bootstrapper package
2) Build installer in Visual Studio 2010
Result: Works as expected

3) Install Visual Studio 2012
4) Build installer in Visual Studio 2010
Result: Error above

Product Language

English

Operating System

Windows 7

Operating System Language

English

Actual results

Setup has detected that the file '...' has either changed since it was initially published or may be corrupt.

Expected results

Prerequisite installs without incident.
File Attachments
0 attachments
Sign in to post a comment.
Posted by bawoodruff on 4/24/2013 at 2:20 PM
I've installed Update 2 to VS 2012 and the problem with including custom packages in VS 2010 for ClickOnce deployment is still broken.
Posted by Microsoft on 2/5/2013 at 4:13 PM
Thank you for your feedback. We are able to reproduce this issue and are fixing it in Visual Studio 2012 Update 2 release that is scheduled to be released in the end of March.
 
Many customers have found it useful to discuss issues like this in the forums (http://www.microsoft.com/communities/forums/default.mspx) where Microsoft and other members of the community can suggest workarounds.  Please keep the feedback coming.
 
Thanks,
The Windows Forms Team
Posted by Olivier Dagenais on 1/10/2013 at 8:57 PM
I have independently arrived at the same conclusion by looking at the MSBuild task and seeing that the .NET 4.0 version generates a SHA1 hash, while the .NET 4.5 version generates a SHA256 hash.

We worked around this defect by signing the package files with a code-signing certificate, bypassing the [now-broken] hash verification.

Ideally, setup.bin would be updated with a hotfix/service pack to verify hashes with the same algorithm used to build the SETUPCFG resource, i.e. SHA256.
Posted by Its Andrew on 1/10/2013 at 2:27 PM
It looks like framework 4.5 uses SHA256 to store each prerequisite hash code for further validation but during the installation it continues to use SHA1 to obtain hash for each prerequisite on disk and then compare SHA1 and SHA256 results. No wonder they differ.
I did this research by reading hash code from setup files created with 4.0 and 4.5 frameworks and comparing them with hash codes I created by myself using System.Security.Cryptography.SHA1 & System.Security.Cryptography.SHA256
Posted by Its Bryan on 1/9/2013 at 10:28 AM
The SHA1 Hash included in the Setup.exe is different after .net 4.5 is installed. We examined the hash included in an earlier Setup.exe and it was a 20 byte value which matched our calculation of the hash. Bootstrappers built with .net 4.5 installed had a longer hash that did not resemble the 20 byte hash.
Posted by Microsoft on 8/20/2012 at 11:27 PM
Thanks for your feedback.

We are rerouting this issue to the appropriate group within the Visual Studio Product Team for triage and resolution. These specialized experts will follow-up with your issue.
Posted by Microsoft on 8/20/2012 at 3:53 PM
Thank you for your feedback, we are currently reviewing the issue you have submitted. If this issue is urgent, please contact support directly(http://support.microsoft.com)
Sign in to post a workaround.
Posted by Olivier Dagenais on 1/10/2013 at 9:00 PM
Sign each package file with a code-signing certificate (using signtool.exe); this will bypass the [conflicting] hash verification and verify the files using their public key.
© 2013 Microsoft Corporation. All rights reserved. Microsoft Connect Terms of Use | Trademarks | Privacy Statement