[每天解决一问题系列 - 0005] WiX Burn 如何校验chained package的合法性

问题描述：

项目中使用Wix burn打包，内部包含了多个MSI。有时候会遇到如下错误

Error 0x80091007: Failed to verify hash of payload: SetupProject1.msi 。

问题解析：

首先需要了解Wix Brun校验其payload的原理，主要有如下两种情况：

1）如果MSI有数字签名，则根据MSI的数字签名进行校验，也就是说如果数字签名没有变，Burn不会校验MSI的内容是否变化

2）如果MSI无数字签名，则获取该MSI的SHA1 hash，在安装的时候校验hash。这种情况下，如果MSI的内容发生变化，则无法使用该burn进行安装，必须重新编译。

WIX Brun 源代码 (burn\engine\cache.cpp)

static HRESULT VerifyThenTransferPayload(
    __in BURN_PAYLOAD* pPayload,
    __in_z LPCWSTR wzCachedPath,
    __in_z LPCWSTR wzUnverifiedPayloadPath,
    __in BOOL fMove
    )
{
。。。
 // If the payload has a certificate root public key identifier provided, verify the certificate.
    if (pPayload->pbCertificateRootPublicKeyIdentifier)
    {
        hr = CacheVerifyPayloadSignature(pPayload, wzUnverifiedPayloadPath, hFile);
        ExitOnFailure1(hr, "Failed to verify payload signature: %ls", wzCachedPath);
    }
    else if (pPayload->pCatalog) // If catalog files are specified, attempt to verify the file with a catalog file
    {
        hr = VerifyPayloadWithCatalog(pPayload, wzUnverifiedPayloadPath, hFile);
        ExitOnFailure1(hr, "Failed to verify payload signature: %ls", wzCachedPath);
    }
    else if (pPayload->pbHash) // the payload should have a hash we can use to verify it.
    {
        hr = VerifyHash(pPayload->pbHash, pPayload->cbHash, wzUnverifiedPayloadPath, hFile);
        ExitOnFailure1(hr, "Failed to verify payload hash: %ls", wzCachedPath);
    }
。。。
}

解决方法：

了解了问题的原理，方法就显而易见了。