Bug #59159 Sign installation packages when appropriate
Submitted: 24 Dec 2010 16:21
Modified: 1 Dec 2016 13:48
Reporter: Santo Leto
Status: Closed
Category: MySQL Server: Packaging
Severity: S3 (Non-critical)
Version: 5.0, 5.1, 5.5
OS: Windows
Assigned to:
CPU Architecture: Any
Tags: msi, packages, sign, UAC

[24 Dec 2010 16:21] Santo Leto
Description:
When trying to install some mysql tools (downloaded from dev.mysql.com) using msi packages, Windows shows the UAC security warning "The publisher could not be verified. Are you sure you want to run this software?". The Security Warning is not shown when trying to install packages downloaded from edelivery.oracle.com.

- Security Warning is shown in the following packages downloaded from dev.mysql.com: 
mysql-5.5.8-win32.msi, mysql-5.5.8-winx64.msi, mysql-workbench-gpl-5.2.31a-win32.msi, mysql-connector-odbc-5.1.8-win32.msi, mysql-connector-odbc-5.1.8-winx64.msi, mysql-connector-c++-1.1.0-win32.msi, mysql-connector-c++-1.1.0-winx64.msi, mysql-connector-c-6.0.2-win32.msi, mysql-connector-c-6.0.2-win32-vs2005.msi, mysql-connector-c-6.0.2-winx64.msi, mysql-connector-c-6.0.2-winx64-vs2005.msi.

- Security Warning is not shown in the following packages downloaded from dev.mysql.com: 
mysql.data.msi (connector net)

- Security Warning is not shown in the following packages downloaded from edelivery.oracle.com:
mysql-connector-c-commercial-6.0.2-win32.msi, mysql-connector-c-commercial-6.0.2-win32-vs2005.msi, mysql-connector-c++-commercial-1.1.0-win32.msi, mysql.data.msi, mysql-connector-odbc-commercial-5.1.7-win32.msi, mysql-advanced-5.5.8-win32.msi, meb-3.5.2-windows-x86-32bit.msi, mysql-workbench-com-se-5.2.31-win32.msi

Furthermore, as far as I've noted, mysql.data.msi (connector net) - whether you download it from dev.mysql.com or edelivery.oracle.com - is the only msi which has a digital signature by Oracle America, Inc.

Apart from mysql.data.msi, the digital signature is missing in all files downloaded from dev.mysql.com which I have listed above, plus in the following list of files downloaded from edelivery.com:
mysql-connector-c-commercial-6.0.2-win32.msi, mysql-connector-c-commercial-6.0.2-win32-vs2005.msi, mysql-connector-c++-commercial-1.1.0-win32.msi, mysql-connector-odbc-commercial-5.1.7-win32.msi, mysqlmonitoragent-2.3.1.2044-windows-installer.exe, mysqlmonitoragent-2.3.1.2044-windows-update-installer.exe, mysql-advanced-5.5.8-win32.msi, meb-3.5.2-windows-x86-32bit.msi, mysqlmonitor-2.3.1.2046-windows-installer.exe, mysqlmonitor-2.3.1.2046-windows-update-installer.exe

Another thing that I've noted is that the following files:
mysqlmonitoragent-2.3.1.2044-windows-installer.exe, mysqlmonitoragent-2.3.1.2044-windows-update-installer.exe, mysqlmonitor-2.3.1.2046-windows-installer.exe, mysqlmonitor-2.3.1.2046-windows-update-installer.exe

have copyright meta, while all the other msi packages do not.

How to repeat:
Download listed packages and try to install.

Suggested fix:
Use Microsoft CryptoAPI Tools to sign installation packages, or other methods.
[24 Dec 2010 19:17] Sveta Smirnova
Thank you for the report.

Verified as described.
[25 Apr 2011 7:45] Valeriy Kravchuk
Bug #60954 was marked as a duplicate of this one.
[1 Dec 2016 13:48] Terje Røsten
Posted by developer:
 
All packages are now properly signed.
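
To check downloaded installers for the condition this report describes, the following PowerShell script audits the Authenticode signature of every .msi and .exe in a folder. It is an added example, not part of the bug report or of MySQL's packaging tooling; the `$Path` default and the substring match on the signer subject are assumptions, and the expected publisher string is the one named in the report.

```powershell
# Added example: audit Authenticode signatures on downloaded installers.
# $Path is an assumed download folder; $ExpectedPublisher is the signer
# name quoted in the report. Adjust both for your environment.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",
    [string]$ExpectedPublisher = 'Oracle America, Inc.'
)

$results = Get-ChildItem -LiteralPath $Path -File |
    Where-Object { $_.Extension -in '.msi', '.exe' } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

        # SignerCertificate is $null for unsigned files.
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        [pscustomobject]@{
            File        = $_.Name
            Status      = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer      = $subject
            # A countersigned timestamp keeps the signature verifiable
            # after the signing certificate expires.
            Timestamped = [bool]$sig.TimeStamperCertificate
            # Require both a valid chain/hash and the expected publisher:
            # a valid signature from an unrelated publisher is still a failure.
            PublisherOk = ($sig.Status -eq 'Valid') -and
                          ($subject -like "*$ExpectedPublisher*")
        }
    }

$results | Sort-Object PublisherOk, File | Format-Table -AutoSize

# Non-zero exit code lets a deployment script refuse to continue.
$bad = @($results | Where-Object { -not $_.PublisherOk })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) installer(s) unsigned, invalid, or signed by an unexpected publisher."
    exit 1
}
```

A `NotSigned` status corresponds to the "publisher could not be verified" prompt described in the report, while `HashMismatch` means the file was modified after signing and should not be installed.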