OK, I admit to being out of the Vista loop on all levels and I think I need
to get more up to date. I have an older version of SetupBuilder I think 4.3
which has worked fine and for what I am doing I have not needed to move up.
Now comes Vista and I am hearing of new installation standards and
certificates..... Color me lost.... If I am distributing or selling
software for any version of Windows what do I need? Will an installation
built with an older version of SetupBuilder work on Vista? Will an
installation built with the latest version of SetupBuilder for Vista work
for XP, Win2K, etc.? Do I need multiple installations depending on the OS?
What is all of this certificate stuff and where do I find out about them or
get one?

When I went from my own company and consulting to a full time position a few
years ago I let most of my personal development slide. Now I am about to
push some side products of my own and need to get up to speed before I get
myself into a bind.

I appreciate any comments or assistance on this and any other pitfalls I
might need to be aware of in general with Clarion on Vista.....

Bob Healy

Bob,

Vista development for SetupBuilder 6.0 slowed things down here. We are
still working on a "Deploying Applications in a Vista Environment"
whitepaper, a brand new web site and SetupBuilder 6 marketing material.

To answer your question: old installations created with SetupBuilder 4.x
will "execute" on Vista, but you'll see "<Your App> installed incorrectly,
please reinstall yada yada" Vista messages. After that your application
will stop working (in most cases).

You are lost if your installer does not support Vista. The good news is
that SetupBuilder can compile single-file installations for your application
to run correctly on all Windows platforms (Win95, Win98, WinMe, NT4, 2000,
XP, x64, 2003, and Vista)!)

The following best practices are for well-behaved application installations
in a Windows Vista or UAC environment.

1. Use versioned files and do not downgrade files during installation. File
versioning ensures that the final installation state is correct when setup
is complete. Without file versions, some special handing will be needed to
ensure that your installation works properly for many different installation
scenarios. Also, when installing versioned files, do not downgrade versions,
especially shared files. Downgrading versions may be good for your
application, but it frequently causes issues with other applications.

2. Install applications and store per-user data in different locations.
Applications should be installed in a folder under the Programs Files
directory. To configure this, you can use the %PROGRAMFILESDIR% variable in
your [INSTALLDIR] compiler variable. Per-user configuration data should be
stored in files either under the \Users\Username\AppData directory or in
registry keys under the HKEY_CURRENT_USER root. User data, templates, and
application-created files all have proper locations in the \Users\Username
subdirectory. Although this was not enforced in the past, since many users
would run programs with a full administrator access token, applications that
do not place information in the correct location are likely to fail. This is
especially true when virtualization is disabled.

3. Use a consistent folder location when installing shared components.
Shared components should be installed to the Common Files directory by using
the %COMMONFILESDIR% variable. Managing shared components can be problematic
and should be avoided, if possible.

4. Perform setup rollback if an installation fails. Partially installed
software can fail in strange and unexpected ways providing for a poor user
experience. SetupBuilder supports this rollback feature.

5. Do not install application shortcuts all over the user's profile. While
it may be tempting to add your application icon to every known exposure
point in Windows, it often results in users feeling that they have lost
control of their computer. Users are then forced to manually remove these
shortcuts to return the computer to a desired look and feel. If the
developer wants to add icons to the desktop, ask the user for permission
during the installation. Windows Vista addresses discoverability of
applications post install and includes the most recently used application
list to avoid excessive Start menu traversing.

6. Avoid automatically launching background applications at user logon.
Although it is possible to add programs to the startup group or Run key
during installation, it adds overhead to the system. Over time, the
performance of the user's computer can significantly degrade. If your
application can benefit from a background task, allow it to be
user-configurable. Also, adding a startup task with the HLKM run key may
prevent a standard user account from modifying the behavior in the future.
If the user wants an application to launch at logon, store the information
in the run key of HKEY_CURRENT_USER.

7. Follow clean removal logic. A user might remove an application not only
to free up disk space, but also to return the computer to its state prior to
the application being installed. The application's uninstall process should
correctly and fully remove the application. SetupBuilder defaults to the
following removal rules:

· All non-shared application files and folders.
· Shared application files whose reference count (refcount) reaches
zero.
· Registry entries, except for keys that might be shared by other
programs.
· All shortcuts from the Start menu that the application created at the
time of installation.
· User preferences may be considered user data and left behind, but an
option to do a completely clean removal should be included.
· The uninstaller itself.

8. Create and embed an application manifest with your application. In
Windows Vista, the correct way to mark your applications is to embed an
application manifest within your program that tells the operating system
what the application needs. In the Windows Vista release, there are
provisions to allow non-manifested or unsigned code to run with a full
administrative access token. Note that in future releases, the ONLY way to
run an application elevated will be to have a signed application manifest
that identifies the privilege level that the application needs.
SetupBuilder® provides the capability to automatically embed an XML
application manifest file within the resource section of a Portable
Executable (PE) image.

9. Authenticode Sign your application. Your application should now contain
an application manifest, which will be detected when the application
launches. The executable can, however, be tampered with. To prevent this,
you should sign the application with an Authenticode signature. You will
need a commercial certificate if you wish your application to be trusted on
the target computer of a customer installing your application. SetupBuilder®
lets you add an Authenticode® digital signature to an application file. If
you want your application to operate correctly in locked-down environments,
it should be signed with an Authenticode signature.

To sum it up, SetupBuilder can help you to achieve all of the above (and
more). With SetupBuilder 6.0 Developer Edition, you can automatically:

1. Embed a Vista-aware manifest into your (Clarion) application to specify
the minimum execution level required by your application for running on
Windows Vista platforms.

2. Add an Authenticode digital signature to your application file(s).

3. Create a native Vista-aware installer that runs on all Windows platforms.

BTW, with SetupBuilder 6.0 we were able to classify our own SetupBuilder 6
IDE as Mixed User Application - it can run as a Standard User or
Administrator on Vista!

Please let me know if you have any questions.

Friedrich

Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

"point. click. ship" - that's SetupBuilder 6
Create Windows Vista ready installations in minutes

WOW, Thanks that is a bunch of stuff to get in order..... You mentioned a
few things I was not clear on.
1. Versioned files. Is this an internal version number compiled into the
app or something added to the installation?
2. Do not downgrade files during installation? Lost me here
3. Authenticode Sign your application? Not sure what this is or where I
would look for information.
4. I take it you are saying Install all apps into the Program Files\Your
Program directory and have the Data reside in Documents and Settings\User
Name\Application Data\Your Program\Data. Is that right? What if you wanted
(needed) to make the data available to any user?
5. Application manifest. What makes up a manifest, a list of all included
exe's, dll's icons, ini's, images etc?
6. You mention Standard User and Administrator access, is this established
by the developer and communicated to the OS by the installation? I just
have a simple program for home user use this seems to be ado about
nothing..... What kind of considerations need to go into application
security?

Thanks for your help, like I said before I have been out of the loop and am
really clueless about Vista and its requirements.

Bob Healy

As far as the "what's this Authenticode" part, I recently wrote a couple of
articles for clarionmag:
http://www.clarionmag.com/cmag/v8/v8n10signing1.html

Jane Fleming

Bob,

> WOW, Thanks that is a bunch of stuff to get in order..... You mentioned a
> few things I was not clear on.
> 1. Versioned files. Is this an internal version number compiled into the
> app or something added to the installation?

You should add a version info resource into your own application files
(.exe's, dll's) so the installer can decide whether or not to replace
existing files. I think Clarion or a freeware template can do this for you.

>
> 2. Do not downgrade files during installation? Lost me here
>

For example, a version 1.0.0.0 file should never replace a file with
version 1.0.0.1 The SB6 installer can do this for you. Of course, you
can still replace 1.0.0.1 files with 1.0.0.0 files if you have to.

> 3. Authenticode Sign your application? Not sure what this is or where I
> would look for information.

What you need is a code signing-certificate. We are using a Comodo
certificate (works without any problem on XP, Vista, etc.).

Here is the direct link ($179 for two years, $99 for one):
http://www.instantssl.com/code-signing/code-signing.html?currency=USD&region=North%20America&country=US

The SetupBuilder 6 compiler can then use this certificate to do all the
dirty work for you (code-sign all your application files on-the-fly and
the installer itself).

Without a code-signing certificate you are completely lost on Vista.

> 4. I take it you are saying Install all apps into the Program Files\Your
> Program directory and have the Data reside in Documents and Settings\User
> Name\Application Data\Your Program\Data. Is that right? What if you
> wanted (needed) to make the data available to any user?

What you can do is to install it to the CommonAppDataFolder. You can also
create your own folder (e.g. c:\mydata)

> 5. Application manifest. What makes up a manifest, a list of all included
> exe's, dll's icons, ini's, images etc?

An Application Manifest will identify an application to Windows Vista and
allow administrators to define the application's desired security
credentials.

For example, in Clarion 6.3 you can embed a manifest to provide XP theme
support. But this does not help under Vista. SetupBuilder 6 can
automatically build and embed a Vista-aware manifest on-the-fly for you
to request the required execution level (and to provide XP/Vista theme
support).

> 6. You mention Standard User and Administrator access, is this established
> by the developer and communicated to the OS by the installation? I just
> have a simple program for home user use this seems to be ado about
> nothing..... What kind of considerations need to go into application
> security?

Under Windows XP, most users normally live in Administrator login mode.
This will completely change under Vista. The new Windows Vista UAC mode
allows you to login as a Standard User, but still perform admin tasks.

Most installations in XP need to run in administration mode. But now under
Vista, Microsoft recommend to do *everything*, including install software,
under Standard User logon (of course, with UAC enabled). Microsoft
recommend that all executables which need access to protected areas of
Windows (e.g. installation programs) should be marked as
requireAdministrator. SetupBuilder 6.0 can compile installation (and
modify your applications) with embedded manifest files that mark for
elevated execution.

You have to make sure you app works in Admin and Standard user mode!!

> Thanks for your help, like I said before I have been out of the loop and
> am really clueless about Vista and its requirements.

You are welcome. If there are more questions, just ask.

Friedrich

Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

"point. click. ship" - that's SetupBuilder 6
Create Windows Vista ready installations in minutes

Bob,

And of course, read Jane's fantastic "Signing Your Applications, Part 1"
article in the October issue of ClarionMag:
http://www.clarionmag.com:80/cmag/v8/v8n10signing1.html

Friedrich

Thanks

Bob Healy

Thanks again and kudos to Jane

Bob Healy

One more.... How much will it cost to go from where I am to where I need to
be with SetupBuilder?

Bob Healy

Bob,

You can crossgrade to SetupBuilder 6.0 (including a 1-year subscription to
receive all updates free of charges) for $299.00.

http://store.esellerate.net/s.asp?s=STR9044399608&Cmd=BUY&SKURefnum=SKU8330729719

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

"point. click. ship" - that's SetupBuilder 6
Create Windows Vista ready installations in minutes