WiX heat.exe tool FIPS Compliance

Question

Let me establish some background context first. I've done everything I can do to disable fips on my system. If it's still enabled then it's so deep that not even my sysadmin here can get it out with his credentials.

Also, I've added: to every msbuild.exe.config that I can find on my system.

That being said I'm getting the dreaded:

Exception Type: System.InvalidOperationException

Stack Trace:
   at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()
   at Microsoft.Tools.WindowsInstallerXml.Common.GenerateIdentifier(String prefix, Boolean fipsCompliant, String[] args)
   at Microsoft.Tools.WindowsInstallerXml.Extensions.DirectoryHarvester.HarvestDirectory(String path, String relativePath, Boolean harvestChildren)
   at Microsoft.Tools.WindowsInstallerXml.Extensions.DirectoryHarvester.Harvest(String argument)
   at Microsoft.Tools.WindowsInstallerXml.Harvester.Harvest(String argument)
   at Microsoft.Tools.WindowsInstallerXml.Tools.Heat.Run(String[] args)

Drilling down into the code I've found that the class and method:

Microsoft.Tools.WindowsInstallerXml.Common.GenerateIdentifier

Source for above class on github

has a argument that will switch to a fips compatible algorithm. The problem is, I can't seem to figure out how to get that value through heat.exe and into it. I've tried a number of command line configurations but none seem to work.

I'm not a primary .NET developer, so it's possible missing something really obvious.

Answer 1

Heat.exe doesn't support FIPS-compliant ids; it always uses MD5. It's a reasonable feature request, however, if you want to file one at http://wixtoolset.org/issues/.

Answer 2

This was fixed with a recent PR https://github.com/wixtoolset/wix3/pull/540

To use it you need to add the -fips flag to your heat.exe command line calls.

As of today it's not available in the official release but you can get it by using the development build. It only took 8 years to fix.

https://wixtoolset.org/releases/development/