While I do not have full knowledge of the signing model Burn is using, I would expect that your final bootstrapper is supposed to be built when your included MSIs are fully signed. Thus I think your suspicion is most likely correct.

Wix# doesn't do much about signing. I only provided an external, task-isolated wrapper ('Signing' sample) for the sign tool. And this wrapper isn't particularly comprehensive, as it is nothing else but a command line builder for invoking 'signtool.exe':

int exitCode = Tasks.DigitalySign(msi_file, "wixsharp.pfx", "http://timestamp.verisign.com/scripts/timstamp.dll", "my_password");

As you can see, signing is completely outside of building the MSI with Wix#, and it can be triggered at any time after Wix# is done with authoring the MSI file. Thus updating the hash using Wix# may be as simple as executing Tasks.DigitalySign again.

Though your option #2 seems to me the most logical, as it is consistent with Wix# breaking authoring into four fully decoupled stages:
- Build MSIs
- Sign MSIs (optional)
- Build Bootstrapper
- Sign Bootstrapper (optional)

If you end up using Wix# signing, keep in mind that you can pass the location of 'signtool.exe' to Tasks.DigitalySign as the last optional param, wellKnownLocations. You may even get away with the network location of the signtool, provided your build machine policies allow network executables to be run.

Good luck
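As an added illustration (not code from the reply above or from the Wix# project) of the four decoupled stages, here is a build script that signs each MSI and checks signtool's exit code before the bootstrapper that hashes it is built, so a failed signature cannot silently produce a bundle with stale hashes. The Project, Bundle and MsiPackage usage and the named wellKnownLocations argument of Tasks.DigitalySign are assumptions about the Wix# API; the paths, certificate, GUID and password source are constructed placeholders.

```csharp
// Added example, not part of the original post or the Wix# project.
// Assumes WixSharp's Project/Bundle/MsiPackage types and that
// Tasks.DigitalySign accepts a named wellKnownLocations argument.
using System;
using WixSharp;
using WixSharp.Bootstrapper;

class Build
{
    // Constructed placeholders; a real build reads these from a secure store.
    const string Pfx = @"C:\certs\release.pfx";
    const string TimestampUrl = "http://timestamp.verisign.com/scripts/timstamp.dll";
    const string SignToolDir = @"C:\Program Files (x86)\Windows Kits\10\bin\x64";
    static readonly string Password = Environment.GetEnvironmentVariable("SIGN_PFX_PASSWORD");

    static void Main()
    {
        // Stage 1: build the MSI.
        var product = new Project("MyProduct",
            new Dir(@"%ProgramFiles%\MyProduct", new File(@"Files\app.exe")))
        {
            GUID = new Guid("11111111-2222-3333-4444-555555555555") // placeholder
        };
        string msi = product.BuildMsi();

        // Stage 2: sign the MSI; abort the build if signing fails.
        Sign(msi);

        // Stage 3: build the bootstrapper only now, so Burn hashes the signed MSI.
        var bundle = new Bundle("MyProduct Setup", new MsiPackage(msi))
        {
            Version = new Version("1.0.0.0"),
            UpgradeCode = new Guid("66666666-7777-8888-9999-000000000000") // placeholder
        };
        string exe = bundle.Build("MyProductSetup.exe");

        // Stage 4: sign the bootstrapper.
        Sign(exe);
    }

    // Thin wrapper that turns a non-zero signtool exit code into a hard build failure.
    static void Sign(string file)
    {
        int exitCode = Tasks.DigitalySign(file, Pfx, TimestampUrl, Password,
                                          wellKnownLocations: SignToolDir);
        if (exitCode != 0)
            throw new InvalidOperationException($"signtool failed ({exitCode}) for {file}");
    }
}
```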