Update WiX package dependency

[joeloff]

Description: Some customers have strict CI policies around Device Guard. Even though WiX binaries are signed with the .NET Foundation authenticode certificates, the root certificate may not be in the allow list. Some customers do not want to add custom exclusions or install additional certificates on their machines.

To mitigate this, we've dual signed the WiX binaries with the Microsoft 3rd Party App SHA2 authenticode certificate in addition to the .NET Foundation SHA2

Impact: Installers that rely on built-in custom actions from WiX as well as some binaries that ship in the standalone bundles.

Risk: Low

Release: 6.0 RC2

Notes: This has been on tactics' radar for the last two weeks and already agreed to do this for RC2 so we have time to react to any issues before GA.

We have both a nupkg and .zip available. See dotnet/installer#12078 for an example. Note that the package ID have changed. The version tracks both the internal build and the WiX release so we can better manage rebuilds of the package or taking new releases from WiX.

[dougbu]

@joeloff could you clarify where (which branches) and when (deadline) this issue should be addressed❔

Separately, I think this is more than an infrastructure change because the new WiX contains both additional signing of installers we ship to customers and @ericstj's ARM64 updates. If we need to do this in servicing, I lean toward ask-mode. Thoughts @dotnet/aspnet-build❔

[wtgodbe]

I'm fine with doing it through ask-mode - like @joeloff mentioned, this is on tactics' radar so they shouldn't have an issue with it

[joeloff]

No, it doesn't have Eric's changes in WiX yet. This is only a rebuild of WiX 3.14.0-dotnet that we've been using with additional authenticode certs. There will be a new WiX 3.14.x build and at that time, we'll take that and produce an updated version of Microsoft.Signed.Wix.

For now this is only for RC2. I'd hope to have the packages last week, but we had some CELA concerns to address, but I've been updating tactics twice a week for 2 weeks now, so they're expecting this.

Eventually we'll do 3.1 and 5.0

[dougbu]

For now this is only for RC2.

So, this is really really urgent for realz. Right❔

[joeloff]

For now this is only for RC2.

So, this is really really urgent for realz. Right❔

For realz. This is blocking some customers from installing .NET I can share more details offline

[dougbu]

Taking…

[dougbu]

Created #36865. Please see my questions there.

That PR will automatically merge forward into 'release/6.0'. But, should I do the same thing in 'main'❔

[joeloff]

I think once we've have a coherent build to evaluate fully and RC2 is out we can move on main.

[dougbu]

a96feda though I forgot to fix the link to this issue in the commit description ☹️