fix(msi): use WixQuietExec from WixToolset.Util.wixext

WiX 4 has a documented bug (wixtoolset discussion #9143) where [CustomActionData]
is silently stripped from ExeCommand at compile time, leaving deferred CAs
with no command line. The bare Property attribute is also invalid — WiX
requires one of DllEntry/ExeCommand/Value/etc.

The WiX-blessed pattern for this exact use case (run an exe with property-
substituted args from a deferred CA) is WixQuietExec from the Util extension.
It's a DLL custom action that reads its command line from the property whose
Id matches the CA Id, which is auto-populated as CustomActionData by MSI.

Adds the util: namespace to Product.wxs, wires the Util extension install
into CI (workflow + Makefile), uses Wix4UtilCA_$(sys.BUILDARCHSHORT) so the
binary auto-selects per arch.

Author: swarit-stepsecurity

.github/workflows/release.yml

@@ -208,15 +208,16 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Install WiX 4
-        # WiX 4 ships as a .NET global tool. windows-latest has the .NET SDK
-        # preinstalled, so this resolves quickly. We pin to a known-working
-        # version. Linux/macOS hosts have WiX 4 issues with Directory/@Name
-        # path validation — we always build the MSI on Windows.
+      - name: Install WiX 4 + Util extension
+        # WiX 4 ships as a .NET global tool. The Util extension (WixQuietExec
+        # and friends) is a separate NuGet package that must be added to the
+        # global wix tool before referencing util: namespace types.
         shell: pwsh
         run: |
           dotnet tool install --global wix --version 4.0.5
           wix --version
+          wix extension add --global WixToolset.Util.wixext/4.0.5
+          wix extension list --global
 
       - name: Download Windows .exe assets from draft release
         env:
@@ -248,13 +249,15 @@ jobs:
 
           wix build packaging/windows/Product.wxs `
             -arch x64 `
+            -ext WixToolset.Util.wixext `
             -d Arch=x64 `
             -d "Version=$version" `
             -d "BinaryPath=$($amd64.FullName)" `
             -out "dist/stepsecurity-dev-machine-guard-$version-x64.msi"
 
           wix build packaging/windows/Product.wxs `
             -arch arm64 `
+            -ext WixToolset.Util.wixext `
             -d Arch=arm64 `
             -d "Version=$version" `
             -d "BinaryPath=$($arm64.FullName)" `

Makefile

@@ -29,17 +29,21 @@ build-linux:
 # with whatever the binary reports as `--version`.
 build-msi-amd64: build-windows
 	mkdir -p dist
+	wix extension add --global WixToolset.Util.wixext/4.0.5 || true
 	wix build packaging/windows/Product.wxs \
 		-arch x64 \
+		-ext WixToolset.Util.wixext \
 		-d Arch=x64 \
 		-d Version=$(VERSION) \
 		-d BinaryPath=$(CURDIR)/$(BINARY).exe \
 		-out dist/stepsecurity-dev-machine-guard-$(VERSION)-x64.msi
 
 build-msi-arm64: build-windows-arm64
 	mkdir -p dist
+	wix extension add --global WixToolset.Util.wixext/4.0.5 || true
 	wix build packaging/windows/Product.wxs \
 		-arch arm64 \
+		-ext WixToolset.Util.wixext \
 		-d Arch=arm64 \
 		-d Version=$(VERSION) \
 		-d BinaryPath=$(CURDIR)/$(BINARY)-arm64.exe \

internal/buildinfo/version.go

@@ -3,7 +3,7 @@ package buildinfo
 import "fmt"
 
 const (
-	Version  = "1.11.2-msi-test5"
+	Version  = "1.11.2-msi-test6"
 	AgentURL = "https://github.com/step-security/dev-machine-guard"
 )
 

packaging/windows/Product.wxs

@@ -14,7 +14,8 @@
   msiexec — powershell.exe is never spawned anywhere in install/upgrade/
   uninstall flows.
 -->
-<Wix xmlns="http://wixtoolset.org/schemas/v4/wxs">
+<Wix xmlns="http://wixtoolset.org/schemas/v4/wxs"
+     xmlns:util="http://wixtoolset.org/schemas/v4/wxs/util">
 
   <?if $(var.Arch) = "x64" ?>
     <?define UpgradeCode = "65AE0FC0-2070-4F40-B0CA-413637F94121" ?>
@@ -99,35 +100,43 @@
       ================================================================
     -->
 
-    <!-- Use the Property-attribute pattern (MSI Type 50: exe-from-property).
-         Discovered the hard way that WiX 4 silently strips [CustomActionData]
-         tokens out of ExeCommand at compile time, so Directory+ExeCommand
-         CAs end up with empty (or args-less) Target columns. The Property
-         pattern bypasses ExeCommand entirely: MSI reads the FULL command
-         line (path + args) directly from a property whose name matches the
-         CA's Id, which gets auto-populated as CustomActionData for the
-         deferred execution. -->
+    <!-- Use WixQuietExec from WixToolset.Util.wixext. This is the WiX-blessed
+         pattern for running an exe with property-substituted args from a
+         deferred custom action. WiX 4 has a known bug where [CustomActionData]
+         in ExeCommand is silently stripped at compile time
+         (https://github.com/orgs/wixtoolset/discussions/9143), and the bare
+         Property attribute is invalid without ExeCommand. WixQuietExec is a
+         DLL CA that reads its command line from a property whose Id matches
+         the CA Id — solving the relay problem cleanly.
+
+         BinaryRef "Wix4UtilCA_$(sys.BUILDARCHSHORT)" auto-selects the right
+         arch (X64 for our x64 MSI, A64 for arm64).
+         DllEntry "WixQuietExec64" runs in 64-bit context. -->
 
     <CustomAction Id="RunConfigureInline"
-                  Property="RunConfigureInline"
+                  BinaryRef="Wix4UtilCA_$(sys.BUILDARCHSHORT)"
+                  DllEntry="WixQuietExec64"
                   Execute="deferred"
                   Impersonate="no"
                   Return="check"/>
 
     <CustomAction Id="RunConfigureFromFile"
-                  Property="RunConfigureFromFile"
+                  BinaryRef="Wix4UtilCA_$(sys.BUILDARCHSHORT)"
+                  DllEntry="WixQuietExec64"
                   Execute="deferred"
                   Impersonate="no"
                   Return="check"/>
 
     <CustomAction Id="RunInstallScheduledTask"
-                  Property="RunInstallScheduledTask"
+                  BinaryRef="Wix4UtilCA_$(sys.BUILDARCHSHORT)"
+                  DllEntry="WixQuietExec64"
                   Execute="deferred"
                   Impersonate="no"
                   Return="check"/>
 
     <CustomAction Id="RunUninstallScheduledTask"
-                  Property="RunUninstallScheduledTask"
+                  BinaryRef="Wix4UtilCA_$(sys.BUILDARCHSHORT)"
+                  DllEntry="WixQuietExec64"
                   Execute="deferred"
                   Impersonate="no"
                   Return="ignore"/>