‎Jun 09, 2008
09:36 PM
Digital Certificate Renewal
Hi,
Our software has been running smoothly with updates and non-administrator patches for the past one year.
My digital certificate has expired and my next patch would be including the new digital certificate.
My main worry is this: does this mean that if I include this new certificate in my next patch, the non-administrator patch is not going to work? In that case, should I be releasing the installation package completely with the new certificate? That would be a nightmare, as there is no point in the automatic update system then.
Any thoughts on this at the earliest is most appreciated.
regards
Kumaran
(4) Replies
‎Jun 10, 2008
02:17 PM
I don't have much helpful information for you here, as I'm not sure if Windows Installer will identify (and accept) an updated certificate, or if it requires a raw match. That said, you can specify multiple certificates via multiple rows in the MsiPatchCertificate table (our help covers how to add them), so if you wish to use an alternate certificate for your patches which won't expire (but will also not be accepted outside this scenario), you could probably specify and use a test certificate with a much later expiration date.
‎Jun 10, 2008
11:05 PM
Thanks Michael.
Sorry, I did not understand the point of including a certificate that does not expire. What does this mean? I thought the whole idea of the non-administrator patch was based on strict criteria with a valid digital certificate.
regards
Kumaran
‎Jun 11, 2008
10:16 AM
As far as I understand it, the certificates used in various ways linked from the MsiDigitalCertificate table (this includes the MsiPatchCertificate use) only need to be cryptographically valid. Instead of using the usual root authority trust chains, it uses the fact that the exact certificate was listed in the base package to form an immediate trust for the certificate. As such, even a test certificate can be used for this purpose. However, it would mean that looking at the certificate on the MSP or update.exe would show an invalid (test) certificate.
So in short it would be a hack. It would probably provide the UAC-patching behavior you asked for (test first), but would not provide the standard signature verification behavior you probably also want.
‎Jun 11, 2008
06:36 PM
Michael,
I will have to check on the test certificate, as I can remember that the non-admin patch never worked for me until I got the Update.exe signed and timestamped.
Kumaran
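
To see which certificates a base package actually lists for patching, as discussed in the replies above, the following PowerShell reads the MsiPatchCertificate table through the Windows Installer automation interface. It is an added example, not part of the original thread; the `$MsiPath` parameter and the `Invoke-Member` helper are names assumed for illustration.

```powershell
# Added example: list the rows of MsiPatchCertificate in a base MSI.
# $MsiPath is a hypothetical path to your own base package.
param([Parameter(Mandatory = $true)][string]$MsiPath)

function Invoke-Member($Object, [string]$Name, [string]$Kind, [object[]]$Arguments) {
    # The Windows Installer automation objects are late-bound,
    # so their members are called through reflection.
    $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $Arguments)
}

$installer = New-Object -ComObject WindowsInstaller.Installer
$fullPath  = (Resolve-Path $MsiPath).Path
# Second argument 0 opens the database read-only.
$database  = Invoke-Member $installer 'OpenDatabase' 'InvokeMethod' @($fullPath, 0)

# Each row names one certificate (a key into MsiDigitalCertificate)
# that the base package lists for signed patches.
$query = 'SELECT `PatchCertificate`, `DigitalCertificate_` FROM `MsiPatchCertificate`'
try {
    $view = Invoke-Member $database 'OpenView' 'InvokeMethod' @($query)
    Invoke-Member $view 'Execute' 'InvokeMethod' $null | Out-Null
} catch {
    # OpenView fails when the table does not exist in the package.
    Write-Warning "No MsiPatchCertificate table found in $fullPath."
    return
}

$rows = @()
while ($record = Invoke-Member $view 'Fetch' 'InvokeMethod' $null) {
    $rows += [pscustomobject]@{
        PatchCertificate   = Invoke-Member $record 'StringData' 'GetProperty' @(1)
        DigitalCertificate = Invoke-Member $record 'StringData' 'GetProperty' @(2)
    }
}
Invoke-Member $view 'Close' 'InvokeMethod' $null | Out-Null

if ($rows.Count -eq 0) {
    Write-Warning 'MsiPatchCertificate exists but has no rows.'
}
$rows
```

Running this against the shipped base package before a certificate is renewed shows how many certificates the package lists and under which keys, which is the information needed to judge whether a patch signed with a different certificate has a matching row.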