We have been signing our product's .msi and .msp files for a year now so that non-admin users can apply patches, and this has worked well. However, after renewing the expired digital certificate, patches fail with the error "The system administrator has set policies to prevent this installation" when run by a non-admin user, though the patch works fine when run by an admin.
When run by a non-admin user, the patch's log file has the following entries:
Machine policy value 'DisablePatch' is 0
Machine policy value 'AllowLockdownPatch' is 0
Machine policy value 'DisableMsi' is 0
Machine policy value 'AlwaysInstallElevated' is 0
User policy value 'AlwaysInstallElevated' is 0
Product {6DD3EAAF-0320-46E0-815D-386226C1465D} is admin assigned: LocalSystem owns the publish key.
Product {6DD3EAAF-0320-46E0-815D-386226C1465D} is managed.
Running product '{6DD3EAAF-0320-46E0-815D-386226C1465D}' with elevated privileges: Product is assigned.
MSI (c) (CC:44) [08:48:08:449]: Machine policy value 'DisableLUAPatching' is 0
MSI (c) (CC:44) [08:48:08:449]: Machine policy value 'DisableFlyWeightPatching' is 0
Validating digital signature of file 'C:\DOCUME~1\TestUser\LOCALS~1\Temp\1891e5d.msp'
Certificate of signed file 'C:\..\1891e5d.msp' differs in size with the certificate authored in the package. This installation is forbidden by system policy. Contact your system administrator.
We noticed that the public keys in the old and renewed certificates are different and also that the old and new certificates are indeed different sizes. I expected that since the certificate is valid and belongs to the same organisation that it would all "just work" but that seems to be a naive view! I also expected that the renewed certificate would have the same public and private keys but this expectation may be incorrect too.
Reading around the problem, one suggestion is to create a patch which has the sole purpose of adding a new certificate to the MsiDigitalCertificate table and a new entry to the MsiPatchCertificate table that points to the new certificate. Unfortunately, this procedure will only work for non-admin users if the certificate to be upgraded has not expired yet, which is no longer the case for us, meaning that this option is a last resort for us.
We are also asking our Certificate supplier (Go Daddy) to renew the certificate with the same public key, though we are still waiting for a response on that.
I'd be grateful if you would respond to the following:-
- Should a renewed certificate for patching have the same public and private keys as the expired certificate?
- What is the recommended procedure for managing the renewal of certificates for patching once a certificate has expired?
- What is the best practice for renewal of certificates for patching?
Alastair
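The check that the log line above reports as "differs in size" is a comparison between the certificate that signed the .msp and the certificate(s) authored into the product's MsiDigitalCertificate table (referenced from MsiPatchCertificate). The following PowerShell script reproduces that comparison offline so the mismatch can be seen before a patch ships. It is an added example, not code from the original post; the two file paths, the function names, and the output layout are assumptions, and it uses only the WindowsInstaller.Installer COM automation interface and Get-AuthenticodeSignature.

```powershell
# Added example (not from the original post): compare the certificates a product's
# MSI authorises for non-admin (LUA) patching with the certificate that signed a .msp.
# Paths below are assumptions; point them at your own signed .msi and .msp.
param(
    [string]$MsiPath = 'C:\Build\Product.msi',
    [string]$MspPath = 'C:\Build\Update.msp'
)

# WindowsInstaller.Installer is late-bound COM, so PowerShell has to go through InvokeMember.
function Invoke-Msi {
    param($Object, [string]$Name, [string]$Kind, $ArgList)
    $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $ArgList)
}

# Runs a SQL query against an open MSI database and returns the fetched records.
function Get-MsiRecords {
    param($Database, [string]$Sql)
    $view = Invoke-Msi $Database 'OpenView' 'InvokeMethod' @($Sql)
    Invoke-Msi $view 'Execute' 'InvokeMethod' $null | Out-Null
    $records = @()
    while ($true) {
        $record = Invoke-Msi $view 'Fetch' 'InvokeMethod' $null
        if ($null -eq $record) { break }
        $records += $record
    }
    Invoke-Msi $view 'Close' 'InvokeMethod' $null | Out-Null
    return $records
}

# Reads a binary column (here CertData) into the DER bytes of the stored certificate.
function Get-MsiCertBytes {
    param($Record, [int]$Field)
    $size = Invoke-Msi $Record 'DataSize' 'GetProperty' @($Field)
    # Format 1 = msiReadStreamBytes: each character of the returned string holds one byte.
    $raw  = Invoke-Msi $Record 'ReadStream' 'InvokeMethod' @($Field, $size, 1)
    $bytes = New-Object byte[] $raw.Length
    for ($i = 0; $i -lt $raw.Length; $i++) { $bytes[$i] = [byte][int][char]$raw[$i] }
    return ,$bytes
}

$installer = New-Object -ComObject WindowsInstaller.Installer
$db = Invoke-Msi $installer 'OpenDatabase' 'InvokeMethod' @($MsiPath, 0)   # 0 = read-only

# Certificates the package authors as trusted for patching, keyed by table primary key.
$authorised = @{}
foreach ($r in (Get-MsiRecords $db 'SELECT `DigitalCertificate`, `CertData` FROM `MsiDigitalCertificate`')) {
    $id    = Invoke-Msi $r 'StringData' 'GetProperty' @(1)
    $bytes = Get-MsiCertBytes $r 2
    $authorised[$id] = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
}
# MsiPatchCertificate rows are what actually enable LUA patching for a given certificate.
$patchRefs = Get-MsiRecords $db 'SELECT `PatchCertificate`, `DigitalCertificate_` FROM `MsiPatchCertificate`' |
    ForEach-Object { Invoke-Msi $_ 'StringData' 'GetProperty' @(2) }

# The certificate that actually signed the patch (Authenticode signer, not the chain).
$sig = Get-AuthenticodeSignature -FilePath $MspPath
if ($sig.Status -ne 'Valid') { Write-Warning "Patch signature status is '$($sig.Status)'" }
$signer = $sig.SignerCertificate
"Patch signer : $($signer.Subject) thumbprint=$($signer.Thumbprint) bytes=$($signer.RawData.Length) notAfter=$($signer.NotAfter)"

$match = $false
foreach ($id in $patchRefs) {
    $c = $authorised[$id]
    if ($null -eq $c) { Write-Warning "MsiPatchCertificate references '$id' but MsiDigitalCertificate has no such row"; continue }
    # Thumbprint is SHA-1 over the DER bytes, so equal thumbprints mean the same certificate
    # (and therefore the same size, which is what the installer log complains about).
    $same = ($c.Thumbprint -eq $signer.Thumbprint)
    "Authorised   : $id thumbprint=$($c.Thumbprint) bytes=$($c.RawData.Length) notAfter=$($c.NotAfter) match=$same"
    if ($same) { $match = $true }
}
if ($match) { 'OK: the patch is signed with a certificate the package authorises for non-admin patching.' }
else        { 'MISMATCH: the .msp signer is not referenced from MsiPatchCertificate; a non-admin install will be refused.' }
```

Run it against the .msi that is actually installed on the target machine rather than a fresh build: for an installed product the relevant tables are those of the cached package, whose path the installer object returns via its ProductInfo property with the "LocalPackage" attribute. A renewed certificate with a different key pair will show up here as a different thumbprint and, as in the log above, usually a different RawData length, which is exactly the condition that turns a non-admin patch into "This installation is forbidden by system policy".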