Zsolt Kollarits
Posts: 340
Joined: Fri May 29, 2015 10:36 am

Issue with certificate check

Thu Apr 19, 2018 9:57 am

Dear Advanced Installer Support Team,

Your Auto Updater service reported a problem for us about a certificate mismatch while we tried to install the latest version of our product. Indeed, we changed the digital signature of our package, the Subject part was also slightly changed.

After a short research we found your user guide about this topic:
https://www.advancedinstaller.com/user- ... dates.html

Our problem is the following: only the company name (CN) part of the Subject is a fixed value, but the rest (Location L, State S, Country C) parts will change several times in the future. Our digital signature provider will create the certificate file so the Subject string will be changing.

Our goals:
1. Due to security reasons we still would like to use your digital signature comparison feature (Updater -> Install only digitally signed ... checkbox).
2. We´d like to customize your feature somehow to check only the company name (CN) part of the Subject. That´s the bit which will stay the same for a longer term.

Unfortunately the idea written below "Migrating to a new certificate" section of your user guide is something we can´t really use, because many of our customers are just skipping some of our update packs - some of them are skipping 5-10 update packs (minor and major packages). So creating an "intermediate" version of our product and forcing all of our customers to install that version is not an option. The best would be if we could somehow customize your updater service and define which parts of the signature should be checked.

Thanks in advance for your answer!

Best regards,
Zsolt

Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm
Contact:  Website

Re: Issue with certificate check

Mon Apr 23, 2018 1:59 pm

Hello Zsolt,

I've forwarded your improvement request to our development team and as soon as they will have an answer I'll update this thread.

Thank you for your patience.

All the best,
Daniel
Daniel Radu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm
Contact:  Website

Re: Issue with certificate check

Wed Sep 19, 2018 2:04 pm

Hello Zsolt,

Unfortunately our development team has declined your improvement request because as they said the company name is not guaranteed to be unique among all certificates.

All the best,
Daniel
Daniel Radu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Zsolt Kollarits
Posts: 340
Joined: Fri May 29, 2015 10:36 am

Re: Issue with certificate check

Wed Sep 19, 2018 2:45 pm

Hello Daniel,

Thank you for your response. Our problem occurred due to an unexpected situation: at the time I opened the ticket, our certificate supplier changed the naming of the state from English to German, so basically the address part of the Subject was changing. You are right tough, the company name could also change at some point in time. How would your Auto Updater service still work in this case? We should somehow guarantee that our update packs can always be installed in the future, no matter how our certificate supplier changes the Subject. Is there anything else, you can use for comparing? Some field which is very unlikely to be changing?

Thanks in advance for your answer!

Best regards,
Zsolt

Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm
Contact:  Website

Re: Issue with certificate check

Mon Sep 24, 2018 9:43 am

Hello Zsolt,

If migrating to a new certificate that has a changed Subject field and want to keep the updater - web server channel security, you need to sign an update package with the old certificate and inside that package have the "Updater.exe" signed with the new certificate.

After doing this, all subsequent update packages can be signed using the new certificate.

Also, have a look on "Updating to a new certificate." forums thread which debates this scenario.

All the best,
Daniel
Daniel Radu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Zsolt Kollarits
Posts: 340
Joined: Fri May 29, 2015 10:36 am

Re: Issue with certificate check

Tue Sep 25, 2018 1:13 pm

Hello Daniel,

We already knew about this possibility, but I see 2 problems with that:

1. This approach can be only applied if we know in advance, before we release an update pack, that certificate might change in the future. But our situation is different, our certification provider might change our certificate without notice.

2. You are asking us to create a kind of "intermediate" version of the product, which is a mixture of old and new certificate. Of course we can´t use intermediate version, because we can´t force our customers to install all of our update packs. It´s very likely a lot of them would skip our "intermediate" version. E.g. if we have U1, U2, …., U7 throughout a year, and we get a new certificate from our provider just before releasing U3, then what should be done? We can´t have U3 as intermediate version since some users might upgrade from U1 (old certificate) directly to U7 (new certificate).

I really hope you understand what I mean.

Best regards,
Zsolt

Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm
Contact:  Website

Re: Issue with certificate check

Fri Sep 28, 2018 11:04 am

Hello Zsolt,

I really understand your last iterated scenarios and I can confirm you there is no way we can pass over these limitations of our Updates certificate check support. There is nothing we can do for you to avoid the above issues.

The only solution is to release in a way or other an intermediate signed Updater file otherwise you should stop using our updates certificate check support.

Thank you for your understanding.

All the best,
Daniel
Daniel Radu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Zsolt Kollarits
Posts: 340
Joined: Fri May 29, 2015 10:36 am

Re: Issue with certificate check

Mon Oct 01, 2018 12:24 pm

Hi Daniel,

We really understand the limitations of your Updates certificate check support, and accept that there is nothing you can do. Anyway thank you for your help.

Best regards,
Zsolt

Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm
Contact:  Website

Re: Issue with certificate check

Tue Oct 02, 2018 8:57 am

You are always welcome Zsolt.

Thank you for your understanding.

All the best,
Daniel
Daniel Radu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Return to “Common Problems”