Update without elevation and Certificate issue

[Diego CG]

Hi,

When updating via Updater, the setup requires administrator credentials to run.
We need the installation to take place without the intervention of an administrator.

With the new release we have changed the certificate, we believe this triggers the request for administrator credentials.

In the Updater configuration parameters the last tick is not active but seems to be disregarded.

The version of Advanced Installer we are using is 15.7.

The situation with our certificates is as follows
On the installed applications, certificate "A" expired in 2020.


Using certificate "B" during the update the setup is visible. In addition, administrator credentials are required to proceed.


We requested a new certificate "C" asking to use the same Subject as certificate "A".


In spite of the request, the certificate "C" we received has Subject differences with "A" and the same problem as the previous one.


Also with the new certificates(B and C) also the certificate chain is different.



To summarise:
What makes two certificates the same?
Even if we obtain a certificate with the same Subject but a different chain, will the request for administrator credentials occur again?

Is there anything we can do to prevent the request for administrator credentials during installation regardless of the certificate?

Tank you,
Kind regards,
Diego.

[Diego CG]

Hi,

is there any news on which parts of the certificates are being compared?

kind regards,
Diego.

[Catalin]

Hello Diego and welcome to our forums,

I am not quite sure this is related to the fact that your certificate has changed.

In "Install Parameters" page, could you please let me know what the installation type is?

For instance, if the installation type is "Per-machine only, fails if user is not administrator", then it is normal for the updater to require administrator privileges.

If you want to handle the updates without elevation, please have a look over our "How to handle updates without elevation" article.

Best regards,
Catalin

[Diego CG]

Dear Catalin,

Thank you for your answer, i can confirm that we already use the "Support Service" and the parameter "install update without elevation".
You guessed correctly, in Install "Parameters Page" we use "Per-machine only, fails if user is not administrator".
It is a requirment for most of our software.

Last year we already made several releases without this problem before changing the certificate

For example, given a setup 1.4.5 with the new certificate we updated an installation 1.4.0 with the old certificate.
In the same way, with the same setup 1.5.0 we updated a new installation 1.4.5 with the new certificate.

This was always done using the "Support Service" and the parameter "install update without elevation".
Only in the first case does the Setup launched by the updater seem to ignore the parameters in the updater.txt and ask for elevation.


From what we have been able to observe, we can see that the "Install only digitally signed update...." parameter does not seem to work.

As far as possible ways to proceed, I think we still need to understand whether a certificate with the same subject but a different chain is considered equivalent.

I hope you can help us.

If further information is required, I am at your disposal.

Thank you,
kind regars,
Diego.

[Catalin]

Hello Diego,

Thank you for your followup on this.

It looks like I have misunderstood your first thread - I thought you were not using the "Support Service". Please accept my apologies for that.

Regarding the issue you are facing, this is indeed strange. Normally, to answer your questions:

As far as possible ways to proceed, I think we still need to understand whether a certificate with the same subject but a different chain is considered equivalent.

+

Even if we obtain a certificate with the same Subject but a different chain, will the request for administrator credentials occur again?

The answer should be yes, if you had the "Install only digitally signed update packages signed with the same certificate as the Updater". As per our "How to install only digitally signed update packages":

The Subject field of the certificate used to digitally sign "Updater.exe" must match the Subject field of the certificate used to sign the update packages that will be installed subsequently (e.g. .MSIs, .EXEs, etc.).

In order for me to further investigate this, could you please forward me the following resources:

- the project file (.AIP) for the older project + a download link for its' setup

- the project file (.AIP) for the newer project + a download link for its' setup

- the Updates Configuration Project

by e-mail at support at advancedinstaller dot com?

Best regards,
Catalin

[Catalin]

Hello Diego,

Thank you very much for the provided resources.

I have done some tests and I was indeed able to replicate the described behavior.

The encountered issue is indeed related with the fact that your certificates have different subjects (I was not so sure about this at first but I double checked with our development team).

Regarding the fact that you do not have the "Install only digitally signed update packages signed with the same certificate as the Updater" and this happening, please note that it is the normal behavior.

If we have a look over the "How to handle updates without elevation" article:

You can notice the note at the end of the article:

If the Updater is digitally signed then all update packages must be signed using the same certificate, this is the recommended approach.

Regarding your last question from the last thread:

As far as possible ways to proceed, I think we still need to understand whether a certificate with the same subject but a different chain is considered equivalent

The answer is yes - we only check for the "Subject" of the certificate.


Best regards,
Catalin

[Diego CG]

Dear Catalin,

thanks for clarifying how the certificate comparison works.

After many attempts we managed to get our supplier to create the certificate with the same subject.
With the correct certificate we were able to carry out the updates without any problems.

Thank you for your support.

Kind regards,
Diego.

[Catalin]

Hello Diego,

Thank you for your followup on this!

I am really glad to hear you managed to overcome this.

You are always welcome - always my pleasure to assist.

Best regards,
Catalin