mpande
Posts: 64
Joined: Tue Sep 28, 2021 1:52 pm

Expired Certificate causing issues with automatic upgrades

Tue Oct 05, 2021 7:09 pm

Hi! We are using the professional version of Advanced Installer.

Our original installer was programmed with Enable signing checked, using a file from disk, signed only for modern operating systems. On the Updater page we had "Install only digitally signed update packages signed with the same certificate as the Updater" checked.

The certificate used for the original installer has since expired. We have an updated certificate which is using the same subject line as the original certificate, which we've used to sign an upgrade file. When the updater runs it reports "Error: Update installation was blocked, digital signature mismatch. Please contact technical support."

It seems like we should have signed an update package with the old certificate before it expired. That wasn't done, and can't be done now that the old certificate has expired.

Is there a way to resolve this issue so that upgrades can take place without manual interaction at each of the sites that used the original installer?

Liviu
Posts: 1034
Joined: Tue Jul 13, 2021 11:29 am

Re: Expired Certificate causing issues with automatic upgrades

Wed Oct 06, 2021 9:13 am

Hello,

Since the "Install only digitally signed update packages signed with the same certificate as the Updater" option is enabled, the encountered behavior is correct.

In this case, some mandatory rules that need to be kept must be followed. For details, please check the Installing only digitally signed updates article.

Note that you do not need to sign an update package with the old certificate. You will only need to sign an update package with the old certificate if the Subject field is changed.

> We have an updated certificate which is using the same subject line as the original certificate,

Since your Subject is the same, I'm not sure, but the problem you encounter may happen if the hash algorithm was changed or the certificate is changed from another Company.

This issue was debated in the Digital Signature Mismatch... thread.

Hope this helps!

Best regards,
Liviu
________________________________________
Liviu Sandu - Advanced Installer Team

wholt@nabancard.com
Posts: 9
Joined: Mon Feb 01, 2021 11:15 pm

Re: Expired Certificate causing issues with automatic upgrades

Thu Oct 07, 2021 5:41 pm

Hello, I work with Max. I'll add some context: We have 3 different products, all installed with AI, all running the updater, all signed with a signing cert that used to be valid but has since expired. The newly purchased and issued signing cert has the SAME CN and O in the subject, but given the address in the subject was using a subsidiary office location, when we (and by we I mean I) renewed the cert with the root cert authority, it had to be in line with legal registrations for our org. This led to the new cert having different L, S, C entries and removal of the STREET and PostalCode entries. So, while I can appreciate the need to keep us protected, it should be against the CN and O and NOT the entire Subject content in general. This cannot be the first time an install was done using one cert, a business moves, then new cert, etc.

BTW, it would make no sense using the old signing cert to sign the new installer with because A. it's expired, B. it would be just kicking the can down the road to the next upgrade, and making the signing worthless since it's expired to begin, C. it should NOT be possible to sign anything with an invalid cert.

How do we resolve this? Manually connecting to 100's of sites is just not feasible in order to upgrade and continually upgrade. Can we autoupdate with a patch that disables, then push the real update out with the corrected signing? I love AI thus far, but the upgrader was a huge reason I decided to make the purchase (and forum support is good too).

What's preventing the upgrade? The preexisting upgrader already installed, or the new installer trying to be upgraded?

Liviu
Posts: 1034
Joined: Tue Jul 13, 2021 11:29 am

Re: Expired Certificate causing issues with automatic upgrades

Fri Oct 08, 2021 12:09 pm

Hello,

The only solution when the new certificate has a changed Subject is to migrate to the new certificate when the old one is still active, as explained in our article.

> BTW, it would make no sense using the old signing cert to sign the new installer with because

To change to a new certificate that has a changed Subject field and keep the updater - web server channel security, you need to sign an update package with the old certificate and inside that package have the "Updater.exe" signed with the new certificate. This is explained in our How to install only digitally signed update packages article.

After doing this, all subsequent update packages can be signed using the new certificate.

Since your Subject has changed, your only solution would be obtaining a new certificate that has the same "Subject" as the older one. We only check for the "Subject" of the certificate. Maybe you can try to ask your supplier to create the certificate with the same subject.

Please have a look over the following forum threads where a similar problem is discussed:
1. Certificate expired -> Update is no longer silent + triggers antivirus threat
2. Update without elevation and Certificate issue

Hope this helps!

Best regards,
Liviu
________________________________________
Liviu Sandu - Advanced Installer Team

wholt@nabancard.com
Posts: 9
Joined: Mon Feb 01, 2021 11:15 pm

Re: Expired Certificate causing issues with automatic upgrades

Fri Oct 08, 2021 5:26 pm

I am still unclear as to why you are arbitrarily choosing to compare the entirety of the subject data and NOT just the O = Organization Name and maybe additionally the CN = CommonName; all other data is subject to regulations, the cert issuer, and even location. Every one of the links you pointed to just exacerbates that point. One person mentions serial #, another mentions regional info removal for regulatory purposes, etc. Then your only solution is for us to go back to the cert store and pay hundreds of dollars for a new certificate if that's even possible. Given that ALL signing certificates are based upon Company validation, and our company no longer has an office at the old data in the old cert, it's not only not possible, it would be inaccurate to use invalid data JUST to make your software work.

You have provided no solution but: see, we bullied others into capitulating to the inadequacies of our software design, pound sand and use something else or just accept we won't change a thing. If that is the case, I will not be renewing any subscriptions to AI.

Liviu
Posts: 1034
Joined: Tue Jul 13, 2021 11:29 am

Re: Expired Certificate causing issues with automatic upgrades

Mon Oct 11, 2021 11:40 am

Hello,

Unfortunately, this is our default implementation. We look over the entire Subject, because in this way the Subject is unique. If we look only at the CN (Common Name), there can be multiple certificates with different Subjects but the same CN. CN is not unique.

However, I have added this on our TODO list. We are investigating this and hopefully an improvement will be available in a future version of Advanced Installer.

I'm sorry for the inconvenience.

Best regards,
Liviu
________________________________________
Liviu Sandu - Advanced Installer Team
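
The two matching policies argued over in this thread can be compared side by side before a certificate renewal. The following is an added example, not Advanced Installer's code and not posted by any participant: it parses Subject strings, applies a whole-Subject match and a CN+O match, and lists the attributes that differ. The Subject values, the function names and the exact comparison rules (ordered, case-sensitive values) are assumptions made for illustration.

```python
# Added example. All Subject strings are constructed sample data.
OLD = ('CN="Example Payments, LLC", O="Example Payments, LLC", '
       'STREET=1 Sample Way, L=Oldtown, S=Georgia, PostalCode=30000, C=US')
NEW = 'CN="Example Payments, LLC", O="Example Payments, LLC", L=Newtown, S=New York, C=US'
OTHER = 'CN="Example Payments, LLC", O=Unrelated Holdings Ltd, L=Newtown, S=New York, C=US'

def parse_subject(subject):
    """Split 'CN=..., O=..., C=..' into (TYPE, value) pairs.
    A comma inside a double-quoted value is part of the value."""
    parts, buf, quoted = [], [], False
    for ch in subject:
        if ch == '"':
            quoted = not quoted
        elif ch == ',' and not quoted:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    if quoted:
        raise ValueError("unterminated quote in subject")
    parts.append(''.join(buf))
    pairs = []
    for part in parts:
        key, sep, value = part.partition('=')
        if not sep or not key.strip():
            raise ValueError(f"malformed subject component: {part!r}")
        pairs.append((key.strip().upper(), value.strip()))
    return pairs

def same_full_subject(a, b):
    """Strict policy (assumed): every attribute, in order, must match."""
    return parse_subject(a) == parse_subject(b)

def same_on(a, b, attrs):
    """Relaxed policy (assumed): only the listed attribute types must match."""
    pick = lambda s: sorted(p for p in parse_subject(s) if p[0] in attrs)
    return pick(a) == pick(b)

def subject_diff(a, b):
    """Attribute types whose values differ, mapped to (old, new) value lists."""
    def group(s):
        out = {}
        for k, v in parse_subject(s):
            out.setdefault(k, []).append(v)
        return out
    ga, gb = group(a), group(b)
    return {k: (ga.get(k), gb.get(k)) for k in sorted(set(ga) | set(gb)) if ga.get(k) != gb.get(k)}
```

Running `subject_diff` on the current and the proposed Subject before ordering a renewal shows which fields would trip a whole-Subject check; the `OTHER` sample shows why matching on CN alone would accept a different organization's certificate.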