How to install only digitally signed update packages

This functionality secures the communication channel between the updater and the web server where the updates are stored.

First, enable the "Install only digital signed update packages signed with the same certificate as the Updater" option from the Updater Page. For the option to work, you must follow these rules:

  1. The "Updater.exe" file must be digitally signed.
  2. The Subject field of the certificate used to digitally sign "Updater.exe" must match the Subject field of the certificate used to sign the update packages that will be installed subsequently (e.g. .MSIs, .EXEs, etc.).
  3. The update packages must be signed with a certificate issued by a trusted digital certificate authority and must be trusted on the computer where the updates are installed.
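
A pre-publish check for the three rules above, as an added example (it is not Advanced Installer's own code and does not claim to reproduce the Updater's internal verification). It uses PowerShell's Get-AuthenticodeSignature; the function name and file paths are hypothetical, and the exact, case-sensitive Subject comparison is an assumption chosen as the strictest reading of rule 2.

```powershell
# Added example: check an update package against the rules above before publishing it.
function Test-UpdateSignature {
    param(
        [Parameter(Mandatory)][string]$UpdaterPath,   # the signed Updater.exe you ship
        [Parameter(Mandatory)][string]$PackagePath    # the .msi/.exe update package
    )

    $updater  = Get-AuthenticodeSignature -LiteralPath $UpdaterPath
    $package  = Get-AuthenticodeSignature -LiteralPath $PackagePath
    $problems = @()

    # Rule 1: Updater.exe must be digitally signed.
    if ($null -eq $updater.SignerCertificate) {
        $problems += "Updater is not signed (status: $($updater.Status))"
    }

    # Rule 3: the package must be signed, and the signature must validate
    # against the trust stores of the machine this runs on.
    if ($null -eq $package.SignerCertificate) {
        $problems += "Package is not signed (status: $($package.Status))"
    }
    elseif ($package.Status -ne 'Valid') {
        $problems += "Package signature not valid here: $($package.Status) - $($package.StatusMessage)"
    }

    # Rule 2: both signer certificates must have the same Subject field.
    # Assumption: exact, case-sensitive string match.
    if ($updater.SignerCertificate -and $package.SignerCertificate -and
        ($updater.SignerCertificate.Subject -cne $package.SignerCertificate.Subject)) {
        $problems += "Subject mismatch: updater '$($updater.SignerCertificate.Subject)' " +
                     "vs package '$($package.SignerCertificate.Subject)'"
    }

    [pscustomobject]@{
        UpdaterSubject = $updater.SignerCertificate.Subject
        PackageSubject = $package.SignerCertificate.Subject
        PackageStatus  = $package.Status
        Passed         = ($problems.Count -eq 0)
        Problems       = $problems
    }
}

# Usage (placeholder paths):
# Test-UpdateSignature -UpdaterPath 'C:\Build\Updater.exe' -PackagePath 'C:\Build\MyApp-update.msi'
```

Trust is evaluated against the certificate stores of the machine running the check, so run it on a system configured like the computers that will install the update.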

Migrating to a new certificate

If you are migrating to a new certificate that has a changed Subject field and want to keep the updater - web server channel security, you need to sign an update package with the old certificate and include in that package an "Updater.exe" signed with the new certificate.

Follow the steps below:

  • Copy the "\stubs\x86\Updater.exe" file from the Advanced Installer installation folder to a different location and sign it with the new certificate
  • In the base version of your project (signed with the old certificate), create a new subfolder under the folder that contains the original "updater.exe" file
  • Set the "Install folder content into the parent folder" option for this new folder
  • Place the signed "Updater.exe" file in this folder
  • Check the Always overwrite existing file option for the newly signed updater, so that it overwrites the old updater
  • Make sure the "Digitally sign the file" option is disabled for this "Updater.exe" file
  • Sign the new version of your product with the new certificate

After doing this, all subsequent update packages can be signed using the new certificate.

Dual signing

Microsoft's directive enforcing SHA256 certificates took effect on January 1st, 2016.

If you dual sign your update package outside of Advanced Installer, you must make sure you are using the same certificate.