How to install only digitally signed update packages

This functionality secures the channel between the updater and the web server where the update packages are stored: the updater refuses any package that is not signed by the same publisher that signed the updater itself.

First, enable the Install only digital signed update packages signed with the same certificate as the Updater option on the Updater page. For the option to work, the following rules must be respected:

  1. "Updater.exe" file must be digitally signed.
  2. The Subject field of the certificate used to digitally sign "Updater.exe" must match the Subject field of the certificate used to sign the update packages that will be installed subsequently (e.g. .MSIs, .EXEs, etc.).
  3. The update packages must be signed with a certificate issued by a trusted digital certificate authority and must be trusted on the computer where the updates are installed.
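The three rules above can be checked before a package is published. The following PowerShell script is an added example, not part of Advanced Installer; the two file paths are assumptions, and it uses the trust store of the machine it runs on, so rule 3 is only confirmed for that machine.

```powershell
# Added example (not Advanced Installer's own code): pre-publish check that an
# update package satisfies the updater's signing rules. Paths are assumptions.
param(
    [string]$UpdaterPath = 'C:\build\Updater.exe',       # assumed location
    [string]$PackagePath = 'C:\build\MyProduct-1.2.msi'  # assumed location
)

function Get-VerifiedSigner {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Rule 3: the signature must chain to a CA trusted on this computer.
    # Status is 'Valid' only when the chain builds and the file is unmodified;
    # 'NotSigned', 'UnknownError' (untrusted root) and 'HashMismatch' all fail.
    if ($sig.Status -ne 'Valid') {
        throw "$Path : signature status is '$($sig.Status)' ($($sig.StatusMessage))"
    }
    return $sig.SignerCertificate
}

# Rule 1: Updater.exe itself must carry a valid signature (throws otherwise).
$updaterCert = Get-VerifiedSigner -Path $UpdaterPath
$packageCert = Get-VerifiedSigner -Path $PackagePath

# Rule 2: the Subject field of both signing certificates must match. The rule
# compares Subject, not thumbprint, so a renewed certificate with an unchanged
# Subject passes, while a certificate with a changed Subject does not.
if ($updaterCert.Subject -ne $packageCert.Subject) {
    Write-Host 'Subject mismatch: the updater would reject this package'
    Write-Host "  Updater : $($updaterCert.Subject)"
    Write-Host "  Package : $($packageCert.Subject)"
    exit 1
}

Write-Host "OK: package signed by '$($packageCert.Subject)', same Subject as Updater.exe"
if ($updaterCert.Thumbprint -ne $packageCert.Thumbprint) {
    Write-Host 'Note: different certificate with the same Subject (e.g. a renewal)'
}
```

Get-AuthenticodeSignature reports only the primary signature, so for a dual-signed package verify the secondary signature separately, for example with `signtool verify /pa /all <package>`, and confirm it was applied with the same certificate.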

Migrating to a new certificate

If you are migrating to a new certificate whose Subject field has changed and want to keep the updater - web server channel secure, you need to sign one update package with the old certificate and, inside that package, ship an "Updater.exe" signed with the new certificate.

After doing this, all subsequent update packages can be signed using the new certificate.

Dual signing

Starting January 1st, 2016, Microsoft's directive enforcing SHA256 certificates took effect.

If you dual sign your update package outside of Advanced Installer, you must make sure you are using the same certificate, i.e. one whose Subject field matches the certificate used to sign "Updater.exe".