Digital Signature Mismatch...

[Lee Jae-cheol]

Hello.

We have released our product using Advanced Installer. It worked well until last year.

In this year, the digital signature we purchased is expired. thus we purchased new digital signature and applied our product and Advanced Installer.

After that, the update is disable.. I saw the error message "Update installation was blocked, digital signature mismatch or untrusted publisher. Please contact technical support."

Because the signature was changed, It seems to not be abnormal.

I wonder to apply other digital signature to current update service.

Please help me.

Thank you.

[Dan]

Hello,

Since the Install only digital signed update packages signed with the same certificate as the Updater option is enabled, the encountered behaviour is correct.

In this case, some mandatory rules that need to be kept must be followed. For details, please check the Installing only digitally signed updates article.

Let me know if you need any help.

Best regards,
Dan

[Lee Jae-cheol]

Thank you, Dan.

I already have looked at the post you informed.

But I can't understand the explanation 'you need to sign an update package with the old certificate and inside that package have the "Updater.exe" signed with the new certificate.'

Can you explain more detaily? And I don't know the 'Subject field' means.

Please help me.. thank you.

[tjwlsdkzzz]

"you need to sign an update package with the old certificate and inside that package have the "Updater.exe" signed with the new certificate."

I tried to sign an update package with the old certificate but we failed because the certification is expired.

You can see below picture........




Now, my certificate is expired, so I try to change new certificate with different Subject field certificate.

And I can create an update package with the old certificate.

Please help me...............

[Dan]

Hello,

Please note that you need to follow these steps:
First you need to enable the Install only digital signed update packages signed with the same certificate as the Updater option from the Updater Page. For the option to work you must follow these rules:

• "Updater.exe" file must be digitally signed.
• The Subject field of the certificate used to digitally sign "Updater.exe" must match the Subject field of the certificate used to sign the update packages that will be installed subsequently (e.g. .MSIs, .EXEs, etc.).
• The update packages must be signed with a certificate issued by a trusted digital certificate authority and must be trusted on the computer where the updates are installed.

If migrating to a new certificate that has a changed Subject field and want to keep the updater - web server channel security, you need to sign an update package with the old certificate and inside that package have the "Updater.exe" signed with the new certificate.

Note that you do not need to sign an update package with the old certificate. You will only need to sign an update package with the old certificate if the Subject field is changed. I assume this is not your case.

Best regards,
Dan

[Lee Jae-cheol]

Thank you for kind your answer, Dan.

I guess, I found the cause. When we change old digital signature to new digital signature, the hash algorithm was changed(SHA1 -> SHA256).
Because we bought new digital signature from other company, the Certificate is changed, too.
I think if the Certificate was same, It would work well although the hash algorithm is changed.

I wonder that my thinking is correct, Dan.
Thank you.

[Dan]

You're welcome,

My hunch is that it should work, but I'm not sure.

Best regards,
Dan