Certificate renewal for least-privilege user account patching

  • Question

  • I have a question regarding certificate renewal for a Windows Installer patch file (MSP file). Apologies if this is not quite the right forum, but it is the closest I could find in the absence of a Windows Installer forum. Please let me know the name of an alternative forum if you know of a more appropriate one for this post.

    Anyway, to the point...

    We have been successfully signing a patch family of installers and patches for over a year to allow least-privilege user account (LUA) patching, but have encountered a problem after the certificate expired. Patching with the renewed certificate failed and investigation showed that the public key of the new certificate was different from the public key of the expired certificate. The rules of Windows Installer say that LUA patching works only when the certificate used to sign the MSI file is the same as the certificate that signs the patch (MSP) file.

    After some research we generated a Certificate Signing Request from the expired certificate and were able to rekey a new Go Daddy certificate that has the same public and private keys as the old certificate. In fact the new certificate is identical to the old certificate in every way except: the expiry date is in the future (which is of course essential), the "valid from" dates differ (unavoidably), the thumbprint is different (which we'd expect as the valid from and to dates are different), the serial number is different (presumably this does not affect the identity of the certificate) and, apparently crucially, the new certificate is 514 bytes smaller than the expired certificate.

    The public key, private key and subject (i.e. the identity) of the new and old certificates are identical and we think that Windows Installer should therefore be able to accept that the MSP file is signed with the same certificate as MSI file.

    Unfortunately, Windows Installer produces the following error when the Patch is run as a non-admin user.
    Certificate of signed file 'C:\DOCUME~1\TestUser\LOCALS~1\Temp\12b4dc3e.msp' differs in size with the certificate authored in the package.

    We do not understand why the size of the certificate is relevant. The identity and keys of the expired and new certificates are the same.

    Please can someone let us know how to sign a Windows Installer patch file (MSP file) with a new certificate once the certificate that signed the original MSI file has expired?

    Thanks, Alastair



    Thursday, December 2, 2010 1:05 PM
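The check Windows Installer applies before allowing a non-admin patch is against the DER-encoded certificate that the package authored into its MsiDigitalCertificate table, compared with the certificate that Authenticode-signed the MSP. The following PowerShell script is an added example (not code from the original post or from Microsoft) that reproduces that comparison offline, so a build engineer can see before release whether a re-keyed certificate is byte-for-byte identical or merely has the same keys and subject. It assumes a Windows machine with the WindowsInstaller.Installer COM automation object, that the MsiDigitalCertificate table has its standard DigitalCertificate/CertData columns, and that ReadStream with format 1 (msiReadStreamBytes) returns one character per stream byte; the file paths in the usage line are illustrative.

```powershell
# Added example: compare the MSP's Authenticode signer certificate with the
# certificate(s) stored in the MSI's MsiDigitalCertificate table.
# Windows Installer requires the DER bytes to match exactly; a certificate
# with the same keys/subject but different validity dates, serial or
# extensions has different (and here, shorter) DER bytes and is rejected.

function Invoke-ComMethod($obj, [string]$name, [object[]]$arguments) {
    # Late-bound call; the Installer COM objects expose no type info to PowerShell
    $obj.GetType().InvokeMember($name, 'InvokeMethod', $null, $obj, $arguments)
}
function Get-ComProperty($obj, [string]$name, [object[]]$arguments) {
    $obj.GetType().InvokeMember($name, 'GetProperty', $null, $obj, $arguments)
}

function Get-MsiStoredCertificates([string]$MsiPath) {
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db   = Invoke-ComMethod $installer 'OpenDatabase' @($MsiPath, 0)   # 0 = msiOpenDatabaseModeReadOnly
    $view = Invoke-ComMethod $db 'OpenView' @('SELECT DigitalCertificate, CertData FROM MsiDigitalCertificate')
    Invoke-ComMethod $view 'Execute' $null | Out-Null
    $certs = @()
    while ($true) {
        $rec = Invoke-ComMethod $view 'Fetch' $null
        if ($null -eq $rec) { break }                       # no more rows
        $id   = Get-ComProperty $rec 'StringData' @(1)
        $size = Get-ComProperty $rec 'DataSize'   @(2)
        # Assumption: format 1 (msiReadStreamBytes) yields one char per byte
        $raw   = Invoke-ComMethod $rec 'ReadStream' @(2, $size, 1)
        $bytes = [byte[]]($raw.ToCharArray() | ForEach-Object { [int][char]$_ })
        $certs += [pscustomobject]@{
            Id          = $id
            Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        }
    }
    Invoke-ComMethod $view 'Close' $null | Out-Null
    return $certs
}

function Compare-PatchCertificate([string]$MsiPath, [string]$MspPath) {
    $sig = Get-AuthenticodeSignature -FilePath $MspPath
    if ($null -eq $sig.SignerCertificate) {
        throw "No signer certificate on '$MspPath' (status: $($sig.Status))"
    }
    $patch = $sig.SignerCertificate
    foreach ($entry in Get-MsiStoredCertificates $MsiPath) {
        $stored = $entry.Certificate
        # Exact DER comparison, which is what LUA patching actually requires
        $derMatch = [Convert]::ToBase64String($stored.RawData) -eq [Convert]::ToBase64String($patch.RawData)
        [pscustomobject]@{
            StoredId        = $entry.Id
            DerMatch        = $derMatch
            StoredDerLength = $stored.RawData.Length
            PatchDerLength  = $patch.RawData.Length
            SameSubject     = $stored.Subject -eq $patch.Subject
            SamePublicKey   = $stored.GetPublicKeyString() -eq $patch.GetPublicKeyString()
            SameSerial      = $stored.SerialNumber -eq $patch.SerialNumber
            SameThumbprint  = $stored.Thumbprint -eq $patch.Thumbprint
            StoredNotAfter  = $stored.NotAfter
            PatchNotAfter   = $patch.NotAfter
            PatchSigStatus  = $sig.Status
        }
    }
}

# Usage (paths are placeholders):
Compare-PatchCertificate -MsiPath 'C:\build\Product.msi' -MspPath 'C:\build\Update.msp' | Format-List
```

For the situation described in the post the output would show SameSubject and SamePublicKey as True but DerMatch as False, with the two DER lengths differing by the amount the installer reports; that is the condition Windows Installer rejects, regardless of the keys being identical.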

All replies