locked
Cannot update Silverlight client following code sign cert renewal RRS feed

  • Question

  • My certificate for code signing has expired so we've paid for and got a renewal.  I have used this certificate to publish a new build of the Silverlight client.  When running the client and attempting to auto update it is failing with an error:

    Cannot update application, the installed application and update candidate differ in certificate/signature state.

    I'm guessing this is down to one of two issues:

    1. We've been given a faulty certificate when renewing and something with the new one doesn't match the old one so it can't perform the update.  In which case what do we need to say to our cert supplier to get something that works?

    2. The update process will only work if signed with the same certificate and if it expires then tough, you aren't able to perform any updates any further and require an uninstall/install to use the new certificate.

    I'm hoping it's number 1 and I can get this fixed as number 2 seems like a massive hole in functionality and we'll have many annoyed customers...

    Wednesday, August 5, 2015 3:06 PM

Answers

  • Hi Duncan Watts,

    As far as I know, if the old version and new version of the XAP file are signed with the same certificate, then the application will update automatically. And in below blog, it mentioned that "Unless, that is, the original application was not signed, or was signed with a different cert. In that case, the update would fail, and you would have to uninstall and then re-install the application:". Please check whether the renewal certificate is the same with the old one.

    http://blogs.msdn.com/b/mwade/archive/2011/06/13/lightswitch-application-client-configuration-and-signing.aspx

     

    Best Regards,

    Weiwei


    • Marked as answer by Angie Xu Monday, August 17, 2015 2:31 AM
    Thursday, August 6, 2015 7:16 AM
    Moderator

All replies

  • Hi Duncan Watts,

    As far as I know, if the old version and new version of the XAP file are signed with the same certificate, then the application will update automatically. And in below blog, it mentioned that "Unless, that is, the original application was not signed, or was signed with a different cert. In that case, the update would fail, and you would have to uninstall and then re-install the application:". Please check whether the renewal certificate is the same with the old one.

    http://blogs.msdn.com/b/mwade/archive/2011/06/13/lightswitch-application-client-configuration-and-signing.aspx

     

    Best Regards,

    Weiwei


    • Marked as answer by Angie Xu Monday, August 17, 2015 2:31 AM
    Thursday, August 6, 2015 7:16 AM
    Moderator
  • It's a different certificate as the old certificate had expired.  This is the second time we've renewed this but I don't recall having this issue when renewing before.  The subject of all three certificates is identical

    There is a change in that the prior certificates were SHA1 but the new one is SHA256 as you can no longer get SHA1 based certificates.  I'm guessing this may be the cause of the failed upgrade?

    Thursday, August 6, 2015 2:32 PM
  • Hi Duncan Watts,

    >> I'm guessing this may be the cause of the failed upgrade?
    Yes, the different certificates cause of the failed upgrade. The application upgrade is based on the certificates which should be in the same. If you can't get the same certificates, I'm afraid that you would have to uninstall and then re-install the application.
     
    Best Regards,
    Weiwei

    Friday, August 7, 2015 1:53 AM
    Moderator
  • So to confirm, it is not possible to migrate from a SHA1 based code signing certificate to a SHA256 code signing certificate for an out of browser Silverlight application?  Bearing in mind that SHA1 certificates are being deprecated by Microsoft.

    I have been able to migrate between SHA1 and SHA1 certificates in the past when renewing a certificate.

    Therefore I will have no choice but to have every single instance of the application which has been installed to be manually uninstalled and reinstalled in order to perform an update of the application.

    Monday, August 24, 2015 11:58 AM
  • Hi Duncan,

    Sorry to use your post for my question but you are for me like a unicorn :) so rare to let it go away !

    I'm currently trying to sign my Silverlight App with a SHA256 certificate (I didn't signed any app before that but I need it to be able to auto update our OOB app). I followed every tutorial I found on the web but nothing works with my app. 

    I have an official certificate bought from a Verisign authority, i have all the files needed, pfx, cert... I tried the famous signtool sign command line from John Papa's tutorial but it didn't work. I found that it was because of SHA256 encryption missing argument that I had to add to my command line.

    So now, I try with that command line : signtool sign /fd SHA256 mycert.pfx /p mypassword myApp.xap

    But when executing I have a crash popup from "Authenticode" that shows every time I launch the command.

    My question is : how do you sign your application ? Directly with Visual Studio ? (right clic on project then properties, then signing) or with a command line ?

    Thanks

    Steeve

    Thursday, October 29, 2015 12:58 PM
  • Hi Steve,

    I simply used the "Sign the Xap File" option in the Signing tab in the project properties, using "Select from File" to choose my PFX file.

    Duncan

    Thursday, October 29, 2015 2:14 PM