Henk H
Posts: 27
Joined: 2022-08-03
Hi Add-in Express team,
I inherited an Add-in Express project that makes use of the automatic update functionality. We have a somewhat complicated build automation pipeline, and I neither understand all the details of what we're doing, nor how Add-in Express is working, so please bear with me if I get on the wrong track.
The update functionality is working well for us, but our EV code signing certificate is expiring and needs to be renewed. I've been told that this might pose a problem for our auto-updater, since it may lead to a match failure between the certificate that was used to sign the product currently installed with our customers, and the certificate used to sign the version_info.xml file.
Could you please advise on how to correctly perform certificate rotation without breaking the update process?
Our build pipeline looks roughly as follows:
* invoke msbuild build our solution
* use signtool to sign the built dlls
* invoke msbuild on the wixproj to build an installer
* use signtool to sign the msis
* update our adxpublisher.exe.configs for each supported language with the certificate name and certificate thumbprint of the certificate used to sign the binaries
* run adxpublisher.exe to create web installers for each supported language
Then we publish the web-installers, msis and version_info.xml to the configured location
Will this keep working when our current code signing certificate expires? Or do we need to do something to correctly transition to a new certificate?
Henk H
Posts: 27
Joined: 2022-08-03
Perhaps worth adding here, since I don't really know what gets checked on the upgrade: the new certificate is issued by the same issuer, and is signed with the same intermediate chain to the root.
Henk H
Posts: 27
Joined: 2022-08-03
Do you have any ideas on this one?
Andrei Smolin
Add-in Express team
Posts: 19169
Joined: 2006-05-11
Hello Henk,
After you change the certificate, the old versions won't run. You can publish a new version (V1) signed using the old certificate to the old location; the Installation URL should be different. Then you can sign the new version (V2) using the new certificate and publish it to the new location. In this case, the old installers will run, find V1, install it; it will find V2 and install it.
Regards from Poland (GMT+2),
Andrei Smolin
Add-in Express Team Leader
Henk H
Posts: 27
Joined: 2022-08-03
Thanks Andrei!
I'll see if this works for us. Will this have to be the procedure for every yearly certificate rotation? When we order a renewed certificate, it would then look like
1. I create a transitional installer, signed with the old certificate, identical to the last version, but with the URL set to the new location. Add this installer to the version_info.xml, sign the version_info.xml with the old certificate, and publish it to the old location.
2. If I understand correctly, at this point the new version will show as available, and customers will see an update prompt. If they use the update prompt, they will find and install the new version, identical to the previous version, but looking at the new location for version_info.xml.
3. Create the new installer, signed with the new certificate, add this version to version_info.xml, and sign that with the new certificate. This will show up as available from the transitional version created in 1.
Originally, I understood that when the version_info.xml is signed with a different certificate than the one that the installer doing the download was signed with, it would show a version mismatch. I believed this was the mechanism through which the installer avoids a MITM attack from hijacking the new version of the installer, but if I understand you correctly, this is not what happens, since for V1 to be able to download V2, it will not be signed with the same certificate. Maybe I'm misunderstanding the security model.
As a complication, at this moment our old certificate has already expired, so we won't be able to create a transitional installer signed with the old certificate that is still valid. Would there be any workaround for that?
Andrei Smolin
Add-in Express team
Posts: 19169
Joined: 2006-05-11
Hello Henk,
You create and publish installers. Until you publish the new installer, the old add-in won't notify the user.
To check if an update exists, Add-in Express uses the old certificate. When an update is being installed, it checks its own integrity and compares the certificates in version_info and adxloader.dll.manifest.
Henk H writes:
would there be any workaround for that?
Alas, uninstalling manually only.
Regards from Poland (GMT+2),
Andrei Smolin
Add-in Express Team Leader
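A pre-publish check that follows from the two points in this thread: the build pipeline in the first post signs DLLs and MSIs with signtool and then writes that certificate's thumbprint into adxpublisher.exe.config, and Andrei's reply explains that the installed add-in compares certificates between version_info and adxloader.dll.manifest. The PowerShell below is an added example, not Add-in Express code and not the poster's pipeline: it walks the signed artifacts, confirms every one carries the thumbprint the config expects, and fails the build when that certificate is close to its NotAfter date, so an expiry is noticed while the old certificate can still sign a transitional release. The artifact folder, the parameter names and the 30-day window are assumptions; the expected thumbprint is passed in because the config's format is not shown in the thread.

```powershell
# Added example: pre-publish signing consistency check.
# Not Add-in Express code; the artifact layout, parameter names and the
# 30-day warning window are assumptions made for this illustration.
param(
    # Thumbprint written into adxpublisher.exe.config (assumed to be passed in by the pipeline)
    [Parameter(Mandatory)][string]$ExpectedThumbprint,
    # Folder holding the DLLs and MSIs produced by the earlier signtool steps (assumed path)
    [string]$ArtifactRoot = '.\artifacts',
    # Fail the build when the signing certificate expires within this many days
    [int]$WarnDays = 30
)

function Test-SigningConsistency {
    param([string]$Root, [string]$Thumbprint, [int]$Days)

    $problems = @()
    $files = Get-ChildItem -Path $Root -Recurse -File -Include *.dll, *.msi, *.exe

    foreach ($file in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName

        # Unsigned or tampered artifact: never publish it.
        if ($sig.Status -ne 'Valid') {
            $problems += "$($file.FullName): signature status is $($sig.Status)"
            continue
        }

        $cert = $sig.SignerCertificate

        # Every artifact must carry the certificate named in the config;
        # a mismatch here is what breaks the updater's certificate comparison.
        # (-ne is case-insensitive in PowerShell, so thumbprint casing does not matter.)
        if ($cert.Thumbprint -ne $Thumbprint) {
            $problems += "$($file.FullName): signed with $($cert.Thumbprint), config expects $Thumbprint"
        }

        # Catch an expiring certificate before the rotation becomes an emergency.
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        if ($daysLeft -lt $Days) {
            $problems += "$($file.FullName): certificate $($cert.Thumbprint) expires in $daysLeft days ($($cert.NotAfter))"
        }
    }

    return $problems
}

$problems = Test-SigningConsistency -Root $ArtifactRoot -Thumbprint $ExpectedThumbprint -Days $WarnDays
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Error $_ }
    exit 1
}
Write-Host "All artifacts signed with $ExpectedThumbprint; certificate valid for at least $WarnDays days."
```

Run it after the two signtool steps and before adxpublisher.exe. A thumbprint mismatch means the config and the binaries disagree and the published version_info.xml would not match the installed product; an expiry warning is the signal to schedule the two-location transition Andrei describes while the old certificate is still usable.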