Jul 24 2020 08:17 AM
Let's say you create a package (1.0.0.0), sign it, and deploy it. 6 months later you create an update (2.0.0.0), keep the package name the same and use the same cert to sign it.
Then prior to the next release of your software your certificate expires, so you go out and purchase a new one, keeping the same "Subject/Publisher". And now you want to release a new version of your package. You can keep the package name the same, up the version string, and create version 3.0.0.0.
On a system with version 1 installed, if you install version 2 it updates version 1. If you then install version 2, it does not work as an upgrade; the app is installed side by side.
This is not a desired outcome, and should be addressed.
Oct 29 2020 11:34 AM
Lineage will continue if the publisher name is the same. I suspect that in your scenario the publisher field in the manifest might be different, causing an issue and change to identity. I think your feedback is there a way to keep continuity with my app in these situations? If so that is great feedback and recommend that it be added to the ideas section.
John Vintzel (@jvintzel)
Program Manager Lead, MSIX
Jul 24 2023 04:00 AM
Jul 24 2023 05:01 AM
No. The issue is that the publisher name must change in some situations. Examples include:
Subsequently, Microsoft introduced a method to support the upgrade scenario where the cert subject field changes, however this solution is often not possible. That solution requires creating and signing a new file using the old certificate. But that must be done prior to the old certificate expiring.
As the paid for certificate is only good for a year (even if you purchase a "3-year" certificate, it is actually 3 1-year certificates), you don't want to get the new certificate until the old one is about to expire, so leaving enough time to get the new cert, discover the change, and figure out how to run that process on every app needing it before expiration is a challenge. Especially when the cert CA has a glitch and takes a month to deliver the cert.
So, no, we don't have a workable solution other than to tell the users to uninstall/install.
Aug 07 2023 05:13 AM - edited Aug 07 2023 05:13 AM
This is great feedback Tim! I will get the team to investigate this.
While it is unfortunate that the public CAs changed their standards, do you think it is a frequently occurring scenario and likely to happen again?
Is it safe to say that most Developers/IT Pros using public CAs will face this issue?
Sushant Bansal (@susbansal)
Product Manager, MSIX
Aug 07 2023 07:37 AM
Aug 08 2023 02:42 AM - edited Aug 08 2023 02:42 AM
Understood - thanks for explaining!
I will create a backlog item for this, and we can pick it up if it becomes a pain point in the future.
Thanks,
Sushant Bansal (@susbansal)
Product Manager, MSIX