No Upgrade Scenario when Certificate Expires

MVP

Let's say you create a package (1.0.0.0), sign it, and deploy it. 6 months later you create an update (2.0.0.0), keep the package name the same, and use the same cert to sign it.

Then, prior to the next release of your software, your certificate expires, so you go out and purchase a new one, keeping the same "Subject/Publisher". And now you want to release a new version of your package. You can keep the package name the same, up the version string, and create version 3.0.0.0.

On a system with version 1 installed, if you install version 2 it updates version 1. If you then install version 2, it does not work as an upgrade; the app is installed side by side.

This is not a desired outcome, and should be addressed.

6 Replies

@TIMOTHY MANGAN

Lineage will continue if the publisher name is the same. I suspect that in your scenario the publisher field in the manifest might be different, causing an issue and a change to identity. I think your feedback is: is there a way to keep continuity with my app in these situations? If so, that is great feedback, and I recommend that it be added to the ideas section.

John Vintzel (@jvintzel)
Program Manager Lead, MSIX
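
A pre-release check for the situation discussed in this thread, as an added example that is not from the original posts or from Microsoft: it reads the Identity element of the shipped and the candidate AppxManifest.xml and reports whether the candidate keeps the same name and publisher with a higher version. The manifests, certificate subjects and function names are constructed for illustration, and the check assumes that any textual difference in the Publisher attribute counts as a change.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"

# Constructed sample manifest, trimmed to the Identity element.
MANIFEST = """<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="Contoso.SampleApp" Publisher="{pub}" Version="{ver}" />
</Package>"""

# Constructed subjects: the renewed certificate no longer carries L=.
OLD_SUBJECT = "CN=Contoso Ltd, O=Contoso Ltd, L=Boston, S=Massachusetts, C=US"
NEW_SUBJECT = "CN=Contoso Ltd, O=Contoso Ltd, S=Massachusetts, C=US"


def read_identity(manifest_xml):
    """Return (Name, Publisher, version tuple) from an AppxManifest.xml string."""
    ident = ET.fromstring(manifest_xml).find(NS + "Identity")
    if ident is None:
        raise ValueError("manifest has no Identity element")
    version = tuple(int(part) for part in ident.get("Version").split("."))
    return ident.get("Name"), ident.get("Publisher"), version


def predict_install(installed_xml, candidate_xml):
    """Classify what installing the candidate does next to the installed package."""
    name_a, pub_a, ver_a = read_identity(installed_xml)
    name_b, pub_b, ver_b = read_identity(candidate_xml)
    if name_a != name_b:
        return "separate package: name changed"
    if pub_a != pub_b:  # assumption: any textual difference is a change
        return "side-by-side: publisher changed"
    if ver_b <= ver_a:
        return "no upgrade: version not higher"
    return "upgrade"


def release_gate(installed_xml, candidate_xml):
    """Stop the build when the candidate would not upgrade the shipped package."""
    verdict = predict_install(installed_xml, candidate_xml)
    if verdict != "upgrade":
        raise SystemExit(f"release blocked, {verdict}")
    return verdict
```

Run as a build step against the last shipped manifest, this surfaces a changed subject on the day the renewed certificate arrives rather than after users report a second copy of the app.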

Hi Tim,

Did John's comment resolve your issue? Please let us know if you are still facing this. :)

Sushant Bansal (@susbansal)
Product Manager, MSIX

No. The issue is that the publisher name must change in some situations. Examples include:

  • My case, where the public CAs changed their standards for what goes into the subject field of the purchased public certificate, which happened to me two years in a row.
  • Mergers and Acquisitions.

Subsequently, Microsoft introduced a method to support the upgrade scenario where the cert subject field changes; however, this solution is often not possible. That solution requires creating and signing a new file using the old certificate. But that must be done prior to the old certificate expiring.

As the paid-for certificate is only good for a year (even if you purchase a "3-year" certificate, it is actually 3 1-year certificates), you don't want to get the new certificate until the old one is about to expire, so leaving enough time to get the new cert, discover the change, and figure out how to run that process on every app needing it before expiration is a challenge. Especially when the cert CA has a glitch and takes a month to deliver the cert.

So, no, we don't have a workable solution other than to tell the users to uninstall/install.

This is great feedback, Tim! I will get the team to investigate this.

While it is unfortunate that the public CAs changed their standards, do you think it is a frequently occurring scenario and likely to happen again?

Is it safe to say that most Developers/IT Pros using public CAs will face this issue?

Sushant Bansal (@susbansal)
Product Manager, MSIX

It occurred to me twice in the last three years. This year's renewal went without additional changes, so perhaps it has settled down and they won't change their standards in the future.

Understood - thanks for explaining!

I will create a backlog item for this, and we can pick it up if it becomes a pain point in the future.

Thanks,

Sushant Bansal (@susbansal)

Product Manager, MSIX