Certificate Bridging not working

[wixbot]

When testing to ensure that I can update certificates for when the old ones expire without elevating for admin access, I think I ran into a bug. No matter what I do, it always elevate on the patch that was signed by the new certificate.

In the wxs for creating MSI, I have this:

<PatchCertificates>
  <DigitalCertificate Id="MyCertificate" SourceFile="{PATH_TO_CERTIFICATE}"/>
</PatchCertificates>

I use two MSIs to create a MSP patch using "PatchCreation" (not Patch), and in the 2nd MSI, I added another DigitalCertificate entry that refers the new certificate. After creating the MSP, I verified that it contains the new certificate in the tables. It's signed with the old certificate. I was able to install this patch without being elevated for admin prompt.

However, when I create a new patch with the same approach described before, that doesn't contain the old certificate in the "PatchCertificate" element, and is signed by the new certificate that's added in the previous patch, it elevated for an admin login.

I compared my patch to ones that was created by InstallShield which works without elevating, I couldn't find any differences. Both tables contains the same entries (MSIDigitalCertificate), with the same certificate files, and signed by the same certificates with the same process. I carefully analyzed everything, and I can't figure out what's wrong. So I think this might be a bug with how WiX handles MSP.

I posted an question on Stack Overflow in hopes that maybe someone answered, it has some more details of what I've tried: http://stackoverflow.com/questions/31273553/supplying-a-new-certificate-in-wix-patch-when-old-one-expires

Originally opened by brentp

[wixbot]

It doesn't seem like it's a WiX bug but we'd need lots more detail and build and install logs to be sure. Have you tried building a .pcp with InstallShield to see if that produces the desired behavior? As you're not using pure-WiX patching, the only possibility is that WiX isn't building the .pcp file correctly. Please contact wix-users.

Release changed from v3.9 to v3.x
Resolution set to support
Status changed from Untriaged to Resolved

[wixbot]

I'm working on a sample installer that don't contain our files we're not ready to release yet, but are similar in the patch creation process. While doing so, I noticed two things:

For some reason, my process generates a new GUID for the Patch.wxs' PatchCreation Id attribute. Does patches have to have the same GUID for the Id?

The Family element contains DiskId and SequenceStart, both of which are unchanged between each patch (I have 10000 for both). Do they need to be modified/incremented for each patch?

If the above are not issues, I will post the sample msi/msp with logs, pcp, wxs, and other relevant files later when I'm done making them.

Originally posted by brentp

[wixbot]

Found the issue with my patching. For anyone who runs in similar issue, you need to have the ProductCode specified in the PatchCreation's PatchSequence element, it is the same GUID as the one used for ID of product for building MSI. I didn't have this reference, which apparently caused issues. Now it doesn't elevate for admin.

Originally posted by brentp