
How can we verify an installer’s validity by checking its signature?

Çağlar Arlı      -    58 Views

I'm working on some software that can be self-hosted, and it includes a component that can be downloaded and installed on end user machines (Windows only). The download comes from the self-hosted server, not from a central location, and that cannot change. How can we verify that the .msi the program downloads to update itself is valid? I can figure out the coding, but I don't know how to go about this from a security perspective.

Our installers are always signed by a valid code signing certificate from a trusted CA, so I could verify its validity and hardcode the valid certificate's hash into the software, but what happens when we have to renew the code signing cert? People on old versions of the software wouldn't be able to update to a version of the software whose installer was signed by a new cert because the certificate hash wouldn't match.

What is the correct way to verify our installers?

The thing I'm unsure of is verifying that the installer was actually signed by us. The installer is self-hosted and has auto-update capability, so it's possible that an end user could be pointed to an installer that was signed by someone other than us. We therefore need to verify that a) the .msi is signed with a valid signature, and b) it was signed by us and no one else. The second issue is the one I'm trying to solve.
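One way to implement both checks described in the question, as an added example (not the asker's code): on Windows the signature check is delegated to Authenticode via `Get-AuthenticodeSignature`, which answers (a), and "signed by us" (b) is answered by pinning the leaf certificate rather than trusting anything that chains to a CA. The subject DN and thumbprints below are placeholders, and the renewal problem is handled by keeping an allowlist of thumbprints instead of a single hardcoded hash.

```powershell
# Added example: verify a downloaded .msi was (a) validly Authenticode-signed and
# (b) signed by *our* certificate, not merely by any certificate Windows trusts.
# The subject DN and thumbprints are assumed placeholders, not real values.

function Test-OurInstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,

        # Exact subject DN of our code-signing certificate(s). Assumed value.
        [string] $ExpectedSubject = 'CN=Example Software Ltd, O=Example Software Ltd, L=Istanbul, C=TR',

        # SHA-1 thumbprints of leaf certificates we accept. Across a renewal, ship a
        # release (signed with the old cert) that already lists the new thumbprint,
        # so clients on that release can still verify the first update signed by the
        # new cert. Placeholder values.
        [string[]] $AllowedThumbprints = @(
            'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA',  # placeholder: current cert
            'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'   # placeholder: next cert
        )
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # (a) The signature must verify and the signer must chain to a root Windows trusts.
    #     Anything other than Valid (NotSigned, HashMismatch, UnknownError, ...) is a reject.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        return [pscustomobject]@{
            Ok     = $false
            Reason = "Signature status $($sig.Status): $($sig.StatusMessage)"
        }
    }

    $cert  = $sig.SignerCertificate
    $thumb = $cert.Thumbprint.ToUpperInvariant()

    # (b) The leaf certificate must be one of ours. A valid chain alone is not enough:
    #     any other customer of the same CA (or a cert bought under a similar name)
    #     would pass check (a), so pin the exact certificate, not the CA.
    if ($AllowedThumbprints -notcontains $thumb) {
        return [pscustomobject]@{ Ok = $false; Reason = "Unexpected signer thumbprint $thumb" }
    }

    # Belt and braces: the pinned thumbprint should also carry our subject DN.
    if ($cert.Subject -ne $ExpectedSubject) {
        return [pscustomobject]@{ Ok = $false; Reason = "Unexpected signer subject: $($cert.Subject)" }
    }

    return [pscustomobject]@{
        Ok     = $true
        Reason = "Signed by $($cert.Subject) ($thumb)"
        Signer = $cert
    }
}

# Usage: refuse to run the downloaded installer unless both checks pass.
$msi    = 'C:\Temp\update.msi'   # assumed download location
$result = Test-OurInstallerSignature -Path $msi
if (-not $result.Ok) {
    throw "Refusing to install ${msi}: $($result.Reason)"
}
Start-Process -FilePath msiexec.exe -ArgumentList '/i', "`"$msi`"", '/qn' -Wait
```

Two practical notes on the renewal question. First, because the allowlist lives in the client, the rollover is an ordering problem: publish a release that knows the next certificate's thumbprint while the current certificate is still in use, and only then start signing with the new one; clients that skipped that release will need to step through it. Second, sign with a timestamp server so that installers signed with the old certificate keep validating after it expires; otherwise older downloads still hosted on customers' servers would start failing check (a) on the expiry date.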