Background
I'm doing research for my work on determining whether WiX is a viable alternative to InstallShield. So I've been testing every scenario that our work has faced, to ensure that WiX can handle them. However, I'm stumped on one issue. When a certificate is about to expire, we'd need to create a patch that includes the new certificate and is signed by the old certificate before it expires, to allow for seamless patching without admin elevation prompts.
Problem
There isn't much documentation on the internet about how to do exactly this. I've tried adding
<DigitalCertificate Id="MyNewCertificate" SourceFile="{PATH_TO_NEW_CERTIFICATE}"/>
to the PatchCertificates element in the .wxs file used to generate the MSI files, then using the old and new MSI files to generate an MSP file. When I open the MSP file with 7zip, I can see that the new certificate is embedded in it. When I test it on a locked-down account, this patch is applied without an elevation prompt, but the next patch, which is signed by the new certificate, shows the elevation prompt.
What I've tried
I tried following the steps in https://wyrdfish.wordpress.com/2012/07/20/writing-a-parallel-update/ for creating a "parallel" update, with modifications to make it work with PatchCreation rather than Patch. I matched all the attribute changes, but it still shows the elevation prompt.
Wyrdfish commented, saying "It's fun when the certificate expires though as you need to use a hotfix to deliver the new certificate which is signed by the old certificate before it expires so you can then sign by the new certificate in future patches." in http://windows-installer-xml-wix-toolset.687559.n2.nabble.com/Require-admin-rights-to-msp-td7586837.html, but didn't provide details on how to do so. The thread is two years old, so I highly doubt I'd get a response there.
I also tried supplying the /ac parameter to signtool.exe with the new certificate, but got a cross-signing error.
What exactly am I doing wrong? In the new MSI file there are no other changes, only the new DigitalCertificate element, which is reflected in the MSP. Do I need to include some kind of file change as well? Or is the signing process the issue?
Found the issue with my patching. For anyone who runs into a similar issue: you need to have the ProductCode specified in the PatchCreation's PatchSequence element; it is the same GUID as the one used for the Id of the Product element when building the MSI. I didn't have this reference, which apparently caused issues. Now it doesn't prompt for admin elevation. Combine this with the steps in the link provided in the question, and you're set for LUA patching.
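As an added illustration (not code from the original question or answer), here is what a WiX v3 PatchCreation authoring for such a certificate-rollover patch looks like with the ProductCode wired into PatchSequence, which is the detail the answer identifies as the fix. The GUIDs, paths, family names and product names are placeholders; the old image is assumed to be the MSI whose MsiPatchCertificate table holds the expiring certificate, and the new image is assumed to be the same MSI rebuilt with the new certificate added to its PatchCertificates element, as described in the question.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not part of the original post. All GUIDs, paths and
     names below are placeholders/assumptions for illustration. -->
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
  <PatchCreation
      Id="{A1B2C3D4-0000-4000-8000-000000000001}"
      CleanWorkingFolder="yes"
      OutputPath="CertRollover.pcp"
      WholeFilesOnly="yes">

    <PatchInformation
        Description="Certificate rollover patch"
        Comments="Signed with the old certificate; carries the new one"
        Manufacturer="Example Corp" />

    <PatchMetadata
        AllowRemoval="yes"
        Description="Certificate rollover patch"
        ManufacturerName="Example Corp"
        TargetProductName="Example Product"
        MoreInfoURL="https://example.com/"
        Classification="Update"
        DisplayName="Example Product certificate rollover" />

    <!-- Old image: the MSI as currently installed (old certificate only
         in its PatchCertificates). New image: identical authoring plus a
         DigitalCertificate for the new certificate, as in the question. -->
    <Family DiskId="5000" MediaSrcProp="ExampleMedia" Name="Example" SequenceStart="5000">
      <UpgradeImage Id="NewImage" SourceFile="build\new\Product.msi">
        <TargetImage Id="OldImage" SourceFile="build\old\Product.msi"
                     Order="2" IgnoreMissingFiles="no" />
      </UpgradeImage>
    </Family>

    <PatchProperty Name="AllowProductCodeMismatches" Value="0" />
    <PatchProperty Name="AllowProductVersionMajorMismatches" Value="0" />

    <!-- The point of the answer above: ProductCode must be the same GUID
         as Product/@Id in the MSI authoring. Without it the rollover
         patch installed, but the next patch signed with the new
         certificate still prompted for elevation. -->
    <PatchSequence
        PatchFamily="ExamplePatchFamily"
        ProductCode="{B2C3D4E5-0000-4000-8000-000000000002}"
        Sequence="1.0.1.0"
        Supersede="yes" />
  </PatchCreation>
</Wix>
```

The usual flow from here is candle and light to produce the .pcp, msimsp (from the Windows SDK) to turn the .pcp into the .msp, and then signtool to sign the resulting .msp with the old certificate, for example `signtool sign /f old.pfx /p <password> /t <timestamp-url> CertRollover.msp` (file names assumed). The signer of the MSP has to match a certificate already in the installed product's MsiPatchCertificate table for the patch to install without elevation, which is why this transition patch is signed with the old certificate even though it carries the new one; patches built against the new image can then be signed with the new certificate. signtool's /ac switch adds an additional (cross) certificate to the signature block and is not a substitute for this step, which is consistent with the cross-signing error mentioned in the question.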