I have a properly signed .msi that users can download from a web server. When the user runs it, Windows gives her a warning about "Unknown Publisher". However, if she looks at the file properties ("Digital Signatures"), the proper signature and certificate are in place. The cert path is VeriSign -> VeriSign Class 3 Code Signing 2010 CA -> My Company. We expect the user to see the correct "My Company" name instead of "Unknown Publisher" in that dialog box. What is the reason for this unexpected behavior?
1 vote
I have the same problem. I have, however, noticed that if you examine the certificate via File->Properties and re-run the installer, this time the Unknown Publisher warning does not appear: you get the correct, blue dialog. I have only seen this on Windows 7. Server 2012 and Win8 behave correctly.
– perlyking
Exactly what I found! If you check the certificate through the properties of the installer, then on a subsequent run it "magically" appears to be from the correct publisher known to the CA... Unfortunately, I can confirm that this isn't the only version of Windows that exhibits the same behavior; I observe the same issue on Vista. Have you guys managed to figure this out?
– Nikolay Tsenkov
Commenting to confirm that (in Windows 7) viewing Properties on an installer works to clear the "Unknown Publisher" notice. And adding that you only have to go as far as the "Digital Signatures" pane, select the signature from the list, and press the "Details" button. You don't have to go to the next step, which would be "View Certificate" in the "Digital Signature Details" window.
– Dr Marble
1 Answer
0 votes
I solved this problem by using the /ac switch for signtool. This switch takes a path to a certificate file and allows you to add an additional certificate to the signature block of the signed file. I used "/ac AddTrustExternalCARoot.crt" to add Comodo's Root Code Signing (SHA-2) certificate to my .msi file. I tested this on Windows 7, where I was having the problem.
The /ac switch is intended for signing kernel code, but it is also what fixes this issue. You'll still need to use /f or one of the other switches to select your code signing certificate.
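The signing and verification steps the answer describes, written out as an added PowerShell example (this is not code from the original post or from any vendor). One common reason the dialog falls back to "Unknown Publisher" even though the file is correctly signed is that, at install time, Windows cannot build the full chain from the embedded certificates alone and has to fetch the intermediate or cross-certificate over the network; opening the Properties dialog triggers that chain build and caches the result, which is why the warning disappears on the next run. Embedding the extra certificate with /ac lets the chain be built offline. The file names, the .pfx password environment variable and the timestamp URL below are placeholders: substitute your own certificate file, the cross/root certificate your CA tells you to use, and the RFC 3161 timestamp service your CA publishes. signtool.exe ships with the Windows SDK and is assumed to be on PATH.

```powershell
# Added example: sign an MSI with an embedded cross-certificate, then verify the chain.
# All paths and names below are placeholders (assumptions), not values from the original post.

$Msi          = ".\Setup.msi"                    # hypothetical installer to sign
$Pfx          = ".\MyCompany.pfx"                # hypothetical code-signing cert + private key
$CrossCert    = ".\AddTrustExternalCARoot.crt"   # extra cert to embed (name taken from the answer)
$TimestampUrl = "http://timestamp.example.invalid"   # placeholder: use your CA's RFC 3161 URL
$PfxPassword  = $env:PFX_PASSWORD                # supplied via environment, never hard-coded

if (-not $PfxPassword) { throw "Set PFX_PASSWORD before running this script." }
foreach ($f in @($Msi, $Pfx, $CrossCert)) {
    if (-not (Test-Path $f)) { throw "Missing file: $f" }
}

# /f  + /p : select the signing certificate (the answer notes /ac alone is not enough)
# /ac      : embed the additional (cross/root) certificate in the signature block
# /fd      : file digest algorithm; /tr + /td: RFC 3161 timestamp and its digest algorithm
# /v       : verbose output so the chain that signtool used is printed
& signtool.exe sign /f $Pfx /p $PfxPassword /ac $CrossCert `
    /fd SHA256 /tr $TimestampUrl /td SHA256 /v $Msi
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify with the default Authenticode policy (/pa), which is what the installer prompt uses,
# and print the full chain so you can see every certificate is resolved locally.
& signtool.exe verify /pa /v $Msi
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Second opinion from PowerShell's own Authenticode check: Status should be 'Valid'
# and the SignerCertificate subject should be your company, not blank.
$sig = Get-AuthenticodeSignature -FilePath $Msi
if ($sig.Status -ne 'Valid') { throw "Authenticode status is $($sig.Status): $($sig.StatusMessage)" }
"Signed by: $($sig.SignerCertificate.Subject)"
"Issued by: $($sig.SignerCertificate.Issuer)"
```

To reproduce the original symptom before signing with /ac, test on a clean machine (or VM) that has never seen your intermediate certificate, since a machine where the chain has already been built and cached will show the correct publisher either way.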