4
votes

The vast majority of our business users run Windows 7, and our ClickOnce application installs, updates and runs as it should without any pop-up warnings.

The same application is throwing up the following on Windows 10:

Warning number one

Unknown Publisher

Of course 'More info' appears to be part of the text rather than something you can click with 'Don't run' appearing to be the only option

If you do click 'More Info' it states the publisher is unknown (although it displayed it just fine whilst updating!!!)

The Code Signing Certificate is valid and it still installs/updates and runs without warnings on Win 7 boxes.

Any ideas what they have changed now?

Thanks


4
Did you figure out what is the issue? – avs099
Yes and no. Yes, in that the exe now has to be signed as well as the manifest, and no in that I can't find the best way to do it without messing up the manifest signing. I'm assuming I need to export the certificate to a pfx file and add that to the project but can't find any documentation anywhere. There is some useful info here robindotnet.wordpress.com/2013/04/14/… robindotnet.wordpress.com/2013/02/24/… – gchq

4 Answers

1
votes

I assume you are using the Signing tab - but it only signs setup.exe - and not the actual application.exe file. This way you don't get a "warning" prompt when you install the app, but you get it when you run it. You need to sign application.exe separately - and there is no UI for that in Visual Studio; you need to use a PostBuild task: https://stackoverflow.com/a/18636102/1246870

I'm not sure why this works okay in Windows 7 - in my case Win7 did not work as well - but based on your comment, this can be the solution...

0
votes

With many thanks to avs099 - have marked that as the answer as it got me the closest so far! I ended up using BeforePublish.

Using IE11 I exported the certificate to a directory ( Internet Options > Content > Certificates > Export ), then copied and pasted it into the project. Then unloaded the project and added the following between

<Target Name="BeforePublish">
</Target>

tags

<Exec Command="&quot;C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe&quot; sign /f &quot;MyCert_2016.pfx&quot; /p &quot;MySecretPassword&quot; /t http://timestamp.comodoca.com/authenticode &quot;C:\Users\MyName\My Documents\Visual Studio 2015\Projects\MyProject\MyProject\obj\Release\My.exe&quot;" />

Then reloaded the project - published and now it runs on Windows 10 without any objections - just as well as it had gone from blue warnings to red ones :-(

Red Warning

Between the answer by avs099 and this link I made sense out of it after lots of build errors - this site was informative but placed the certificate in a full path, not relative

0
votes

For the benefit of anyone facing this in 2021:

Don't use the Comodo/Sectigo timestamp server.

My issues went away when I switched to Digicert's server (use "http://timestamp.digicert.com" instead for the Timestamp Server URL).

Alternatively, you can leave the timestamp server blank -- but without a cryptographic timestamp, your code's signature will be invalid when the certificate expires. (With a timestamp, the signature will stay valid so long as it was valid when the timestamp was created.)

More details at Sectigo timestamp server always using SHA384 instead of SHA1.

0
votes

I see you are using a sha1 certificate, and sha1 is deprecated because of these reasons. If you have a sha256 cert you can use "http://timestamp.comodoca.com/?td=sha256". See more info...
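
To confirm that the application .exe itself (not only setup.exe and the manifest) carries a valid, timestamped signature before publishing, the build output can be audited with PowerShell's Get-AuthenticodeSignature. This is an added example, not part of any post above; the default folder path and the function name Test-PublishSignature are assumptions made for illustration.

```powershell
# Added example: audit Authenticode signatures on build output before publishing.
# Assumption: $Path is the folder holding the built .exe files; adjust per project.
param(
    [string]$Path = '.\obj\Release'   # hypothetical default
)

function Test-PublishSignature {
    param([Parameter(Mandatory)][string]$File)

    $sig    = Get-AuthenticodeSignature -FilePath $File
    $signer = $sig.SignerCertificate        # $null when the file is unsigned
    $tsa    = $sig.TimeStamperCertificate   # $null when no timestamp was applied

    [pscustomobject]@{
        File             = Split-Path $File -Leaf
        Status           = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Publisher        = if ($signer) { $signer.Subject } else { $null }
        CertSignatureAlg = if ($signer) { $signer.SignatureAlgorithm.FriendlyName } else { $null }
        CertExpires      = if ($signer) { $signer.NotAfter } else { $null }
        Timestamped      = [bool]$tsa
        TimestampedBy    = if ($tsa) { $tsa.Subject } else { $null }
    }
}

$results = Get-ChildItem -Path $Path -Filter *.exe -File |
    ForEach-Object { Test-PublishSignature -File $_.FullName }

$results | Format-List

# A SHA-1 signed certificate is reported as a warning, not a failure.
$results | Where-Object { $_.CertSignatureAlg -like 'sha1*' } | ForEach-Object {
    Write-Warning "$($_.File): signing certificate uses $($_.CertSignatureAlg)"
}

# Fail when any executable is unsigned, has an invalid signature,
# or has no timestamp (its signature would lapse when the certificate expires).
$bad = @($results | Where-Object { $_.Status -ne 'Valid' -or -not $_.Timestamped })
if ($bad.Count -gt 0) {
    Write-Error ("Signature check failed for: " + ($bad.File -join ', '))
    exit 1
}
```

A Status of NotSigned on the application .exe while setup.exe reports Valid matches the situation described in the first answer.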