I just acquired an EV code signing certificate.
I use the certificate through the ClickOnce signing tab/page of my project properties (selected from store). I deploy the files on a remote public FTP, where customers can download the setup.exe
bootstrapper. This work fine, and I get a greenlight prompt when running setup.exe
, but then I get a second prompt - the Microsoft Office Customization Installer - which indicates
Publisher has been verified
but keeps showing a yellow warning shield, and the following details:
While Office customizations from the Internet can be useful, they can otentially harm your computer. If you do not trust the source, do not install this software.
How can I go green?
I did check the files from publish folder: onlysetup.exe
is seen as signed by the DigiCert Certificate Utility. Other files are either not recognized as signable (AssemblyName.vsto, and FileName.dll.manifest), or are shown as not signed (FileName.dll.deploy). I guess this is because these files are signed via the Mage ClickOnce utility, which is distinct from signtool or any Authenticode signing technology?
Does it have something to do with signing, or is it by design for Office solutions that I cannot go green unless I am in the list of trusted publishers? Like this article seems to suggest.