5
votes

I have a valid unexpired code signing certificate (standard, not EV) that I have used to sign a ClickOnce app (.NET 4.5) successfully and publish to a web server for download. When downloading this app, it shows the publisher name correctly. The problem is, after installing the code signing certificate on any other app, it shows the publisher name as "Unknown publisher" when downloading. There isn't any difference in how I'm installing the certificate and all apps get published to the same web server. When I open the .exe or manifest file when logged into the web server, it shows the publisher name correctly. Checking the "Digital Signatures" file properties shows that they are signed with the correct code signing certificate with sha256. Below are the steps I have used:

  1. Installed code signing certificate to ClickOnce app via the Signing tab and it is enabled (Visual Studio 2017 Pro).
  2. Code signing algorithm is sha256RSA with valid timestamp server (http://timestamp.comodoca.com/?td=sha256).
  3. ClickOnce app assembly is not signed.
  4. Code signing certificate has been installed on dev machine (Windows 10 Pro 1809).
  5. Code signing certificate has been installed on web server in "Trusted Root Certification Authorities" and "Intermediate Certification Authorities" (Windows 2012 R2 using IIS 8) for the "Computer account".

On a side note, I exported the code signing certificate from Internet Explorer with SHA1 and installed it to the web server afterwards. There is a known issue that when the certificate has been exported to SHA256 and trying to import it to the web server, the password for the file will always say incorrect. This happened to me, so I just imported the SHA1 version to the web server. Not sure if that would create any issues, but it is working for the one ClickOnce app OK.

Update: I noticed something peculiar if I go to the publish deployment URL and click the "Install" button. After the setup.exe has been downloaded for the ClickOnce apps with "Unknown publishers", I am presented with a more dire SmartScreen filter saying the file is not signed, but it shows the correct publisher information below it. Checking the "Digital Signatures" property for the exe shows that it is signed properly.

2
Can you share the executable? Are you saying you signed your app with a SHA-1 certificate? Those are deprecated. You might be in a situation where something signed before the deprecation date is still accepted as long as it's not expired, but something signed after the deprecation date is not accepted. – kichik

If you can't share the file, can you run signtool verify /all old.exe new.exe and post the result of that? – kichik

Thank you kichik for your responses. I ran a verify command on the setup.exe for all the apps, and each one showed a "SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider." message. I have the certificate installed on the web server and my local machine in the "Trusted Root Certification Authorities" store. – Jakal

Do you have the root certificate in the trusted store? Who exactly created your certificates? – kichik

I show the certificate installed on my local computer and web server in the "Trusted Root Certification Authorities" store. I was the one who created the certificate by using the documented process of downloading the certificate via Internet Explorer. It was issued by Sectigo RSA Code Signing CA and, looking through all of the certificate properties, it shows that it is valid. Not even sure what to try next. – Jakal

2 Answers

1
votes

My issue was caused by the publisher name not matching who my code signing certificate was issued to while having the "Use application manifest for trust information" option enabled within Visual Studio. Unchecking that option, or correcting the publisher name resolved the issue. This is further explained below:

Check whether your application manifest is being used for trust information (i.e. publisher name). If it is, make sure the Publisher name in the Description section matches who the certificate was issued to EXACTLY. If it does not match, you'll get an "unknown publisher" issue. This setting is located in Visual Studio in the "Publish" Tab. Click the "Options..." button, followed by the "Manifests" list item.


I would try unchecking the "Use application manifest for trust information" and see if that resolves the issue. If you do need the "Use application manifest" option checked, click the "Description" tab and make sure the "Publisher name" value matches the value of the name the code signing certificate is issued to EXACTLY.

Make sure publisher name matches who the code signing certificate was issued to
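The two checks this thread turns on (manifest publisher name versus the certificate's "issued to" CN, and whether the signer actually chains to a trusted root on the machine doing the check) can be scripted. This is an added example, not code from the question or either answer; the paths are placeholders for a published ClickOnce output folder, and it assumes Windows PowerShell 5.1 or later on the machine where the publish output lives.

```powershell
# Added example (not from the question or answers): check the two things that
# produced "Unknown publisher" in this thread. Paths below are placeholders.
param(
    [string]$DeploymentManifest = 'C:\publish\MyApp.application',  # placeholder
    [string]$SetupExe           = 'C:\publish\setup.exe'            # placeholder
)
$asmv2 = 'urn:schemas-microsoft-com:asm.v2'

# 1. Publisher name Visual Studio wrote into the manifest's <description>
#    element; this is what "Use application manifest for trust information"
#    exposes in the install prompt.
[xml]$manifest = Get-Content -Path $DeploymentManifest -Raw
$desc = $manifest.SelectSingleNode('//*[local-name()="description"]')
$manifestPublisher = $desc.GetAttribute('publisher', $asmv2)

# 2. Signer certificate embedded in the manifest's XML signature (KeyInfo).
$certNode = $manifest.SelectSingleNode('//*[local-name()="X509Certificate"]')
if (-not $certNode) { throw "Manifest is not signed (no X509Certificate element)." }
$certBytes = [Convert]::FromBase64String($certNode.InnerText)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certBytes)
$certCN = $cert.GetNameInfo('SimpleName', $false)   # subject CN, i.e. "issued to"

# Exact, case-sensitive comparison: ClickOnce does not normalise the name.
if ($manifestPublisher -ceq $certCN) {
    "OK: manifest publisher '$manifestPublisher' matches certificate CN."
} else {
    "MISMATCH: manifest publisher '$manifestPublisher' vs certificate CN '$certCN'."
    "Fix the Publisher name under Publish > Options > Description, or untick"
    "'Use application manifest for trust information'."
}

# 3. Does the signer chain to a trusted root on THIS machine? An untrusted root
#    is what the signtool "terminated in a root certificate which is not
#    trusted" error in the comments means, independent of the publisher name.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust check only; works offline
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { "CHAIN: $($_.Status) - $($_.StatusInformation)" }
}

# 4. Authenticode status of the bootstrapper that the Install button downloads.
$sig = Get-AuthenticodeSignature -FilePath $SetupExe
"setup.exe signature status: $($sig.Status) ($($sig.StatusMessage))"
if ($sig.SignerCertificate) {
    "setup.exe signed by CN: $($sig.SignerCertificate.GetNameInfo('SimpleName', $false))"
}
```

Run it on both the dev machine and the web server: step 3 uses each machine's own certificate stores, so a chain that builds on one and fails on the other points at the store installation rather than at the manifest.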

1
votes

I had the same issue - valid EV cert - publisher unknown at download - but install went smoothly with no Windows SmartScreen.

Changing the build tools from VS2017 to VS2019 seems to have fixed it -> happy.