Question

I have made my own CA and then a .pfx file. I am using the WiX Toolset to build the installer.

I have edited the WiX project file with the following:

<PropertyGroup>
    <SignOutput>true</SignOutput>
</PropertyGroup> 

<PropertyGroup>
    <sourceRoot>$(OutputPath)..\..</sourceRoot>
</PropertyGroup>


<Target Name="SignMsi">
     <Exec Command='"$(sourceRoot)\Keys\signtool.exe" sign /v /f "$(sourceRoot)\Keys\myCA.pfx" /t http://timestamp.verisign.com/scripts/timstamp.dll /v /d "%(SignMsi.Filename)" "@(SignMsi)"' />
</Target>

<Target Name="SignCabs">
    <Exec Command='"$(sourceRoot)\Keys\signtool.exe" sign /v /f "$(sourceRoot)\Keys\myCA.pfx" /t http://timestamp.verisign.com/scripts/timstamp.dll /v /d "%(SignCabs.Filename)" "@(SignCabs)"' />
</Target>

I then build it in Visual Studio and it builds successfully and even the signing shows success.

However, at the UAC prompt it is still publisher unknown.


Solution 2

I want to answer this question myself as I think there are some pretty huge misunderstandings here. You can make your own certificate and add it to your own store and then the UAC will be blue/green and the publisher will be shown. 100% trust. Of course the key is that the CA certificate you made has to be in the store. This is the bit that causes the problem for deployment, but I hope that if I take my certificate along to other computers I can add it to the store and then I will be shown as the publisher.

I had a few issues with my certificate which I needed to fix. I knew I had issues by using

signtool verify /v /pa mysigned.exe

This told me that things were not correct and what to fix.
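
A PowerShell cross-check of what `signtool verify /v /pa` looks at, added here as an example and not part of the answer above: it prints the Authenticode status, whether the signer certificate allows code signing, and whether the chain ends at a certificate in a trusted root store on the machine where it is run. The default file name `mysigned.exe` is taken from the command above, and skipping revocation checks is an assumption suited to a private CA.

```powershell
# Added example: diagnose why a signed installer still shows "Unknown publisher".
# Assumption: $Path is the signed file ('mysigned.exe' is the name used in the answer).
param([string]$Path = '.\mysigned.exe')

$sig = Get-AuthenticodeSignature -LiteralPath $Path
"Signature status : $($sig.Status) - $($sig.StatusMessage)"

$signer = $sig.SignerCertificate
if (-not $signer) { "No signer certificate found; the file is not signed."; return }
"Signer           : $($signer.Subject)"
"Timestamped      : $([bool]$sig.TimeStamperCertificate)"

# If the certificate has an EKU extension, it must list Code Signing (1.3.6.1.5.5.7.3.3).
$eku = $signer.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku) {
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    "Code Signing EKU : $($oids -contains '1.3.6.1.5.5.7.3.3')"
} else {
    "Code Signing EKU : no EKU extension present (usage not restricted)"
}

# Build the chain without revocation checks
# (assumption: a private CA with no CRL endpoint).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$ok = $chain.Build($signer)
"Chain builds     : $ok"
foreach ($s in $chain.ChainStatus) {
    "  chain error    : $($s.Status) - $($s.StatusInformation.Trim())"
}

# The last chain element is the root when the chain is complete.
$elements = @($chain.ChainElements)
$root = $elements[$elements.Count - 1].Certificate
"Chain ends at    : $($root.Subject)"

# The publisher is shown only if that certificate is in a trusted root store here.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    $hit = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    "In $store : $([bool]$hit)"
}
```

Run it on the build machine and on a target machine: a status of `Valid` on one and a chain error on the other points at the root store rather than at the signing step.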

OTHER TIPS

Based on the previous discussion, it looks like you are trying to sign an installer, distribute it to your users and expect the UAC to show your publisher name.

This will only work if you sign the setup package using a code signing certificate from a trusted certificate authority. You cannot use your own CA to create a certificate, because your CA is not known as trusted on your users' systems. If everyone could simply create their own CA, no one could ever have any trust in signed code. You might only see this as a method of generating revenue, but a certificate really is not that expensive (<200 USD/yr). Since it can be used for signing as much code as you want, it shouldn't be a cost issue for reputable companies.

Further reading: http://www.codeproject.com/Articles/325833/Basics-of-Signing-and-Verifying-code

I've also had this happen if the time is off on the computer. You can tell if this is the case by right-clicking to view the installer properties, and looking at the certificate. If it says the timestamp may be invalid, check the time on the computer.

Licensed under: CC-BY-SA with attribution