1

I have made my own CA and then a .pfx file. I am using the Wix Toolset to build the installer.

In the wix project file I have edited it with the following:

<PropertyGroup>
    <SignOutput>true</SignOutput>
</PropertyGroup>

<PropertyGroup>
    <sourceRoot>$(OutputPath)..\..</sourceRoot>
</PropertyGroup>

<!-- WiX runs these targets when SignOutput is true; @(SignMsi) and @(SignCabs) hold the files to sign -->
<Target Name="SignMsi">
    <Exec Command='"$(sourceRoot)\Keys\signtool.exe" sign /v /f "$(sourceRoot)\Keys\myCA.pfx" /t http://timestamp.verisign.com/scripts/timstamp.dll /d "%(SignMsi.Filename)" "@(SignMsi)"' />
</Target>

<Target Name="SignCabs">
    <Exec Command='"$(sourceRoot)\Keys\signtool.exe" sign /v /f "$(sourceRoot)\Keys\myCA.pfx" /t http://timestamp.verisign.com/scripts/timstamp.dll /d "%(SignCabs.Filename)" "@(SignCabs)"' />
</Target>

I then build it in Visual Studio and it builds successfully, and even the signing shows success.

However, at the UAC prompt it is still publisher unknown.

liserdarts
darbid
  • Did you add your own CA to the Trusted Root Certification Authorities actually? – floele Mar 29 '14 at 18:02
  • Yes I have - my CA has been added to Trusted Root Certification Authorities. But from my understanding this is not my question. Publisher and Trust are two different things. I am not asking why my UAC prompt is not showing trust, I am asking why it does not show a Publisher. – darbid Mar 29 '14 at 18:42
  • OK, does it "show trust" actually? Because if it doesn't, it won't show the publisher. – floele Mar 29 '14 at 18:46
  • No it does not show trust either. – darbid Mar 29 '14 at 18:49
  • So if you right-click the output file and select "properties", does it show the digital signatures tab and if so, what does it show? – floele Mar 29 '14 at 18:52
  • Is this an actual real verified certificate from a 3rd party such as VeriSign? If it isn't then you'll get unknown publisher. It's not signed and trusted because you say so, it goes to a 3rd party web server to verify that the cert is valid. – PhilDW Mar 29 '14 at 20:47
  • This is confusing stuff for example I read this http://stackoverflow.com/questions/7378661/how-to-get-a-trusted-verified-publisher – darbid Mar 29 '14 at 21:16
  • Phil you have an impressive profile but if servers etc were involved that would mean a computer without the internet would never install anything with UAC prompts that showed trust and a publisher, further I am part of the many who don't believe Trust=$$$ which is all MS and their partners at Verisign do. – darbid Mar 29 '14 at 21:56
  • If you use a certificate from a known trusted CA, you don't need an internet connection to verify it (the CA data is stored locally). "further I am part of the many who don't believe Trust=$$$" -> If you don't want to buy a certificate, you can't create a verified publisher setup. I believe whether or not you need it depends on how much trust your users have in you. You should read up on the basics: http://www.codeproject.com/Articles/325833/Basics-of-Signing-and-Verifying-code – floele Mar 29 '14 at 22:28

3 Answers

6

Based on the previous discussion, it looks like you are trying to sign an installer, distribute it to your users and expect the UAC to show your publisher name.

This will only work if you sign the setup package using a code signing certificate from a trusted certificate authority. You cannot use your own CA to create a certificate, because your CA is not known as trusted on your users' systems. If everyone could simply create their own CA, no one could ever have any trust in signed code. You might only see this as a method of generating revenue, but a certificate really is not that expensive (<200 USD/yr). Since it can be used for signing as much code as you want, it shouldn't be a cost issue for reputable companies.

Further reading: http://www.codeproject.com/Articles/325833/Basics-of-Signing-and-Verifying-code

floele
  • "This will only work if you sign the setup package using a code signing certificate from a trusted certificate authority" and what does this mean? It sounds like it means an Authority with some connection to Miscrosoft? It sounds like I'm mistaken in thinking that any CA certificate can be added to the operating system Certificate Store and trusted either for the user of computer and then the UAC will reflect it. – darbid Mar 30 '14 at 09:57
  • So "Unknown Publisher" means unknown publisher to Microsoft and its operating system process of registering with a recognised by MS Authority?? – darbid Mar 30 '14 at 10:01
  • In theory it should work if your CA is trusted on your computer, but I'm not sure if you did that correctly. Did you check in certmgr that your CA is in trusted root CAs? However, even if you do that, it won't help your users. "It sounds like it means an Authority with some connection to Miscrosoft?": Sort of. If you check the list in certmgr, you'll find companies like Verisign and Thawte. You need a cert from one of these trusted authorities. Google "code signing certificate" for more options buying one. In regard to your second comment: Sort of, yes. – floele Mar 30 '14 at 10:41
  • My goal is is to make my install and updates "clean" in a small office environment where I am not making any money so don't intend to spend any. My little app updates itself and all I want is that the user does see it comes from me. It seems simple enough, but people do hesitate when it says UNKNOWN PUBLISHER and it seems pretty stupid I cannot fill this with my name. So "in theory" I should be able to add my CA to any computer with certmgr into the trusted root CAs and this should do the job right? It is the case the people will trust me MORE than some MS certificate :-) – darbid Mar 30 '14 at 15:16
  • Yes, in theory that could work, but I am not sure if the UAC is interested in "custom" root certificates. Maybe there's a flag that identifies any certs added manually so prevent manipulation. I've haven't tried that yet so I can't tell you for sure whether or not it works. – floele Mar 30 '14 at 16:04
  • Success I have got it working. My Certificate was not made properly. now it is and guess what UAC trusts it and show the Publisher - of course the certificate is saved in the store. My understanding was correct my coding was not correct. – darbid Mar 30 '14 at 16:10
3

I want to answer this question myself as I think there are some pretty huge misunderstandings here. You can make your own certificate and add it to your own store and then the UAC will be blue/green and the publisher will be shown. 100% trust. Of course the key is that the CA certificate you made has to be in the store. This is the bit that causes the problem for deployment, but I hope that if I take my certificate along to other computers I can add it to the store and then I will be shown as the publisher.

I had a few issues with my certificate which I needed to fix. I knew I had issues by using

signtool verify /v /pa mysigned.exe

This told me that things were not correct and what to fix.

darbid
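An added example, not part of any answer in this thread: a PowerShell script that sets up what the two answers above describe (a private CA installed in Trusted Root Certification Authorities, and a separate leaf certificate carrying the Code Signing EKU), signs an MSI with signtool, and then runs the same `signtool verify /v /pa` check plus `Get-AuthenticodeSignature` to see exactly what UAC will see. The MSI path, subject names and output locations are placeholders; it assumes signtool.exe from the Windows SDK is on PATH, an elevated prompt for writing to the LocalMachine store, and reuses the timestamp URL from the question (it may not be reachable today).

```powershell
# Added example (not from the question or any answer). Builds a private root CA
# and a leaf code-signing certificate, trusts the CA locally, signs an MSI and
# verifies it the way UAC will. Paths, subject names and the MSI are placeholders.
$ErrorActionPreference = 'Stop'

$msi          = 'C:\build\MyApp.msi'                  # placeholder: the installer to sign
$pfxPath      = Join-Path $env:TEMP 'MyPublisher.pfx' # for the build machine / WiX SignOutput
$caCerPath    = Join-Path $env:TEMP 'MyTestCA.cer'    # public CA cert to install on other machines
$timestampUrl = 'http://timestamp.verisign.com/scripts/timstamp.dll'  # URL from the question

# 1. Private root CA: Basic Constraints ca=true and the CertSign key usage make it a CA.
$ca = New-SelfSignedCertificate -Type Custom -Subject 'CN=My Test Root CA' `
    -KeyUsage CertSign, CRLSign -KeyUsageProperty Sign -KeyLength 4096 `
    -HashAlgorithm SHA256 -KeyExportPolicy Exportable `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(10) `
    -TextExtension @('2.5.29.19={critical}{text}ca=true')

# 2. Leaf certificate issued by that CA. The Code Signing EKU (1.3.6.1.5.5.7.3.3)
#    is what signtool and UAC require; signing with the CA certificate itself
#    fails this check because a CA certificate does not carry that EKU.
$leaf = New-SelfSignedCertificate -Type Custom -Subject 'CN=My Publisher Name' `
    -Signer $ca -KeyUsage DigitalSignature -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddYears(2) `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3')

# 3. Exports: leaf + private key for a build machine (signtool /f with /p), and the
#    CA's public certificate for every machine that should display the publisher.
$pfxPassword = Read-Host -AsSecureString 'Password for the exported PFX'
Export-PfxCertificate -Cert $leaf -FilePath $pfxPath -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $ca   -FilePath $caCerPath | Out-Null

# 4. Trust the CA on this machine (LocalMachine\Root needs an elevated prompt).
Import-Certificate -FilePath $caCerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 5. Sign, selecting the leaf from the store by thumbprint (no plaintext password),
#    with a timestamp so the signature remains valid after the certificate expires.
& signtool.exe sign /v /fd SHA256 /sha1 $leaf.Thumbprint /t $timestampUrl /d 'My App' $msi
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)" }

# 6. The check from the self-answer: /pa applies the default Authenticode policy,
#    i.e. the chain must end in a trusted root and the signer must have the Code Signing EKU.
& signtool.exe verify /v /pa $msi
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed (exit code $LASTEXITCODE)" }

# 7. The same facts from PowerShell, including the fields the UAC dialog displays.
function Test-PublisherSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $ekus = $sig.SignerCertificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }
    [pscustomobject]@{
        Status         = $sig.Status                     # 'Valid' is what UAC needs to name the publisher
        Publisher      = $sig.SignerCertificate.Subject  # the name the UAC prompt shows
        Issuer         = $sig.SignerCertificate.Issuer   # must chain to a root in Trusted Root CAs
        HasCodeSignEku = ($ekus -contains '1.3.6.1.5.5.7.3.3')
        TimeStamped    = [bool]$sig.TimeStamperCertificate
    }
}
Test-PublisherSignature -Path $msi
```

If `Status` comes back as `NotTrusted`, the CA is missing from the verifying machine's Trusted Root store (the deployment problem the self-answer mentions); if it is `UnknownError` with `HasCodeSignEku` false, the certificate used for signing was not issued for code signing, which matches the "certificate was not made properly" outcome in the comments.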
0

I've also had this happen if the time is off on the computer. You can tell if this is the case by right-clicking to view the installer properties, and looking at the certificate. If it says the timestamp may be invalid, check the time on the computer.

Daniel