
I have compiled a VB6 app and I digitally sign it after compilation using a batch file containing this command:

```
signtool sign /f apt.pfx /p MyPassword d:\upload\service_pack_UK_BETA.exe
```

If I right-click the EXE I can see the digital signature in the file Properties. However if people download the file and try to run it in Windows 8 they get the message in SmartScreen that it's from an Unknown Publisher.

I have read articles such as this one http://social.msdn.microsoft.com/Forums/windows/en-US/00813d25-d258-40d8-b03a-c4468959f311/smartscreen-shows-unknown-publisher-even-though-signed-correctly-using-a-trusted-certificate?forum=winformssetup but the solution they recommend can't be achieved in VB6.

How can I sign the EXE so that SmartScreen will accept it?

Andy Groom
  • Who is the CA for your key? If the root is not trusted then it will indeed say it's "unknown". TLDR, don't self sign it. – Deanna Aug 06 '14 at 15:35
  • And is that included in the PFX? [Ours](http://www.icode.co.uk/icatcher/setup/Console.exe) is also Comodo without an issue. – Deanna Aug 06 '14 at 16:20
  • Just to clarify, are you downloading the VB6 executable directly (do you have a link?) or a setup that includes that executable? – Deanna Aug 06 '14 at 16:24
  • We have an Inno-compiled EXE which installs the product. That EXE is signed using the same certificate and runs OK in Windows 8. The "service pack" - at the moment - is a directly-downloaded VB6 EXE file rather than another Inno-compiled installer. So to answer your question it's the first thing ( http://www.andygroom.com/tcm4000aaa_service_pack_uk_beta.exe ) – Andy Groom Aug 06 '14 at 17:24
  • Unfortunately, that works fine for me on both Windows 7 and Windows 8.1 and no warnings from the SmartScreen checks. It does show your certificate name in the download window and the certificate path checks out ok (but has a different CA root to ours). – Deanna Aug 07 '14 at 07:41
  • I guess the certificate now has enough reputation to bypass the "not commonly downloaded" prompt. If your setup has been out for a bit, is there a chance that the VB exe wasn't signed correctly? – Deanna Aug 07 '14 at 07:43
  • Certainly the service pack has been available for years without a signature whereas the main installer EXE is relatively new and has always had a signature. Maybe that explains it. – Andy Groom Aug 07 '14 at 08:30
  • Either way, no longer an issue? Your method of signing the exe is fine and the same as ours (except that we specify a time stamping server) which is used for the application executables and the installer. – Deanna Aug 07 '14 at 09:30
  • Thanks for your help, I'll see if it rectifies itself, if not I'll rename the file and see if that fixes it. – Andy Groom Aug 07 '14 at 13:06
  • Have you confirmed whether it was an old or cached download yet? If so, this question should really be deleted. – Deanna Aug 12 '14 at 13:25

1 Answer


See http://blogs.msdn.com/b/vsnetsetup/archive/2013/01/09/windows-smartscreen-prevented-an-unrecognized-app-from-running-running-this-app-might-put-your-pc-at-risk.aspx, specifically the last two sentences of the post:

> Once this is done, the SmartScreen will continue to warn about the application
> until the certificate develops a reputation. But it would display a valid
> publisher name instead of unknown publisher.

SmartScreen in Windows 8 maintains a list of valid and trusted publisher certificates (as well as whether the signed files are commonly encountered). When it encounters a new publisher certificate, even when the certificate chain is good and trusted, it won't be added to the list of trusted publishers until enough hits warrant it, what Microsoft calls SmartScreen Application Reputation.

Sources:

johnwait
  • Andy's question was about the "Unknown publisher" despite being signed so this doesn't actually answer the question beyond "It should do". – Deanna Aug 08 '14 at 14:52
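
An added example, not part of the original posts: a PowerShell check of the points raised in this thread, reporting for each file whether its Authenticode signature validates, which publisher and root it chains to, and whether it carries a timestamp. The function name `Get-PublisherReport` and the download path are hypothetical, `Get-FileHash` needs PowerShell 4.0 or later, and SmartScreen reputation itself cannot be read locally.

```powershell
# Added example: report what Windows can verify locally about a signed file.
function Get-PublisherReport {                       # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) {
            Write-Warning "Not found: $file"
            continue
        }
        $sig  = Get-AuthenticodeSignature -FilePath $file
        $cert = $sig.SignerCertificate
        $report = [ordered]@{
            File        = $file
            SHA256      = (Get-FileHash -Path $file -Algorithm SHA256).Hash
            Status      = $sig.Status                # Valid, NotSigned, NotTrusted, HashMismatch, ...
            Publisher   = $null
            Root        = $null
            ChainBuilds = $false
            ChainStatus = ''
            Timestamped = [bool]$sig.TimeStamperCertificate
        }
        if ($cert) {
            # Build the chain to see which root the signer certificate leads to.
            # The chain is evaluated at the current time with revocation checks off;
            # for a timestamped file whose certificate has since expired, rely on Status.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'
            $report.ChainBuilds = $chain.Build($cert)
            $report.Publisher   = $cert.Subject
            $last = $chain.ChainElements.Count - 1
            if ($last -ge 0) {
                $report.Root = $chain.ChainElements[$last].Certificate.Subject
            }
            $report.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
        [pscustomobject]$report
    }
}

# First path is the signed build from the question; the second is a
# hypothetical location for the copy a user downloaded.
$files = 'd:\upload\service_pack_UK_BETA.exe',
         'C:\Users\me\Downloads\service_pack_UK_BETA.exe'
Get-PublisherReport -Path $files | Format-List
```

Differing SHA256 values between the two entries mean the downloaded file is not the build that was signed, and a Status of NotSigned on the downloaded copy points to an old or cached file.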