The vast majority of our business users run Windows 7, and our ClickOnce application installs, updates and runs as it should without any pop-up warnings.

The same application is throwing up the following on Windows 10

Warning number one

Unknown Publisher

Of course 'More info' appears to be part of the text rather than something you can click with 'Don't run' appearing to be the only option

If you do click 'More Info' it states the publisher is unknown (although it displayed it just fine whilst updating!!!)

The Code Signing Certificate is valid and it still installs/updates and runs without warnings on Win 7 boxes.

Any ideas what they have changed now?

Thanks

gchq
  • did you figure out what is the issue? – avs099 Sep 23 '15 at 02:51
  • Yes and no. Yes, in that the exe now has to be signed as well as the manifest, and no in that I can't find the best way to do it without messing up the manifest signing. I'm assuming I need to export the certificate to a pfx file and add that to the project but can't find any documentation anywhere. There is some useful info here https://robindotnet.wordpress.com/2013/04/14/windows-8-and-clickonce-the-definitive-answer-revisited/#comment-13006 https://robindotnet.wordpress.com/2013/02/24/windows-8-and-clickonce-the-definitive-answer-2/ – gchq Sep 23 '15 at 12:05

5 Answers

I assume you are using Signing tab - but it only signs setup.exe - and not the actual application.exe file. This way you don't get a "warning" prompt when you install the app, but you get it when you run it. You need to sign application.exe separately - and there is no UI for that in Visual Studio, you need to use PostBuild task: https://stackoverflow.com/a/18636102/1246870

I'm not sure why this works okay in Windows 7 - in my case Win7 did not work as well - but based on your comment, this can be the solution...

avs099
  • Currently it signs the manifest (which was all that Win 7 and below needed as everything in the manifest was deemed to be OK) but not the exe - so Windows 10 will allow it to be installed without any warning, but then not allow the exe to run. I'll check out your link - thank you for your reply – gchq Sep 23 '15 at 16:39
  • ah - then yes, this solution should fix your issue. – avs099 Sep 23 '15 at 18:51
  • The part I am missing is directing it to the certificate (the project uses this from the certificate store). I tried modifying the project file but just get a build error "No certificates were found that met all the given criteria" - my feeling is that I need to export the certificate to a pfx file, add that to the project then point the signtool to that but there is no clear reference anywhere - on top of that for some people it throws the toys out of the playpen on post-build, others on pre-build... Sigh.... – gchq Sep 23 '15 at 20:20
In case anyone ends up here while googling in 2022:

I renewed my certificate (SHA384) and got the same "Unknown Publisher" warning.

I tried several timestamping servers, fresh new project but ClickOnce publishing was always using sha1 digest for signing the exe, setup and manifest.

Turns out it's a bug in MSBuild < 17.0

Even the latest version of VS2019 didn't work (MSBuild 16) so I had to upgrade to VS2022 Community.

Hint: The Sectigo timestamp server http://timestamp.sectigo.com seems to work fine

Leerhuelle
With many thanks to avs099 - have marked that as the answer as it got me the closest so far! I ended up using BeforePublish.

Using IE11 I exported the certificate to a directory ( Internet Options > Content > Certificates > Export ), then copied and pasted it into the project. Then unloaded the project and added the following between

<Target Name="BeforePublish">
</Target>

tags

<Exec Command="&quot;C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe&quot; sign /f &quot;MyCert_2016.pfx&quot; /p &quot;MySecretPassword&quot; /t http://timestamp.comodoca.com/authenticode &quot;C:\Users\MyName\My Documents\Visual Studio 2015\Projects\MyProject\MyProject\obj\Release\My.exe&quot;" />

Then reloaded the project - published and now it runs on Windows 10 without any objections - just as well as it had gone from blue warnings to red ones :-(

Red Warning

Between the answer by avs099 and this link I made sense out of it after lots of build errors - this site was informative but placed the certificate in a full path, not relative

gchq
  • I'm unclear, sorry - have you got it working, or you just got red screen instead of blue? – avs099 Sep 23 '15 at 22:16
  • 1
    At the moment it's working with one of our internal apps - going to try it shortly with a customer one - just need to pick the right time in case it goes pear shaped and I have to reach for the brandy......... – gchq Sep 23 '15 at 23:12
  • 1
    Just tried it with a commercial app - and yay! So far everything is working - updated and ran in Win 10 without any pain in the rump warnings! – gchq Sep 23 '15 at 23:26
For the benefit of anyone facing this in 2021:

Don't use the Comodo/Sectigo timestamp server.

My issues went away when I switched to Digicert's server (use "http://timestamp.digicert.com" instead for the Timestamp Server URL).

Alternatively, you can leave the timestamp server blank -- but without a cryptographic timestamp, your code's signature will be invalid when the certificate expires. (With a timestamp, the signature will stay valid so long as it was valid when the timestamp was created.)

More details at Sectigo timestamp server always using SHA384 instead of SHA1.

user2006616
  • Can you clarify why using Comodo/Sectigo's timestamp server is discouraged? – Casey Mar 31 '21 at 00:16
  • Conjecture, but comodo always seems to generate a SHA384 timestamp (according to that link) which it seems ClickOnce will not work with. Digicert's server generates SHA256 timestamps, at least when Visual Studio asks! – user2006616 Mar 31 '21 at 02:10
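As an added example (not gchq's posted target and not Microsoft's own sample), the BeforePublish target from gchq's answer reworked so that the pfx path is relative to the project, the password is not committed in the .csproj, both the file digest and the timestamp digest are pinned to SHA-256 rather than left to tool or server defaults (the problem described in the 2021 and 2022 answers above), and the result is verified before publishing continues. The signtool path, the pfx file name and the SIGN_PFX_PASSWORD variable name are placeholders to adapt.

```xml
<!-- Added example, not the original poster's target. Placeholders: SignToolPath,
     MyCert_2016.pfx and the SIGN_PFX_PASSWORD environment variable. -->
<PropertyGroup>
  <!-- Placeholder: signtool.exe from whichever Windows SDK is installed on the build machine -->
  <SignToolPath>C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe</SignToolPath>
  <!-- pfx copied next to the .csproj, so the path stays relative instead of a full user-profile path -->
  <SigningPfx>$(MSBuildProjectDirectory)\MyCert_2016.pfx</SigningPfx>
  <!-- RFC 3161 timestamp server; the 2021 answer reports DigiCert's works with ClickOnce -->
  <TimestampUrl>http://timestamp.digicert.com</TimestampUrl>
  <!-- The exe that ClickOnce publishes (obj\Release\My.exe in the thread) -->
  <ClickOnceExe>$(IntermediateOutputPath)$(TargetFileName)</ClickOnceExe>
</PropertyGroup>

<Target Name="BeforePublish">
  <!-- MSBuild exposes environment variables as properties, so the pfx password
       comes from SIGN_PFX_PASSWORD and never lives in source control -->
  <Error Condition="'$(SIGN_PFX_PASSWORD)' == ''"
         Text="Set the SIGN_PFX_PASSWORD environment variable before publishing." />
  <Error Condition="!Exists('$(SigningPfx)')"
         Text="Signing certificate not found: $(SigningPfx)" />

  <!-- /fd pins the file digest to SHA-256 and /td pins the timestamp digest to SHA-256;
       /tr requests an RFC 3161 timestamp. EchoOff keeps the password out of the build log. -->
  <Exec Command="&quot;$(SignToolPath)&quot; sign /fd sha256 /f &quot;$(SigningPfx)&quot; /p &quot;$(SIGN_PFX_PASSWORD)&quot; /tr $(TimestampUrl) /td sha256 &quot;$(ClickOnceExe)&quot;"
        EchoOff="true" />

  <!-- Fail the publish if the signature does not chain to a trusted root under the
       default Authenticode policy; /v prints the hash algorithm and timestamp details -->
  <Exec Command="&quot;$(SignToolPath)&quot; verify /pa /v &quot;$(ClickOnceExe)&quot;" />
</Target>
```

Set the variable in the shell before publishing (for example `set SIGN_PFX_PASSWORD=...` in the command prompt that launches the build) and check the `Hash of file (sha256)` and timestamp lines that `signtool verify /v` prints; if the verify step fails, the publish stops before an unsigned or mis-signed exe reaches users. This only signs the exe; the manifest digest fix for MSBuild 16 described in the 2022 answer still needs the MSBuild upgrade.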
I see you are using sha1 certificate and sha1 is deprecated because of these reasons. If you have a sha256 cert you can use "http://timestamp.comodoca.com/?td=sha256". See more info...

Chris
  • The original question was asked nearly six years ago, before SHA1 was deprecated. Currently it is using sha256RSA that expires in, almost exactly, 12 months. – gchq Jul 12 '21 at 21:09