I have prepared my MSI package using Advanced Installer and then signed it using SignTool:

```
signtool sign /debug /f "cert.pfx" /fd SHA256 /p "<pass>" /t http://timestamp.comodoca.com/authenticode "<file.msi>"
```

But when another user downloads the signed MSI via a web browser and tries to install it, the following message appears:
My MSI has the following attributes:
- a digital signature, which was generated with a paid/commercial certificate (Comodo)
- a timestamp
- SHA-256 was used instead of SHA-1, because the latter is insecure in the latest Windows
So, the main question is the following:
Why doesn't Windows recognize my signed MSI as well-known, if I have signed it with a commercial code-signing certificate?
PS: If you're interested in which version of Windows is used, the answer is the latest Windows 10.
About the last option in the list, there is an interesting link; I shall quote some text from it:
Effective January 1, 2016, Windows (version 7 and higher) and Windows Server will no longer trust new code that is signed with a SHA-1 code signing certificate for Mark-of-the-Web related scenarios (e.g. files containing a digital signature) and that has been time-stamped with a value greater than January 1, 2016. This cut-off date applies to the code-signing certificate itself.
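
An added example, not part of the original post: a PowerShell check of the properties the question lists (signature status, timestamp, certificate hash algorithm) plus the Mark-of-the-Web stream the quoted policy refers to. The path `.\file.msi` and the function name `Get-MsiSignatureReport` are placeholders chosen for this example.

```powershell
# Added example (not from the original post). $MsiPath is a placeholder path.
param([string]$MsiPath = '.\file.msi')

function Get-MsiSignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    # Authenticode verification as Windows sees it (status, signer, timestamper).
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Mark-of-the-Web: browsers attach a Zone.Identifier alternate data stream on NTFS.
    $motw = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue

    # Build the signer's chain and record the signature algorithm of each certificate.
    # The quoted cut-off concerns the code-signing certificate itself, so a
    # sha1RSA value on the signer certificate is what to look for here.
    $chainInfo = @()
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        [void]$chain.Build($sig.SignerCertificate)
        $chainInfo = $chain.ChainElements | ForEach-Object {
            '{0} [{1}]' -f $_.Certificate.Subject,
                           $_.Certificate.SignatureAlgorithm.FriendlyName
        }
    }

    [pscustomobject]@{
        File            = $Path
        Status          = $sig.Status
        StatusMessage   = $sig.StatusMessage
        Signer          = $sig.SignerCertificate.Subject
        SignerCertAlg   = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
        SignerNotAfter  = $sig.SignerCertificate.NotAfter
        Timestamped     = [bool]$sig.TimeStamperCertificate
        TimestampSigner = $sig.TimeStamperCertificate.Subject
        HasMotW         = [bool]$motw
        Chain           = $chainInfo
    }
}

Get-MsiSignatureReport -Path $MsiPath | Format-List
```

`Get-AuthenticodeSignature` does not report the file digest algorithm selected with `/fd`; `signtool verify /pa /v "<file.msi>"` prints it.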