
On a WPF installer project, the build generates setup.exe and it is signed using Signtool in the PostBuildEvent. It still shows the Publisher as "Unknown" on the UAC popup at the very last step of setup.exe.

Can someone help me fix this?

Krrish
  • "Unknown" means that the publisher is not trusted. Did you add the certificate that you signed the app with to Trusted Publishers on the client machine? – mm8 Nov 19 '21 at 14:28
  • No, I did not install the certificate on the client's machine. – Krrish Nov 22 '21 at 12:38

1 Answer

MSI vs Setup.exe: You should sign the MSI file as well as the Setup.exe file.


Certificate Type: What kind of certificate are you using? I believe you need a digital code-signing certificate from a recognized issuing authority (DigiCert, Thawte, etc...).

Signtool.exe: If you have a valid certificate, are you using the /d option to the command line of signtool.exe when signing your MSI?:

`signtool.exe sign /d "Your Software Name" [other options] YourSetup.msi`

How to add publisher in Installshield 2018

Trust Yet Verify: When you have signed the file, right click it and select "Properties" to make sure the file is actually successfully signed. Look for the tab "Digital Signatures" (or equivalent in your own language):


Administrative Installation: Sometimes people forget that they have run an MSI through an administrative installation. This is essentially a file extract from the MSI resulting in a new MSI without the embedded CABs in the output location (more). This extracted MSI will not be signed - even if the original MSI was signed. This extracted source is used in many companies to keep the installation files on a network share available for repair and inspection (and during application packaging to inspect the package content - and other purposes).

Post-Processing MSI: This is actually a very common issue: you must never touch a file that has been digitally signed. If you edit it after the signature has been applied this invalidates the signature. The whole point of digital signatures is to verify that the file you look at is the one that was signed by the vendor. In other words that the file has not been changed in transit to you (tampering, malware infection, etc...). More on this important issue here (attempted humor in there). Note that the tampering might happen via automation scripts and not by manual editing, hence one must always check for this cause.

Other Issues: There are also some other possibilities. The signed file could be corrupted during download or from malware attack and such things. Far beyond the question, but just mentioned for whoever might find this.


Stein Åsmul
  • Thanks for the detailed explanation. I am using a valid code signing certificate from GoDaddy and I can see the digital signature details of the .msi and .exe under Properties. The command I use to sign is `signtool sign /td SHA512 /tr http://timestamp.digicert.com /f ApplicationSigning.pfx /p PfxPassword Setup.msi`, which outputs "Done Adding Additional Store" / "Successfully signed: Setup.msi". – Krrish Nov 22 '21 at 12:41
  • Does this mean your setup works correctly now? It is not 100% clear to me. – Stein Åsmul Nov 22 '21 at 13:04
  • No actually, still see "unknown" as publisher. I see the correct publisher name when I create ClickOnce setup. – Krrish Nov 22 '21 at 13:29
  • Did you try the `/d "Software Name"` option for the `Signtool.exe` command as shown in the answer? – Stein Åsmul Nov 22 '21 at 17:48
  • I am able to use /d. I was able to figure out where it is getting "Unknown" from. I have an x64-compatible MSI file and am using the command below to sign: `"C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86\signtool.exe" sign /tr "http://timestamp.digicert.com" /td SHA256 /f "$(ProjectDir)Cert.pfx" /p KeyCode "Project.msi"`. When I check Properties -> Digital Signatures -> Details, I see "Digital signature is not valid", and when I click "View Certificate" I get the message "the digital signature of the object did not verify". Any idea what could be causing it? – Krrish Nov 23 '21 at 08:57
  • Is it possible to see this signed file? Github? – Stein Åsmul Nov 23 '21 at 11:59
  • Thanks Stein. I was able to fix the problem. I was actually modifying the MSI file after signing it. That was breaking the digital signature. I moved that vbscript up and then signed the MSI file. This fixes the problem. – Krrish Nov 23 '21 at 12:10
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/239479/discussion-between-stein-asmul-and-krrish). – Stein Åsmul Nov 23 '21 at 12:15
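The root cause settled in the comments (an MSI edited after signing, which invalidates the Authenticode signature) is easy to prevent if the post-build script orders the steps and then checks its own result. The script below is an added example, not code from the question or the answer; the signtool path and timestamp URL are the ones quoted in the thread, while `FixupMsi.vbs`, the file names and the `PFX_PASSWORD` environment variable are assumptions to replace with your own.

```powershell
# Added example: post-build signing with the edit step BEFORE signing, then verification.
param(
    [string]$Msi         = "$PSScriptRoot\Setup.msi",
    [string]$Pfx         = "$PSScriptRoot\Cert.pfx",
    [string]$PfxPass     = $env:PFX_PASSWORD,            # keep the password out of the .csproj
    [string]$PostEdit    = "$PSScriptRoot\FixupMsi.vbs",  # hypothetical script that edits the MSI
    [string]$SignTool    = "C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86\signtool.exe",
    [string]$Timestamp   = "http://timestamp.digicert.com",
    [string]$Description = "Your Software Name"            # /d: the name UAC displays
)
$ErrorActionPreference = 'Stop'

# 1. Every modification of the MSI must happen before the signature is applied.
if (Test-Path $PostEdit) {
    & cscript.exe //nologo $PostEdit $Msi
    if ($LASTEXITCODE -ne 0) { throw "MSI post-edit failed with exit code $LASTEXITCODE" }
}

# 2. Sign with a SHA-256 file digest and an RFC 3161 timestamp so the signature
#    stays valid after the certificate expires.
& $SignTool sign /fd SHA256 /td SHA256 /tr $Timestamp /d $Description /f $Pfx /p $PfxPass $Msi
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 3. Verify the way Windows will: /pa uses the default Authenticode policy, which
#    requires a chain to a trusted root, not merely a well-formed signature.
& $SignTool verify /pa /v $Msi
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# 4. Second check from PowerShell: a status of HashMismatch is exactly the symptom of
#    a file touched after signing; anything other than Valid fails the build.
$sig = Get-AuthenticodeSignature -FilePath $Msi
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
Write-Output "Signed by $($sig.SignerCertificate.Subject)"
```

Run it as the last post-build step; because every step throws on failure, a build that produces an unsigned or tampered MSI cannot succeed silently.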