How to set the publisher name for a Windows Forms application

c# .net winforms setup-deployment
user847455 picture user847455 · Jul 29, 2011 · Viewed 40.1k times · Source

I have created the setup of a Windows Forms application. After installing this setup in Windows 7, it displays something like this:

Name: my application.exe  
Publisher: unknown publisher  
Type: application  
From: my application.exe

I want to set the publisher name. How do I set the publisher name?

Answer

Hand-E-Food picture Hand-E-Food · Jul 29, 2011

You need to digitally sign the output code. I can start you off with the article Signing and Checking Code with Authenticode.

The whole purpose of this is to guarantee your code has not been tampered with. If you purchase a code signing certificate from one of the certificate authorities, you can prevent the "do you trust this" window from appearing at all.

It's not a simple task to set up, but it can be performed with a script once it's up and going.
You won't find a simple, quick-fix answer.

Here's a cut and paste of the most relevant sections. You may need to read further to get exactly what you want.

MakeCert

Use the MakeCert test program to generate a test X.509 certificate. MakeCert performs the following tasks:

  1. Creates a public/private key pair for digital signatures and associates it with a name that you choose.
  2. Associates the key pair with a publisher's name that you choose.
  3. Creates an X.509 certificate , signed by the test root key or one you specify, that binds your name to the public part of the key pair. The certificate is output to a file, a system certificate store, or both.

MakeCert Internet Explorer 3.02 UPD Example

The following is an example that creates a certificate using the Microsoft Internet Explorer 3.02 UPD options:

MakeCert -k:c:\KeyStore\MyKey.pvk -n:CN=MySoftwareCompany Cert.cer

In this example, a certificate file called Cert.cer is created. The public part of the key pair called MyKey is bound to the publisher, MySoftwareCompany.

Cert2SPC

After you have generated a certificate, you can create an software publishing certificate with the Cert2SPC program. This program wraps multiple X.509 certificates into a PKCS #7 signed-data object. Note that this program is for test purposes only. A valid software publishing certificate is obtained from a certificate authority. Here is an example:

Cert2SPC MyCert.cer MyCert.spc

This wraps an X.509 certificate, MyCert.cer into a PKCS #7 software publishing certificate called MyCert.spc.

SignCode

The final step is to actually sign a file using the SignCode program. This program will:

  1. Create a Cryptographic Digest of the file.
  2. Sign the digest with your private key.
  3. Copy the X.509 certificates from the software publishing certificate into a new PKCS #7 signed-data object. The PKCS #7 object contains the serial numbers and issuers of the certificates used to create the signature, the certificates, and the signed digest information.
  4. Embed the object into the file.
  5. Optionally, it can add a time stamp to the file. A time stamp should always be added when signing a file. However, SignCode also has the ability to add a time stamp to a previously signed file subject to some restrictions (see the examples that follow the options table).

Once the file has been signed (assuming you have a valid certificate) and time stamped, the file can be distributed to your customers. Note that certificates generated with the test programs MakeCert and Cert2SPC are NOT valid for signing code that will be distributed to the public. Independent software vendors must obtain a certificate from GTE, VeriSign Inc., or another certification authority for signing code that will be distributed to the public.

SignCode Examples for Internet Explorer 3.02 UPD

Here are two examples of how to sign and time stamp a file using the Microsoft Internet Explorer 3.02 UPD options. The first uses a private-key name MyKey and the second uses a private-key file My.pvk:

SignCode -prog MyControl.exe -spc Cert.spc -pvk MyKey -timeStamper http://timestamp.verisign.com/scripts/timstamp.dll
SignCode -prog MyControl.exe -spc Cert.spc -pvk My.pvk -timeStamper http://timestamp.verisign.com/scripts/timstamp.dll

Note In the URL above, timstamp.dll is correct. This is not a typographical error.

In both cases a PKCS #7 object, Cert.spc, is embedded into the digest of the file, MyControl.exe. In the first example, the digest is signed with the private key of the MyKey key pair, and a time stamp is added. In the second example, the digest is signed with the private-key file My.pvk, and a time stamp is added.

Related questions

How do I make a textbox that only accepts numbers?

I have a windows forms app with a textbox control that I want to only accept integer values. In the past I've done this kind of validation by overloading the KeyPress event and just removing characters which didn't fit the …

Read More
How do I update the GUI from another thread?

Which is the simplest way to update a Label from another Thread? I have a Form running on thread1, and from that I'm starting another thread (thread2). While thread2 is processing some files I would like to update a Label …

Read More
Get current folder path

I want to create a program that converts files. I would like the user to be able to place the executable file in any directory, and when executing that program (double-clicking on the .exe) I want the program to process …

Read More