Publisher Unknown after successfully running signTool

Kris · Jun 18, 2012 · Viewed 13.6k times

I'm trying to create a test certificate and sign a .MSI file I have created. I need to get the test version working with a signed .MSI before we can purchase a real security certificate.

I have performed the following steps to sign my .MSI file. Everything completes successfully and it displays a message that 1 file was successfully signed after the last step.

makecert.exe -sv c:\Test\mykey.pvk -n "CN=WTS" c:\Test\myCert.cer

cert2spc.exe c:\Test\mycert.cer c:\Test\mycert.spc

pvk2pfx -pvk c:\Test\mykey.pvk -pi password -spc c:\Test\mycert.spc -pfx c:\Test\mycert.pfx -po password

signTool sign /f c:\Test\mycert.pfx /p password /v c:\Test\test.msi

After performing these steps, I run the .MSI file (the date modified for the .MSI does change to match the time the signTool step was run). The warning message saying this .MSI is from an unknown publisher is still displayed, as is "Publisher: Unknown".

Did I miss a step or something? Everything seems to work correctly, I never see any errors, but my file doesn't appear to be signed.

Answer

Jirka Hanika · Jun 18, 2012

Your file is signed. Windows declares the publisher as unknown because it does not trust the publisher identification in the signature.

Remember that in the world of digital signatures, you always need to verify at least two things at once or the whole exercise is meaningless. You must check the name on the signature, and you also need to find a trust link from something that you already trust (for example, a certification authority, or a certificate manually added as trusted) up to the signature that you are checking. Only then does it make sense to trust the name on the signature, and perhaps to display it to the operating system user.

In your web browser, go to Tools / Internet Options / Content / Publishers / Certificates and add your test certificate to Trusted Publishers.

(Another browser might have the same function under Settings / Show Advanced Settings / HTTPS/SSL / Manage Certificates.)

And retry. It won't work, but I don't really know why, and it is an instructive game.

It is not clear whether there is a way on Windows to establish a chain of trust if your certificate is home-made and there is no certification authority to back it. This source says:

"If you use a test (self-created) certificate, the installation dialogs will display an "Unknown publisher" message. For applications deployed internally in an organization, this is an acceptable practice."

You can however create your own certification authority as described here and add the CA certificate under the Trusted Root Certification Authorities. By doing this you are basically letting any certificate issued by that CA sign anything and be trusted by Windows.
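The private-CA approach from the last paragraph, carried through end to end as an added example (this is not code from the question or the answer): it builds a test CA, issues a code-signing certificate from it, signs the MSI, and checks the Authenticode status before and after the CA root is trusted. It assumes the PKI cmdlets shipped with Windows 10 / Server 2016 or later, uses Set-AuthenticodeSignature in place of signtool, and the paths and subject names are assumptions (C:\Test\test.msi is taken from the question).

```powershell
# Added example: private test CA -> chained code-signing cert -> sign -> verify.
# Paths and subject names are assumptions; C:\Test\test.msi is from the question.
$msi = 'C:\Test\test.msi'

# 1. Private test CA (self-signed, CA=true). Kept in the current user's store only.
$ca = New-SelfSignedCertificate -Subject 'CN=WTS Test CA' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsage CertSign, CRLSign `
    -TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=0') `
    -NotAfter (Get-Date).AddYears(5)

# 2. Code-signing leaf certificate issued by (chained to) that CA.
$signer = New-SelfSignedCertificate -Subject 'CN=WTS' -Type CodeSigningCert `
    -Signer $ca -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddYears(1)

# 3. Sign the MSI (Set-AuthenticodeSignature stands in for signtool here).
Set-AuthenticodeSignature -FilePath $msi -Certificate $signer | Out-Null

# 4. Before trusting the root: the signature is present and names CN=WTS, but the
#    chain ends in a root Windows does not trust, so the installer shows
#    "Unknown publisher". The Status/StatusMessage say exactly that.
$before = Get-AuthenticodeSignature -FilePath $msi
'Before: Status={0}; Signer={1}; {2}' -f $before.Status,
    $before.SignerCertificate.Subject, $before.StatusMessage

# 5. Trust the CA root for this user only (Cert:\LocalMachine\Root would trust it
#    for everyone and needs admin rights). From now on every certificate this CA
#    ever issues is trusted on this machine, so its private key must stay locked down.
$cerPath = 'C:\Test\wts-test-ca.cer'
Export-Certificate -Cert $ca -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null

# 6. After trusting the root: same signature, now with a complete chain of trust.
$after = Get-AuthenticodeSignature -FilePath $msi
'After:  Status={0}; Signer={1}' -f $after.Status, $after.SignerCertificate.Subject
if ($after.Status -ne 'Valid') {
    throw "Signature still not trusted: $($after.StatusMessage)"
}
```

Windows asks for confirmation before adding a certificate to the current user's Root store; the same trust can be pushed to domain machines with Group Policy instead of the browser dialog mentioned above.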