BNewell
Level 3

Test digital signature isn't recognized in Vista?

Hello,

I've generated a test certification using the steps at http://msdn.microsoft.com/en-us/library/bb172338(VS.85).aspx, and am now trying to get Vista to stop displaying the "An unidentified program wants access to your computer" message.

I have tried both manually signing all of the cabs, MSI, and EXEs, as well as using the Release Wizard to input the signature. Either process seems to generate the expected result: files with what appears to be a correct digital signature when I look at their properties under Vista. Verifying the files with signtool from the Platform SDK also works as expected.

The fun begins when I try to test them on a Vista test machine. I have imported the test certificate to the Trusted Root Certification Authorities using certmgr.msc, and the signatures show up in the file properties of all of the installer files. However, whenever I run setup.exe, I get the previously mentioned error. It seems that Vista isn't recognizing the digital signature. Has anybody encountered this before, or have any suggestions as to how to track down the problem?

-Ben
Roman1
Level 9

Hello,
I use the original Verisign spc and pvk files for signing my setup.

The publisher is not being shown in the Vista UAC window:
"Unknown publisher"
But the certificate is marked as OK.

If I sign setup.exe outside of dev using the SignCode.exe wizard,
Vista displays the publisher correctly.

It must be a bug within isDev. Perhaps some parameters
in the call to SignCode are not correct.
MichaelU
Level 12 Flexeran

Test certificates yield packages which can be verified as signed, but are not trusted because the certificate chain isn't trusted. A package which is not trusted due to any of no signature, invalid signature, or untrusted certificate, will receive the "Unknown publisher" message.

I don't know what is wrong with the scenario Roman1 is describing; I haven't seen this, and am certain I've seen similar scenarios work both with IS12 and IS2008. It might be useful to compare the extended digital signature properties in explorer between the two signing methods looking for a difference.
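The difference between "verified as signed" and "trusted" described in the reply above can be inspected directly on the test machine. The following PowerShell sketch is an added example, not part of any post in this thread; the function name `Test-SignerTrust` and the default path `.\setup.exe` are assumptions. It reports the Authenticode status, the chain-building result, and whether the certificate at the end of the chain is present in the current-user and local-machine Trusted Root stores.

```powershell
# Added diagnostic example; not from the thread. The path is a placeholder.
param([string]$Path = '.\setup.exe')

function Test-SignerTrust {
    param([Parameter(Mandatory = $true)][string]$FilePath)

    # Any status other than Valid means Windows did not accept the signature;
    # StatusMessage carries the reason (no signature, bad hash, untrusted chain).
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    $report = @{
        File = $FilePath; Status = $sig.Status; Message = $sig.StatusMessage
        Signer = $null; ChainBuilt = $false; ChainErrors = @()
        ChainEnd = $null; InUserRoot = $false; InMachineRoot = $false
    }
    if ($null -eq $sig.SignerCertificate) { return New-Object psobject -Property $report }
    $report.Signer = $sig.SignerCertificate.Subject

    # Build the chain explicitly so every failing element is listed.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Test certificates usually have no reachable revocation endpoint.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $report.ChainBuilt  = $chain.Build($sig.SignerCertificate)
    $report.ChainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # The last element is the root, or the highest certificate found when
    # the chain is incomplete.
    $end = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $report.ChainEnd = $end.Subject

    # Look for that certificate in both Trusted Root stores.
    foreach ($loc in 'CurrentUser', 'LocalMachine') {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', $loc
        $store.Open('ReadOnly')
        $hit = $store.Certificates.Find('FindByThumbprint', $end.Thumbprint, $false).Count -gt 0
        $store.Close()
        if ($loc -eq 'CurrentUser') { $report.InUserRoot = $hit } else { $report.InMachineRoot = $hit }
    }
    return New-Object psobject -Property $report
}

Test-SignerTrust -FilePath $Path | Format-List
```

Running it against the same file signed by each method gives a field-by-field comparison of the two results.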
BNewell
Level 3

First, thank you for the response!

You say that a test certificate will show up as "Unknown Publisher". Is that true even if I add my certificate to the Trusted Root Certificate Authorities?

If so, that introduces a new conundrum for me, as I need the installer to be trusted (on a test machine only) for Games For Windows testing, before we certify it.

-Ben
MichaelU
Level 12 Flexeran

I'm not 100% certain. I suspect installing the certificate itself in the trusted list will result in it being trusted despite being under the test root. If so, this certificate's signatures can then be valid on that machine.
BNewell
Level 3

That's what I thought as well, but it doesn't seem to work. We're getting our key soon, so I'll revisit this when that arrives. Hopefully, this will just start working once I'm actually using a real CA, although I would have loved to have gotten a test implementation running first.

Thanks for the help.

-Ben