Publisher Unknown after successfully running signTool

I'm trying to create a test certificate and sign a .MSI file I have created. I need to get the test version working with a signed .MSI before we can purchase a real security certificate.

I have performed the following steps to sign my .MSI file. Everything completes successfully and it displays a message that 1 file was successfully signed after the last step.

makecert.exe -sv c:\Test\mykey.pvk -n "CN=WTS" c:\Test\myCert.cer

cert2spc.exe c:\Test\mycert.cer c:\Test\mycert.spc

pvk2pfx -pvk c:\Test\mykey.pvk -pi password -spc c:\Test\mycert.spc -pfx c:\Test\mycert.pfx -po password

signTool sign /f c:\Test\mycert.pfx /p password /v c:\Test\test.msi

After performing these steps, I run the .MSI file (the date modified for the .MSI does change to match the time the signTool step was run). The warning message saying this .MSI is from an unknown publisher is still displayed, as is "Publisher: Unknown".

Did I miss a step or something? Everything seems to work correctly, I never see any errors, but my file doesn't appear to be signed.

Kris asked Jun 18 '12 19:06


3 Answers

Your file is signed. Windows declares the publisher as unknown because it does not trust the publisher identification in the signature.

Remember that in the world of digital signatures, you always need to verify at least two things at once or the whole exercise is meaningless. You must check the name on the signature, and you also need to find a trust link from something that you already trust (for example, a certification authority, or a certificate manually added as trusted) up to the signature that you are checking. Only then does it make sense to trust the name on the signature, and perhaps to display it to the operating system user.

In your web browser, go to Tools / Internet Options / Content / Publishers / Certificates and add your test certificate to Trusted Publishers.

(Another browser might have the same function under Settings / Show Advanced Settings / HTTPS/SSL / Manage Certificates.)

And retry. It won't work but I don't really know why and it is an instructive game.

It is not clear whether there is a way on Windows to establish a chain of trust if your certificate is home-made and there is no certification authority to back it. This source says:

"If you use a test (self-created) certificate, the installation dialogs will display an "Unknown publisher" message. For applications deployed internally in an organization, this is an acceptable practice."

You can however create your own certification authority as described here and add the CA certificate under the Trusted Root Certification Authorities. By doing this you are basically letting any certificate issued by that CA sign anything and be trusted by Windows.

Jirka Hanika answered Nov 10 '22 11:11


This can also happen if you have not used the switch "/d" to specify a description when signing the package. See more details under "sign Command Options" on this page: http://msdn.microsoft.com/en-us/library/8s9b9yaz.aspx

Bogdan Mitrache answered Nov 10 '22 11:11


I had the same problem and found that Microsoft no longer trusts certificates with the "sha 1" algorithm.

I solved the problem by asking my CA to replace the certificate.

Yoram answered Nov 10 '22 11:11
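The following is an added example, not code from the question or any of the answers. It puts the first answer's suggestion (create your own CA, put its certificate under Trusted Root Certification Authorities, and have it issue the signing certificate) and the third answer's point (use SHA-256 rather than SHA-1) into one PowerShell script using the built-in PKI cmdlets instead of makecert/cert2spc/pvk2pfx. The subject names, the file paths (C:\Test\test.msi, C:\Test\wts-test-root.cer) and the validity periods are assumptions; it needs an elevated PowerShell 5.1 or later session on Windows 10 / Server 2016 or newer, where New-SelfSignedCertificate supports -Signer and -TextExtension.

```powershell
# Added example (not from the question or answers): build a private CA, trust it,
# issue a code-signing certificate from it, sign the MSI and verify the chain.
# All names and paths below are assumptions for illustration.

$ErrorActionPreference = 'Stop'
$msi = 'C:\Test\test.msi'

# 1. A self-signed root with the basicConstraints CA flag set (SHA-256, RSA 2048).
$ca = New-SelfSignedCertificate `
    -Subject 'CN=WTS Test Root CA' `
    -KeyExportPolicy Exportable `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyLength 2048 -HashAlgorithm SHA256 `
    -TextExtension @('2.5.29.19={text}CA=true&pathlength=0') `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddYears(5)

# 2. Trust the root: export only the public certificate (no private key) and
#    import it into the machine's Trusted Root Certification Authorities store.
$caPub = 'C:\Test\wts-test-root.cer'
Export-Certificate -Cert $ca -FilePath $caPub | Out-Null
Import-Certificate -FilePath $caPub -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 3. Issue the leaf code-signing certificate from that CA (issued, not self-signed,
#    so Windows can walk the chain from the MSI signature up to the trusted root).
$leaf = New-SelfSignedCertificate `
    -Type CodeSigningCert `
    -Subject 'CN=WTS' `
    -Signer $ca `
    -KeyLength 2048 -HashAlgorithm SHA256 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddYears(1)

# 4. Sign the MSI with a SHA-256 file digest (the counterpart of
#    "signtool sign /fd SHA256 /f cert.pfx /p password file.msi").
Set-AuthenticodeSignature -FilePath $msi -Certificate $leaf -HashAlgorithm SHA256 | Out-Null

# 5. Verify the way Windows will: the signature itself, and the chain to a trusted root.
$check = Get-AuthenticodeSignature -FilePath $msi
"Status              : $($check.Status)"   # Valid; UnknownError/NotTrusted means the root is not trusted
"Signer              : $($check.SignerCertificate.Subject)"
# Algorithm the CA used to sign the leaf certificate; sha1RSA here is what the third answer hit.
"Cert signature alg. : $($check.SignerCertificate.SignatureAlgorithm.FriendlyName)"

# Explain any chain failure instead of just seeing "Unknown publisher".
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # a private CA publishes no CRL
if (-not $chain.Build($check.SignerCertificate)) {
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) - $($_.StatusInformation)" }
}
```

Only the root's public certificate goes into Trusted Root; the CA private key stays in the user's store and should be kept offline once the leaf is issued. If the leaf is later exported to a PFX, the original signtool command from the question works unchanged apart from adding /fd SHA256, and "signtool verify /pa /v file.msi" gives the same chain check as step 5.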