Why would a digitally signed executable be treated as unsigned until viewing certificate details

I'm getting a very odd result when running an executable that has been digitally signed.

The executable was signed using signtool.exe using a proper level 2 code signing certificate (not self-generated).

Testing on a Windows 7 machine, if I launch the signed executable, I get the Windows warning dialog saying Publisher Unknown (i.e. not signed).

However, if I then cancel and right-click on the executable and go to Properties -> Digital Signatures, the Signature list shows the signed certificate, which I can then click on and choose "Details" to view the details of the signature, which is shown as "The digital signature is OK".

At that point, if I launch the executable, now all of a sudden Windows properly recognizes that the executable is signed and reports the correct "Verified Publisher".

It seems like maybe Windows wasn't checking the certificate online until I went to view the actual certificate details from the properties dialog of the executable (note that it wasn't just a delay after launching the executable; it doesn't matter how long I wait or how many times I launch it, it treats it as unsigned until I go into Properties / Digital Signatures of the file).

This is a generic Windows 7 install I use for testing; it hasn't been modified or tweaked in any way.

This behavior seems to defeat the main purpose of code signing on Windows: how can it be that the executable is treated as unsigned unless the user knows to go into the right-click properties and dig around for a certificate?

Is there something I'm missing? Some way to mark the executable as one that Windows should actively go check the certificate of when executed?

user534043 asked Dec 07 '10 18:12




1 Answer

Most likely OCSP revocation couldn't be checked automatically for whatever reason (connectivity problems etc.). You need to perform the tests on more systems in order to narrow down the problem.

Eugene Mayevski 'Callback answered Sep 21 '22 00:09

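One way to narrow this down from the command line, as an added example that is not part of the question or the answer: read the Authenticode signature with Get-AuthenticodeSignature, then build the signer's chain with online revocation checking for the whole chain, which surfaces OCSP/CRL retrieval failures that the Properties dialog hides. The executable path is an assumed placeholder.

```powershell
# Added diagnostic script (not from the original post). $Path is a placeholder
# for the signed executable under test; it works on Windows PowerShell 2.0+.
param([string]$Path = 'C:\path\to\signed.exe')

# Step 1: does the file carry a valid Authenticode signature at all?
$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status : $($sig.Status)  ($($sig.StatusMessage))"
if ($null -eq $sig.SignerCertificate) {
    "No signer certificate found; nothing further to check."
    return
}
"Signer           : $($sig.SignerCertificate.Subject)"
"Issuer           : $($sig.SignerCertificate.Issuer)"
"Valid            : $($sig.SignerCertificate.NotBefore) -> $($sig.SignerCertificate.NotAfter)"

# Step 2: build the chain the way a launch-time check does, with revocation
# fetched online for every certificate. RevocationStatusUnknown or
# OfflineRevocation here points at OCSP/CRL reachability, not at the file.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag =
    [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

$ok = $chain.Build($sig.SignerCertificate)
"Chain builds with online revocation: $ok"
foreach ($s in $chain.ChainStatus) {
    "  problem: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim()
}
"Chain elements (leaf first):"
foreach ($e in $chain.ChainElements) {
    "  " + $e.Certificate.Subject
}
```

Run it on the machine that shows "Publisher Unknown" and on one that does not; a chain that builds on one host but reports RevocationStatusUnknown on the other confirms the revocation-lookup explanation rather than a defect in the signature itself.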