I always use Inno Setup for packaging and publishing. Users download the application using a link, for example: https://oursite.com/codesigned/mysetup.exe
Until now, it always worked. But recently I had to renew my code signing certificate because it expired. After the renewal I have a SmartScreen problem: every user who downloads the application gets this SmartScreen warning, which was not there before.
I have used signtool.exe verify /pa innosetup-made-myexe.exe and it shows successful. I have also done the verification with Windows Application Certification Kit, which shows it PASSED, but with WARNINGS, and those WARNINGS are mostly generated by Inno Setup.
Here you can find the output, where it's showing WARNINGS on Inno Setup exes:
https://docs.google.com/document/d/11frW_GxI0xSVcrAXh4_rqcKBQSaermAlpYKj4xzQi4o/pub
How can I fix this problem?
(Still not sure if it's a Standard Code Signing vs. EV code signing issue. I have already used Standard Code Signing for a few years, and it always worked. I can upgrade to EV code signing, but how can I make sure it's not an Inno Setup compiler problem? As you can see, the WARNINGS shown at the URL above are attributed to Inno Setup.)
To verify if it's an Inno Setup or code signing issue (see https://stackoverflow.com/a/29067585/285594), I have done the following:
From Microsoft, I have downloaded the file called winqual.exe, which does not need Inno Setup.
I code signed the winqual.exe and uploaded it to my same server.
I downloaded the same file with Internet Explorer and it works without showing me the SmartScreen.
Does it make any sense now if Inno Setup is the main cause of this problem?
Nowadays, you have to use EV code signing certificates.
See Transferring Microsoft SmartScreen reputation to renewed certificate.
Below is the original answer, which addresses some specifics of the question.
If you believe the problem is due to an unsigned uninstaller, make sure you set the SignTool directive of your Inno Setup project accordingly. And make sure SignedUninstaller directive has its default value yes.
Quoting SignTool directive documentation:
Specifies the name and parameters of the Sign Tool to be used to digitally sign Setup (and Uninstall if SignedUninstaller is set to yes). When Setup has a valid digital signature, users will not see an "unidentified program" warning when launching it.
If you want to set the NXCOMPAT and DYNAMICBASE flags on the uninstaller, you can create a sign.bat batch file that calls both editbin.exe and signtool.exe:
@echo off
rem Set the PE flags first; changing the file after signing invalidates the signature
editbin.exe /NXCOMPAT /DYNAMICBASE %1
rem Sign last (signing parameters are elided here)
signtool.exe sign ... %1
The calls need to be in this order, otherwise editbin.exe breaks the signature.
Then use the sign.bat instead of signtool.exe in the SignTool directive.
Though I do not really think this is necessary, nor helps anything.
I think this is normal behavior.
When your software collects enough "likes" = downloads or installs, SmartScreen will automatically turn off this message.
It is a really annoying feature because with every software release you need to wait an appropriate time while the software becomes "popular" and is recognized as safe (no certificates or antivirus methods can solve it).
You do NOT need this "Windows Application Certification Kit".
What @slappy says is correct:
After renewal of your certificate, you need enough downloads and "good reviews" before this message goes away.
What you need to do is to download your application using Microsoft Edge (not Chrome or Firefox!!!).
It will most likely say "This download may be dangerous and has been blocked".
Then you can choose "Keep anyways". And then you can choose "Report as Secure".
And THEN even Smart Screen says that it doesn't trust your app (even though it's digitally signed, LOL!!!!), then you have to choose "More..." and "Install anyways".
Install it on your computer! I think that is important.
I have used 5 different computers and reported my apps as secure multiple times and installed it.
I have also asked 2 friends (because of their different IP address) to do the same.
I hate this so much!!!!!!!!!!
After 1 day, the error message was gone.
I have made free software and converted it into an NSIS installer. But the issue is that when users download the setup.exe, they first get a Chrome warning that the file is not commonly downloaded and is dangerous, with a keep button hidden under an arrow button.
Even if they choose to keep the file, when opening the installer, the Windows SmartScreen shows up, warning the users again.
Is there a way I can get past these two for free? I mean I don't charge my users anything.
I only know a way to bypass the download warning. However it is not the prettiest solution, but I am currently using this while researching other possibilities.
My way to bypass the SmartScreen download filter is to bundle your setup.exe into a .zip for instance and then download the zip file instead and then the users can run the setup.exe from within. After some testing and feedback, most of our users don't notice this small extra step.
When they run the setup, you need to have signed the installer using a valid certificate for the Windows warning to go away. Here I have not found any clever ways to avoid this. So you need to pay some certificate authority to create a valid certificate for your software.
Hope this answers your question.
Here is my dilemma: I am trying to perform Application Whitelisting based off of publisher, which in turn is based on whether or not the application has been signed. The issue is, unsigned software does not have a publisher listed. My idea was to then vet unsigned software and, if approved for use, we could sign it with our internal code signing certificate.
I tested this process out using Microsoft's signtool and it seemed to work, but here is the issue. When I tested it out I did it on an installer.exe; after that I installed the application, which then created a folder in Program Files with the other installed .exes that came with it. When I check the signature of the .exes that were installed in Program Files, it says that they are unsigned! I know I could go and run the same command on those to sign them, but that is not feasible if we were to deploy this to numerous end systems.
My question is: Is there a way to sign the installer so that, when installing it, the .exes that are installed will also be signed by our internal certificate? Or is there a way to install the application and sign the necessary files and then repackage it for deployment? Sorry for the long question, but I can't think of a way to get this done, and I figure since Application Whitelisting is hot right now someone must have had a similar issue. Also, I know that we can use Path or Hash but that is not what I am trying to do here.
Thanks
First of all, I don't recommend signing vendor code with your corporate signature. I'm not sure if you are doing that or not but if you are, I'd suggest being careful. Unless you know exactly what's in the code, signing someone else's code is just not a good idea.
You are correct that the exes from the installer are unsigned; that's how the process works. When you sign an executable, you are only signing that exe and not the content of the cab file it extracts and lays down.
I use McAfee Application Control with signed installers, and that works out well. I trust my company's signature as an updater (allows it to change files), and it installs the software as desired without signing each executable.
So, let's go through the questions (sorry if this is long).
Is there a way to sign the installer and sign its subordinate exes? Not that I know of. Files are signed individually. You could probably automate that somehow; that's for a different thread. I'm no expert on signatures but in my experience when I've signed an installer that hasn't recursed into the installed content.
Is there a way to install the application and sign the necessary files and then repackage it for deployment? Technically possible. Keep in mind that if you repackage a vendor install, you lose support on the install. There are several snapshotting tools out there that would do a delta on what was installed and would let you gather that info and then sign the files. That's an application packaging question on how to create the install from a snapshot.
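Because files are signed individually, a publisher-based allowlisting rollout can start with an inventory of which installed binaries carry no embedded signature. The following Python code is an added example, not code from this thread: inspect_pe, unsigned_files and sample_pe are hypothetical names, and the sample header is constructed. It only checks that a PE certificate table is present (it does not validate the signature, and catalog-signed files report as having none), and it also reports the NXCOMPAT and DYNAMICBASE bits that the sign.bat answer earlier on this page sets with editbin.exe.

```python
import struct
from pathlib import Path

DYNAMIC_BASE, NX_COMPAT = 0x0040, 0x0100   # IMAGE_DLLCHARACTERISTICS_* bits

def inspect_pe(data):
    """Return header facts for a PE image, or None if data is not a PE header."""
    try:
        if data[:2] != b"MZ":
            return None
        pe = struct.unpack_from("<I", data, 0x3C)[0]         # e_lfanew
        if data[pe:pe + 4] != b"PE\0\0":
            return None
        opt = pe + 24                                        # PE signature + COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
            return None
        flags = struct.unpack_from("<H", data, opt + 70)[0]  # DllCharacteristics
        dirs = opt + (96 if magic == 0x10B else 112)         # start of data directories
        count = struct.unpack_from("<I", data, dirs - 4)[0]  # NumberOfRvaAndSizes
        # Directory 4 is the Certificate Table: (file offset, size).
        off, size = struct.unpack_from("<II", data, dirs + 32) if count > 4 else (0, 0)
    except struct.error:                                     # truncated header
        return None
    return {"embedded_signature": off != 0 and size != 0,
            "nxcompat": bool(flags & NX_COMPAT),
            "dynamicbase": bool(flags & DYNAMIC_BASE)}

def unsigned_files(root):
    """PE files under root that carry no embedded Authenticode signature."""
    found = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in {".exe", ".dll", ".sys"}:
            with path.open("rb") as fh:
                info = inspect_pe(fh.read(65536))            # headers sit at the start
            if info and not info["embedded_signature"]:
                found.append(str(path))
    return found

def sample_pe(flags=0, cert=(0, 0)):
    """Constructed PE32+ header for the demo; not a loadable program."""
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    struct.pack_into("<H", opt, 70, flags)
    struct.pack_into("<I", opt, 108, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 32, *cert)            # Certificate Table entry
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    return b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    import sys
    for name in unsigned_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("no embedded signature:", name)
```

Run it against the installed application's folder; files it lists still need signtool verify /pa or a catalog lookup before you conclude they are untrusted.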
I'm unclear how a driver should be signed in my specific circumstances.
OpenVPN has a tap driver that consists of tap0901.sys, tap0901.cat and OemWin2k.inf files.
When I install it using "devcon install OemWin2k.inf tap0901" on my win7 64-bit, it installs silently, without scary warnings.
I renamed the driver to have a different name ogtap100 (by renaming files to ogtap100.sys, ogtap100.cat and replacing "tap0901" strings in OemWin2k.inf to "ogtap100", as per http://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers and comments in OemWin2k.inf).
However, when I run "devcon install OemWin2k.inf ogtap100" on the renamed driver, I get a big scary warning from Windows that the driver comes from an unknown source. It'll install, but I plan to ship it as part of my app, so a big scary warning is not good.
When I run "signtool verify /v ogtap100.cat", I get: "SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider." even though it also says that root certificate is "Issued to: DigiCert High Assurance EV Root CA".
I've tried re-signing (signtool sign /f cert.pfx ogtap100.cat) with my own certificate (which works when signing regular .exe files) but I get the same scary warning.
What am I missing?
Can it be something to do with the catalog (.cat) file?
I've read http://msdn.microsoft.com/en-us/windows/hardware/gg463050 but it assumes that I'll generate the .cat file myself. I already have a .cat file from OpenVPN. Do I have to re-generate it after renaming the files and OemWin2k.inf? If yes, how?
1) Did you ensure that you got the high assurance digicert certificate? The standard one they issue isn't meant for drivers. It is simple to change...
https://www.digicert.com/code-signing/driver-signing-in-windows-using-signtool.htm
2) If you download the Windows 7 DDK and do a little 'reading the intent and the code' as opposed to just following the instructions, you can succeed at building your own driver (cat and sys files), properly renamed and signed.
https://community.openvpn.net/openvpn/wiki/BuildingTapWindows
Look at the OemWin2k.inf generated for some strong hints for renaming. Note: The Time stamp needs to be correct, and it is in (the ridiculous) mm/dd/yyyy format.
3) As for the warning message, at least you can get it to properly display your company name, and Windows will accept (and not disable) the properly signed driver.
For details about driver signing, check out
https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/0b00c9d4-dff9-4fbe-b741-768c9b39349c/practical-windows-code-and-driver-signing-discussion?forum=wdk
This is a summary that points to some reference docs. Generating the .cat file from the inf is simple.
Check out the syntax and order of operation. I'm also using a Digicert certificate. Make sure you have one issued for driver signing, and pay attention to make sure the cross certificate is correct.
The build script uses the inf2cat method, so if you are following the WHOLE instructions (and searching for the stuff in the settings that the inf didn't tell you about ... look for constants) then you are generating the .cat file.
For my install, I figured that the .sys file should be signed before generating the .cat and signing it.
Also, make sure your PC has all the Windows updates. This actually did work to 'fix' a PC that had the same error signature. (It didn't have the required certificate to validate the cross certificate, which it automatically downloaded.)
I try to sign my setup.exe like this:
signtool sign /a setup.exe
The signing succeeded and verified OK, but when I start the setup, it recognises that the content changed, and it says: "The setup is corrupted...". I tried this with two different install makers (Smart Installer, Actual Installer).
Edit: With Actual Installer, there is a solution: "To avoid this issue, please go to General-Graphics page and uncheck 'Custom Icon' checkbox."
I had the same problem. S.I.M. seems to do some checksum not only on the compressed data but on the whole file, so it can't be signed; even the last version, v5.0.4, is unable to be signed. The developers of that tool don't seem to care about it: the last update was in 2011, and they don't answer support communications from licensed customers asking about this topic. I think only the sales system works well because it is automatic; it seems like a project that is on auto-pilot, with no humans behind it.
So buying S.I.M. means getting stuck with no signing.
I have made an application for Windows, and every time I run the application by opening the executable file I get the "Publisher Unverified" warning in Windows. It would be fine if I was the only audience for this app, but that's not the case. Is there any way to program my app such that this message does not show up for the users?
The only way to do this is to obtain and use a code signing certificate from a trusted source. Microsoft calls this Authenticode.
Unfortunately for the little guy, these cost. Verisign sells theirs for about four hundie a year.
Here are some starting points you should read about Authenticode:
http://msdn.microsoft.com/en-us/library/ms537359(VS.85).aspx
http://technet.microsoft.com/en-us/library/cc750035.aspx
http://msdn.microsoft.com/en-us/library/aa379872(VS.85).aspx
Some certificate dealers:
http://www.verisign.com
http://www.thawte.com
http://www.globalsign.net
http://www.geotrust.com
For a cheaper code signing certificate, you can use Comodo. There is a reseller called KSoftware which sells their certificates for $99/yr:
http://www.ksoftware.net/code_signing.html
I used them a few years ago and had no problems.
You can then use SignTool from the .net SDK to sign your EXE files. There is a tutorial here:
http://www.tech-pro.net/code-signing-for-developers.html
I think there is a way to resolve this. We need to add digital signature to the executables. The way to add digital signatures is very nicely outlined at,
http://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/
http://blog.didierstevens.com/2008/12/31/howto-add-a-digital-signature-to-executables/
Basically we will use OpenSSL to create our own digital signatures and then use the SignTool application by Microsoft to add it to our executable.