UAC shows unknown publisher first few times for signed file - code-signing

I've digitally signed my exe with a StartCom code signing cert.
However, when I download it, the first couple of times I try to run the exe on a clean Win7 box, I see an "unknown" publisher. After a while, when I try to run the same exe, I see my publisher details correctly.
Any idea what's going on here and how to resolve it?

Related

Code Signing with a Certum certificate

I want to sign a static .exe build of one of my Open Source programs so that it will be executable in a "normal" manner to a "normal" Windows user.
I bought an Open Source Code Signing Certificate from certum.eu to be able to do this.
After some searching on the internet, I tried to sign the exe file using osslsigncode 1.7.1 on my Linux machine using
osslsigncode sign -pkcs12 cert.p12 -pass "..." -h sha2 -t http://timestamp.verisign.com/scripts/timstamp.dll -in some.exe -out some-signed.exe
Having somebody test it on Windows 10, a rough warning pops up: "Windows protected your PC. Windows SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk."
So I tried to use the native Windows tool signtool.exe to sign it. I installed it in my old virtual Windows XP (where I also compiled the program; I don't have access to any other Windows machine) and signed the exe file with
"C:\Programme\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe" sign /f C:\cert.p12 /p "..." /t http://timestamp.verisign.com/scripts/timstamp.dll C:\some.exe
This tool also said everything was okay, but still, the very same warning pops up.
This way, the certificate is simply useless, as the "signed" exe file does produce the very same warning as the unsigned one. I would greatly appreciate help about this.
Short answer: Wait a couple of days and the problem will disappear.
I had the same issue with my Certum certificate earlier this year. And a few years ago, I had a commercial certificate I got from Comodo and it initially had the same issue as well.
The bottom line is that your new certificate and signed binaries need some time to gain trust and be auto-verified by Microsoft's code-signing reputation service.
Start distributing your signed exe to as many PCs as you can and use the "advanced" option to force the exe to run anyway. That might help bump the reputation up faster.

Microsoft SmartScreen - suspended using Inno Setup installer?

I always use Inno Setup for packaging and publishing. Users download the application using a link for example: https://oursite.com/codesigned/mysetup.exe
Until now, it always worked. But recently I had to renew my code signing certificate because it expired. After the renewal I have a SmartScreen problem: every user who downloads the application gets this SmartScreen warning, which was not the case before.
I have used signtool.exe verify /pa innosetup-made-myexe.exe and it shows successful; I have also done the verification with the Windows Application Certification Kit, which shows it PASSED, but with WARNINGS, and all those WARNINGS are mostly generated by Inno Setup.
Here you can find the output, where its showing WARNINGS on Inno Setup exes:
https://docs.google.com/document/d/11frW_GxI0xSVcrAXh4_rqcKBQSaermAlpYKj4xzQi4o/pub
How can I fix this problem?
(I'm still not sure if it's a Standard Code Signing vs. EV Code Signing issue. I have already used Standard Code Signing for a few years, and it always worked. I can upgrade to EV Code Signing, but how can I make sure it's not an Inno Setup compiler problem? As you can see, the WARNINGS shown in the URL above point to Inno Setup.)
To verify whether it's an Inno Setup or a code signing issue (see https://stackoverflow.com/a/29067585/285594), I have done the following:
From Microsoft, I downloaded the file called winqual.exe, which does not need Inno Setup.
I code signed the winqual.exe and uploaded to my same server
I downloaded the same file with Internet Explorer and it works without showing me the SmartScreen.
Does it make any sense now if Inno Setup is the main cause of this problem?
Nowadays, you have to use EV code signing certificates.
See Transferring Microsoft SmartScreen reputation to renewed certificate.
Below is the original answer, which addresses some specifics of the question.
If you believe the problem is due to an unsigned uninstaller, make sure you set the SignTool directive of your Inno Setup project accordingly. And make sure SignedUninstaller directive has its default value yes.
Quoting SignTool directive documentation:
Specifies the name and parameters of the Sign Tool to be used to digitally sign Setup (and Uninstall if SignedUninstaller is set to yes). When Setup has a valid digital signature, users will not see an "unidentified program" warning when launching it.
If you want to set the NXCOMPAT and DYNAMICBASE flags on the uninstaller, you can create a sign.bat batch file that calls both editbin.exe and signtool.exe:
@echo off
editbin.exe /NXCOMPAT /DYNAMICBASE %1
signtool.exe sign ... %1
The calls need to be in this order, otherwise the editbin.exe breaks the signature.
Then use the sign.bat instead of signtool.exe in the SignTool directive.
Though I do not really think this is necessary, nor helps anything.
I think this is normal behavior.
When your software collects enough "likes" (downloads or installs), SmartScreen will automatically turn off this message.
It is a really annoying feature, because with every software release you need to wait an appropriate time while the software becomes "popular" and is recognized as safe (no certificates or antivirus methods can solve it).
You do NOT need this "Windows Application Certification Kit".
What #slappy says is correct:
After renewal of your certificate, you need enough downloads and "good reviews" before this message goes away.
What you need to do is to download your application using Microsoft Edge (not Chrome or Firefox!!!).
It will most likely say "This download may be dangerous and has been blocked".
Then you can choose "Keep anyways". And then you can choose "Report as Secure".
And THEN, even if SmartScreen says that it doesn't trust your app (even though it's digitally signed, LOL!!!!), you have to choose "More..." and "Install anyway".
Install it on your computer! I think that is important.
I have used 5 different computers and reported my apps as secure multiple times and installed it.
I have also asked 2 friends (because of their different IP address) to do the same.
I hate this so much!!!!!!!!!!
After 1 day, the error message was gone.

VB6 Digitally-Signed EXE appears as Unknown Publisher in Windows 8 SmartScreen

I have compiled a VB6 app and I digitally sign it after compilation using a batch file containing this command:
signtool sign /f apt.pfx /p MyPassword d:\upload\service_pack_UK_BETA.exe
If I right-click the EXE I can see the digital signature in the file Properties. However if people download the file and try to run it in Windows 8 they get the message in SmartScreen that it's from an Unknown Publisher.
I have read articles such as this one http://social.msdn.microsoft.com/Forums/windows/en-US/00813d25-d258-40d8-b03a-c4468959f311/smartscreen-shows-unknown-publisher-even-though-signed-correctly-using-a-trusted-certificate?forum=winformssetup but the solution they recommend can't be achieved in VB6.
How can I sign the EXE so that SmartScreen will accept it?
See http://blogs.msdn.com/b/vsnetsetup/archive/2013/01/09/windows-smartscreen-prevented-an-unrecognized-app-from-running-running-this-app-might-put-your-pc-at-risk.aspx, specifically the last two sentences of the post
Once this is done, the SmartScreen will continue to warn about the application
until the certificate develops a reputation. But it would display a valid
publisher name instead of unknown publisher.
SmartScreen in Windows 8 maintains a list of valid and trusted publisher certificates (as well as whether the signed files are commonly encountered). When it encounters a new publisher certificate, even when the certificate chain is good and trusted, it won't be added to the list of trusted publishers until enough hits warrant it, what Microsoft calls SmartScreen Application Reputation.
Sources:
http://ie.microsoft.com/testdrive/Browser/DownloadReputation/?o=1
http://blogs.msdn.com/b/ie/archive/2011/03/22/smartscreen-174-application-reputation-building-reputation.aspx
http://blogs.msdn.com/b/ie/archive/2012/08/14/microsoft-smartscreen-amp-extended-validation-ev-code-signing-certificates.aspx (mentions SmartScreen Application Reputation)

Best Code Signing Practice

I have acquired and deployed a digital code signing certificate. I have added it to the installation program for a Windows application, signing the InstallShield setup.exe file and the msi file. Everything works perfectly in the installation program.
My application is installed as a single exe file along with a compiled HTML help file.
Is the best practice to digitally sign the exe file in addition to the Windows installation program?
Yes. You should sign the executable as well.
You should also ensure you use a time-stamp server if possible when signing too. Thus users of your application know the code came from a valid source, and the certificate was valid when it was signed. (The time-stamping means users can check the signing is valid after the expiry date of your certificate - i.e. the signature will be valid for all time.)

Unidentified Publisher on a signed setup executable during install with Vista

I have a setup executable which I have signed with a Verisign cert. The executable displays the correct publisher information during installation with XP and Win7, but on Vista it displays it as "Unidentified Publisher". I've checked each and every individual file that gets put into the msi and the executable manually using the Properties menu to verify that those files are signed, and they are indeed signed with a signer and timestamp BUT not an email. (Is there a tool that does this?).
If I run the msi contained inside the executable, and cancel the installation before it is complete. Then when I run the SAME setup executable that was complaining about Unidentified Publisher again, it displays the correct publisher information.
Does anyone have a suggestion on how I may solve this problem? I am aware of the bug with windows installer on Vista for uninstalls, but this is an install.
What tool are you using to sign the package? Is it SignTool.exe? If so, are you getting the certificate from a path specified on your machine, or have you specified that SignTool.exe should get it from the store?
The recommended method is to import the certificate in the store and then ask for SignTool to use it from there.
This problem appeared for me only if the SignTool.exe used was from Windows SDK v.7.0 or later.
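As an added example (not code from this thread or from any of the tools it mentions), the following Python parser answers the "Is there a tool that does this?" question in part: it locates the Authenticode signature table embedded in a PE file so a batch of files can be checked for a missing signature. It reads only the PE headers, at the offsets given by the PE/COFF specification, and does not validate the PKCS#7 blob or its chain; a present blob is also no indication of SmartScreen reputation, which is the thread's recurring point. The sample PE is constructed inline and is not executable.

```python
import struct

# Layout constants from the PE/COFF specification.
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data-directory slot that points at the signature table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate holds a PKCS#7 SignedData (Authenticode)


def find_authenticode(pe):
    """Return (file_offset, size) of the WIN_CERTIFICATE table, or None if the PE carries none."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == PE32_MAGIC:
        n_dirs_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        n_dirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (n_dirs,) = struct.unpack_from("<I", pe, opt + n_dirs_off)
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    # Unlike every other directory, the security entry stores a raw file offset, not an RVA.
    off, size = struct.unpack_from("<II", pe, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return (off, size) if off and size else None


def describe_signature(pe):
    """Summarise the embedded signature table; says nothing about validity or reputation."""
    entry = find_authenticode(pe)
    if entry is None:
        return {"signed": False}
    off, size = entry
    length, revision, cert_type = struct.unpack_from("<IHH", pe, off)  # WIN_CERTIFICATE header
    if length > size or off + length > len(pe):
        raise ValueError("WIN_CERTIFICATE length runs past the security directory")
    return {"signed": True, "revision": revision,
            "pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA, "blob_len": length - 8}


def build_sample_pe(pkcs7=b""):
    """Constructed, non-executable PE32+ skeleton used only to exercise the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew: PE header right after DOS stub
    opt_size = 112 + 16 * 8                                     # PE32+ fixed part plus 16 directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    hdr_len = 64 + 4 + 20 + opt_size
    cert = b""
    if pkcs7:  # append a WIN_CERTIFICATE (rev 2, PKCS#7) and point the security directory at it
        cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, hdr_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert
```

Run describe_signature over the bytes of each shipped file (setup.exe, the msi-extracted payload, the application exe) to spot anything that left the build unsigned; validating the signature itself is still signtool verify's job.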
