Reputation: 20464
I have spent 3 days reading and testing to understand a little what the hell all this about digital signatures and code signing is, why it exists and how to sign my app... (I still haven't learned it 100%)
Well, today I made my own certificate and digital signature, but when I try to open the compiled application on another machine, like a virtual machine (VBOX) with Win7, I still get this warning for shared devices (I mean network devices, you know, the shared folder of the virtual machine).
The warning says my digital signature is invalid, I don't know why!
Can't a free digital signature be validated?
This is how I did my certificate from commandline:
makecert -r -pe -a sha1 -n "CN=%Name%" -b "%InitialDate%" -e "%ExpireDate%" -$ individual -sr LocalMachine -ss my -cy authority -# "%SerialNumber%" "%Name%.cer"
And this is how I signed my framework 4 application:
SignTool sign /f "%Name%.pfx" /p "%Password%" Application.exe
Also I've added my cert in the signing tab of my project, but I still get the warning screen from Windows...
Why does the OS show that warning screen when I try to run my NON-malicious app on another machine?
What am I missing?
PS: I know how to bypass the warning screen by setting the IE options, but this is not a solution for other people.
Upvotes: 3
Views: 1743
Reputation: 11549
It is because you are signing the code with your own non-genuine certificate. Code signing certificates must be issued by a legal trusted publisher like Thawte, VeriSign, GlobalSign etc... Otherwise you need to distribute your own certificate in your own way and ask users to import the certificate as a trusted one. Legal certificates are often distributed by Windows Update automatically.
Upvotes: 3
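The trust check and certificate import described in the answer above, as an added PowerShell example (not part of the original posts): it reports why Windows rejects the signature by building the signer's certificate chain, and with `-Trust` imports the publisher's certificate on that machine. The file names and the `-Trust` switch are assumptions, and the signer is assumed to be a single self-signed certificate as in the question; the .NET certificate classes are used so the script does not depend on the PKI module.

```powershell
# Added example. Default paths are placeholders (assumptions), not values from the post.
param(
    [string]$ExePath = '.\Application.exe',   # signed binary to inspect
    [string]$CerPath = '.\MyCert.cer',        # public certificate exported by the publisher
    [switch]$Trust                            # import the certificate (needs an elevated prompt)
)

function Get-ChainProblems {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # A self-signed certificate publishes no CRL, so skip revocation to isolate trust errors.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($Cert)
    # An empty result means the chain ends in a root this machine already trusts.
    $chain.ChainStatus | ForEach-Object { $_.Status.ToString() }
}

function Add-ToStore {
    param($Cert, [string]$StoreName)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($Cert) } finally { $store.Close() }
}

$sig = Get-AuthenticodeSignature -FilePath $ExePath
"Signature status : $($sig.Status) - $($sig.StatusMessage)"
if ($sig.SignerCertificate) {
    "Signer           : $($sig.SignerCertificate.Subject)"
    "Chain problems   : $((Get-ChainProblems $sig.SignerCertificate) -join ', ')"
}

if ($Trust) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2((Resolve-Path $CerPath).Path)
    # Only import a certificate whose thumbprint matches the one that signed the file.
    if ($sig.SignerCertificate -and $cert.Thumbprint -ne $sig.SignerCertificate.Thumbprint) {
        throw "Certificate $CerPath did not sign $ExePath"
    }
    Add-ToStore $cert 'Root'              # Trusted Root Certification Authorities
    Add-ToStore $cert 'TrustedPublisher'  # Trusted Publishers
    "After import     : $((Get-AuthenticodeSignature -FilePath $ExePath).Status)"
}
```

Run it first without `-Trust` on the machine that shows the warning to see the reported chain status, then again with `-Trust` from an elevated prompt.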