dan

Reputation: 515

signed/verified .exe gives unknown publisher

Visual Basic Express 2008, developed vb.net database app. on Win7 x64 PC.

I changed build config. manager to platform: x86, so the .exe runs on both x86 and x64 machines. Last answer here: Setting 32-bit x86 build target in Visual C# 2008 Express Edition?

Purchased MS Authenticode cert. from Symantec/Verisign, received cert, installed in browser. Exported cert. from browser to .pfx. In VS properties/signing tab, checked "sign the assembly", then navigated to the .pfx.

after a build, used signtool to sign the .exe

signtool.exe sign /ac "c:\users\me\desktop\debugv6\winCert.cer" /s MY /t  http://timestamp.verisign.com/scripts/timestamp.dll /n "Our Company Inc." /v c:\users\me\desktop\debugv6\db.exe

The following certificate was selected:
Issued to: Our Company Inc.
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires:   7/31/2014 6:59:59 PM
SHA1 hash: xxlongStringxx

Done Adding Additional Store

Attempting to sign: c:\users\me\desktop\debugv6\db.exe
Successfully signed and timestamped: c:\users\me\desktop\debugv6\db.exe

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

then used signtool to verify

signtool.exe verify /pa /v c:\users\me\desktop\debugv6\db.exe

Verifying: c:\users\me\desktop\debugv6\db.exe
SHA1 hash of file: xxlongStringxx
Signing Certificate Chain:
    Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
    Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
    Expires:   7/16/2036 6:59:59 PM
    SHA1 hash: xxlongStringxx

        Issued to: VeriSign Class 3 Code Signing 2010 CA
        Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
        Expires:   2/7/2020 6:59:59 PM
        SHA1 hash: xxlongStringxx

            Issued to: Our Company Inc.
            Issued by: VeriSign Class 3 Code Signing 2010 CA
            Expires:   7/31/2014 6:59:59 PM
            SHA1 hash: xxlongStringxx

The signature is timestamped: 7/31/2013 4:18:46 PM
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   12/31/2020 6:59:59 PM
    SHA1 hash: xxlongStringxx

        Issued to: Symantec Time Stamping Services CA - G2
        Issued by: Thawte Timestamping CA
        Expires:   12/30/2020 6:59:59 PM
        SHA1 hash: xxlongStringxx

            Issued to: Symantec Time Stamping Services Signer - G4
            Issued by: Symantec Time Stamping Services CA - G2
            Expires:   12/29/2020 6:59:59 PM
            SHA1 hash: xxlongStringxx

Successfully verified: c:\users\me\desktop\debugv6\db.exe

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

problem

When launching the .exe from WinXP 32-bit systems I get Publisher: Our Company Inc. Great. But when launching from some Win7 x64 machines, I get publisher: Unknown.

Anyone have this prob. before?

Thanks!

Upvotes: 1

Views: 2532

Answers (1)

Alexander Traud

Reputation: 46

Short answer
VeriSign has two† paths for their current code-signing certificates. One uses the G5 as root. The other one (more compatible) uses G5 as intermediate. The solution is not only to add the secondary intermediate (as you did already) but the primary intermediate as well: Download.

Long answer

Check the certificate store on the problematic machine(s) whether you find your root (VeriSign G5), for example with Start » Execute » mmc.exe » Menu File » Add Snap-in » Certificates (Computer, Local) » Add » Trusted Third Party Certificates. If not present, I am aware of these five alternative solutions:

Alternative A (on problematic machine)

  1. download ‘VeriSign Class 3 Primary CA - G5’ (root)
  2. in Windows, double-click on it and
  3. at the bottom of its properties, click on ‘install certificate’

Alternative B (on problematic machine)

  1. download the latest ‘Update for Root Certificates’ (KB931125) which
  2. requires you to pass the Genuine Windows Validation
    (which installs several new roots, including ‘VeriSign Class 3 Public PCA – G5’)

Alternative C (on problematic machine; only Windows XP)

  1. open the Windows Update-Website and
  2. do not choose Express but select Custom
  3. install all optional updates (which installs the ‘Update for Root Certificates’)

The user might have turned off automatic root certificate updates. In Windows XP, this can be controlled via Start » Control Panel » Software » Windows Components » Update Root Certificates. Or (in Windows XP, Windows Vista, and Windows 7) via mmc.exe » Menu File » Add Snap-in » Group Policy Object (Local) » Add » Local Computer Policy » Administrative Templates (optionally: Menu » Action » Add Templates » Add » system » Open » Close ») System » Internet » Internet » Turn off Automatic Root Certificate Update.

Alternative D

    as intermediate certificate, use an older ‘VeriSign Class 3 Code Signing 2010 CA’
    Expires: Wed Jan 01 19:59:59 2014
    SHA1 hash: 14FCF0BB187D563B568EEA5FC888A53D288698D6
    (this intermediate links to ‘Class 3 Public Primary Certification Authority’ directly without G5)

Alternative E

    see the short answer. VeriSign does the same with SSL/TLS. Therefore for more details, have a look at this explanation …

† Actually there are three paths: G5 CA as root, G5 CA as intermediate, and the old 2010 CA. G5 CA as root is the problematic path.

Examples (signed according to alternative E) are Adobe Reader (currently v11.0.0.5) and Apple AirPort Utility (currently v5.6.1). By the way, there are similar guides for browser plug-ins and kernel code drivers.

Upvotes: 3
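
The answer's point about the two paths, as an added example that is not part of the original question or answer: a simplified, name-only model of path building (no signature, expiry or revocation checks) showing why a file carrying only the secondary intermediate resolves to "Unknown" on a machine without the G5 root, and why also embedding the primary intermediate fixes it. The machine store contents and the function names are constructed assumptions.

```python
# Simplified model of certificate path building: subject/issuer names only.
# Store contents below are constructed for illustration.
G5 = "VeriSign Class 3 Public Primary Certification Authority - G5"
OLD_ROOT = "Class 3 Public Primary Certification Authority"
CA2010 = "VeriSign Class 3 Code Signing 2010 CA"
LEAF = "Our Company Inc."

# (subject, issuer) pairs
SIGNER = (LEAF, CA2010)
SECONDARY = (CA2010, G5)      # the intermediate already added with /ac
PRIMARY = (G5, OLD_ROOT)      # G5 used as an intermediate instead of a root

# Constructed machine root stores (assumption, not taken from the page).
MACHINE_WITH_G5 = {G5, OLD_ROOT}
MACHINE_WITHOUT_G5 = {OLD_ROOT}


def build_path(leaf, embedded, trusted_roots):
    """Return subjects from leaf to a locally trusted root, or None."""
    def walk(cert, seen):
        subject, issuer = cert
        if issuer in trusted_roots:          # path ends in the local root store
            return [subject, issuer]
        for cand in embedded:                # otherwise try embedded issuers
            if cand[0] == issuer and cand not in seen:
                rest = walk(cand, seen | {cand})
                if rest:
                    return [subject] + rest
        return None                          # dead end: no trusted anchor
    return walk(leaf, frozenset([leaf]))


def publisher(embedded, trusted_roots):
    """What the launch prompt would show under this model."""
    return LEAF if build_path(SIGNER, embedded, trusted_roots) else "Unknown"


if __name__ == "__main__":
    for name, roots in (("with G5 root", MACHINE_WITH_G5),
                        ("without G5 root", MACHINE_WITHOUT_G5)):
        print(name, "| secondary only:", publisher([SECONDARY], roots))
        print(name, "| secondary + primary:",
              publisher([SECONDARY, PRIMARY], roots))
```
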
