Joe Strout

Reputation: 2741

Why can't Windows find the issuer of my certificate?

I'm trying to code-sign my Windows app (built on a Mac with Unity) for the first time. I've used osslsigncode with my private key and a developer certificate issued by Apple (which I realize is unusual, but I don't see why it shouldn't work).

The resulting executable is clearly signed, but it still throws the scary "Unknown Publisher" warning when the user launches it. Digging into the file properties shows a signature, but says "The certificate in the signature cannot be verified". It correctly lists the issuer as "US, Apple Inc., Apple Certification Authority". But when I get details on the certificate, it says "Windows does not have enough information to verify this certificate."

Now, there are buttons at this point for "Install Certificate..." and "Issuer Statement", which I suspect would satisfy it, but of course I can't expect my end-users to do that.

So, what exactly is missing here? Are there only certain CAs that will work without complaint, and if so, where can I find that list? Or is there something else missing in my app?

Note: if more details are needed, screenshots of all the certificate dialogs are posted here.

Upvotes: 1

Views: 23332

Answers (1)

CristiFati

Reputation: 41137

It lists "US, Apple Inc., Apple Certification Authority", which is the CA (Certificate Authority, which is also represented by a certificate) that was used to sign the certificate, or better, to issue the certificate, because that info is in the certificate itself.

You can see the CA as a parent of your certificate.

Now, the reason why Windows can't verify your certificate is because it doesn't know anything about the cert's parent CA.

To change that, you have to import the parent CA into Windows as well, and if the CA has a parent as well, import that too and so on, until you reach a CA that is self-signed (it doesn't have a parent, or it's its own parent); that one is called the ROOT CA.

The list of CAs starting with the ROOT CA and ending with your certificate is called a certificate chain. After you import the whole certificate chain, Windows will no longer complain, and in the "Certificate" window, selecting the "Certificate path" tab, you'll see the whole certificate chain in a tree-like structure starting with the ROOT CA, and ending with your certificate (which is now the only one displayed there), where each certificate is listed under its parent.

Upvotes: 2
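The chain-building behaviour described in the answer can be reproduced offline. This is an added example, not part of either post: it uses `openssl verify` as a stand-in for the Windows verifier, and the CA names, file names and helper functions are all constructed for the demonstration.

```shell
#!/bin/sh
# Constructed three-level chain (all names are made up): root CA -> intermediate CA -> leaf.
# Assumption: openssl is on PATH; it stands in here for the Windows chain engine.
work=$(mktemp -d)
cat > "$work/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF

# self_signed <name>: a root CA, i.e. a certificate that is its own parent
self_signed() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$work/x.cnf" \
    -extensions ca -subj "/O=Example/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}

# issue <name> <parent> <ca|leaf>: a certificate signed by <parent>
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$work/x.cnf" \
    -subj "/O=Example/CN=$1" -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
  openssl x509 -req -in "$work/$1.csr" -days 30 -CA "$work/$2.crt" -CAkey "$work/$2.key" \
    -CAcreateserial -extfile "$work/x.cnf" -extensions "$3" -out "$work/$1.crt" 2>/dev/null
}

# verify_leaf <trusted-root> [intermediate]: can a path be built from the leaf to a trusted root?
verify_leaf() {
  if openssl verify -CAfile "$work/$1.crt" ${2:+-untrusted "$work/$2.crt"} \
       "$work/leaf.crt" >/dev/null 2>&1
  then echo verified; else echo unverified; fi
}

self_signed root; self_signed other-root
issue intermediate root ca
issue leaf intermediate leaf

echo "root trusted, intermediate missing:  $(verify_leaf root)"
echo "root trusted, intermediate supplied: $(verify_leaf root intermediate)"
echo "root not in the trust store:         $(verify_leaf other-root intermediate)"
```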
