User1111

Reputation: 41

ClickOnce: Unknown Publisher shown in the Installer, when the app is already signed

I have published a basic unsigned Windows Forms application using ClickOnce in Visual Studio. I took the .exe file and .exe.config file and moved them to a folder on my desktop. I signed the .exe file with a legitimate DigiCert signing tool, and I created the application manifest and deployment manifest using MageUI and signed them with the same signing tool. I moved all the files to the FTP server that I want the users to download from. When I enter the URL in the browser everything works fine, but it prompts me to install, and it says that the publisher is Unknown. After I click Install, the app runs as it should.

Also, I have already added my certificate to the Trusted Publisher store, and verified that the issuer of my certificate is in the Intermediate Certification Authority store, and their issuer is in the Root Certification Authority Store.

I have also opened the deployment and application manifests in Notepad and can see my signature on them, and I can see that my .exe file is signed by right-clicking on it and selecting Properties, then the Signature tab.

I have followed the Steps outlined in this site: https://robindotnet.wordpress.com/2013/02/24/windows-8-and-clickonce-the-definitive-answer-2/

I used the "#1: Signing the application executable post-publish." steps.

So my main question is why is it saying that the publisher is Unknown when I download and run the .application file?

Note that the SmartScreen filter is not picking up my app as being unsafe.

Upvotes: 4

Views: 2115

Answers (2)

Erikest

Reputation: 5097

The other answer tells you what's going on, and here's what's working for me. I pivoted another's work for my CI pipeline, but the script can be used in any capacity:

https://github.com/erikest/SignClickOnce

Upvotes: 0

Adriano

Reputation: 1862

I have (sadly) the same problem.

Microsoft has not accepted SHA-1 certificates since 1 January 2016: Windows Enforcement of Authenticode:

Code Signing Certificates: Windows will no longer trust files with the Mark of the Web attribute that are signed with a SHA-1 code signing certificate and are timestamped after 1/1/2016. With the exception of issuing certificates to developers who intend to develop only applications for Windows Vista, Windows Server 2008, CAs may not issue new SHA-1 code signing certificates after January 1, 2016.

I tried to sign with a SHA256 hash and with a SHA2 timestamp certificate, but this is not enough. What I can't understand is why an unsigned exe is treated as more secure than a SHA1-signed exe in SmartScreen!

Upvotes: 1
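
Added example, not part of either answer or of the linked script: the question mentions opening the manifests in Notepad to look at the signature, so this Python check lists every hash algorithm a `.application` or `.exe.manifest` file declares and flags the SHA-1 ones. The manifest text is a constructed sample and `audit_manifest` is a hypothetical helper name; it reports declared algorithms only and does not validate the signature or the certificate chain.

```python
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
# XMLDSig algorithm URIs that are SHA-1 based.
SHA1_URIS = {DSIG + "sha1", DSIG + "rsa-sha1"}

# Constructed sample: a heavily trimmed manifest, not a real deployment.
SAMPLE_MANIFEST = """<asmv1:assembly xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
    xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <asmv2:dependency>
    <asmv2:dependentAssembly codebase="Example.exe.manifest">
      <asmv2:hash>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      </asmv2:hash>
    </asmv2:dependentAssembly>
  </asmv2:dependency>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <Reference URI="">
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
      </Reference>
    </SignedInfo>
  </Signature>
</asmv1:assembly>"""


def audit_manifest(xml_text):
    """Return (location, element, algorithm URI, is_sha1) for each hash use."""
    root = ET.fromstring(xml_text)
    # Elements inside any <Signature> belong to the publisher signature;
    # the rest are per-file hashes written when the manifest was generated.
    in_sig = {id(e) for s in root.iter(f"{{{DSIG}}}Signature") for e in s.iter()}
    findings = []
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]  # strip the XML namespace
        if name in ("SignatureMethod", "DigestMethod"):
            uri = el.get("Algorithm", "")
            where = "signature" if id(el) in in_sig else "file-hash"
            findings.append((where, name, uri, uri in SHA1_URIS))
    return findings


if __name__ == "__main__":
    for where, name, uri, weak in audit_manifest(SAMPLE_MANIFEST):
        print(f"{'SHA-1' if weak else 'ok':5}  {where:9}  {name:15}  {uri}")
```

To audit a real deployment, pass the text of the published `.application` and `.exe.manifest` files to `audit_manifest` instead of the sample.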
