Kjell Rilbe

Reputation: 1499

Signed ClickOnce still giving security error and won't install

So, I'm trying to distribute a small C# app (VS 2022) internally, to a few employees within our company. I checked "Sign the ClickOnce manifests" and am using a code signing cert that I bought from Sectigo via SignMyCode. But when I try to run the published installer I still get the error saying that the administrator has blocked this application since it could constitute a security risk, and it refuses to let me install it or override in any way. It displays the publisher correctly, as it appears in the cert, and if I click that, the certificate looks as I expect.

What do I need to do to have Windows 10 and 11 accept installation of this app?

The computers are running Windows Pro and are Azure AD connected to our Microsoft 365 Azure AD.

EDIT 2022-12-15 10:00 CET:

Found the tool SignTool and tried it on the setup.exe using the command and options verify /v /debug. It gives this output:

Verifying: setup.exe

Signature Index: 0 (Primary Signature)
Hash of file (sha256): 24376988F001B127559B6EFABADBA48F6F503B6E7EC2E4DC7F0C5A2208EA8DF9

Signing Certificate Chain:
    Issued to: USERTrust RSA Certification Authority
    Issued by: USERTrust RSA Certification Authority
    Expires:   Tue Jan 19 00:59:59 2038
    SHA1 hash: 2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E

        Issued to: Certera Code Signing CA
        Issued by: USERTrust RSA Certification Authority
        Expires:   Tue Sep 07 00:59:59 2032
        SHA1 hash: 4E6EFBA5EBA3775B9A6473D2F07E9A0B9AA81283

            Issued to: Marknadsinformation i Sverige AB
            Issued by: Certera Code Signing CA
            Expires:   Sat Dec 06 00:59:59 2025
            SHA1 hash: 8BA2CC9C21B1B8145ACDA1E077928034426DA43B

File is not timestamped.

SignTool Error: A certificate chain processed, but terminated in a root
        certificate which is not trusted by the trust provider.

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1

So it appears that either the root cert or the intermediate cert is not trusted?

I did not include the cert chain in my .pfx file, so maybe I should try that for starters.

Apart from that, I'll research how to add the root cert as trusted to my and my coworkers' machines. Pointers welcome of course.

I also note that apparently the signature has no timestamp. How do I get VS to timestamp the signature during publish?

EDIT 2022-12-15 11:30 CET:

OK, so I added the cert chain to the PFX file and also installed the root cert, the intermediate cert and my own cert into my machine's cert store, my account, putting the root cert in "Trusted root certificates", the intermediate one in "Intermediate certificate authorities" and my own cert in "Trusted publishers". That did the trick. Will investigate the easiest way to perform this on my co-workers' machines.

At this stage I can only say that the error messages and docs could have been more helpful... Not the easiest things to research using Google either...

Upvotes: 1

Views: 636
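The two steps the question walks through, verifying setup.exe's Authenticode signature (including whether it is timestamped and which chain element is untrusted) and installing the root, intermediate and publisher certs into the matching stores, as a single PowerShell script. This is an added example, not code from the question or from Microsoft; it assumes setup.exe in the current directory and that the -Install switch is run from an elevated prompt.

```powershell
# Added example: verify an Authenticode-signed setup.exe and, with -Install,
# import its chain into the LocalMachine stores the question used
# (root -> Root, intermediate -> CA, signer -> TrustedPublisher).
param(
    [string]$Path = ".\setup.exe",   # assumed location of the published installer
    [switch]$Install                 # needs an elevated prompt for LocalMachine stores
)

$sig = Get-AuthenticodeSignature -FilePath $Path
"Status    : $($sig.Status) - $($sig.StatusMessage)"
"Signer    : $($sig.SignerCertificate.Subject)"
if ($sig.TimeStamperCertificate) { "Timestamp : $($sig.TimeStamperCertificate.Subject)" }
else { "Timestamp : none (signature stops validating when the cert expires)" }

if (-not $sig.SignerCertificate) { throw "File is not signed." }

# Build the chain ourselves so each element's status is visible, not just the summary error.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline; trust is what we're debugging
$null = $chain.Build($sig.SignerCertificate)
foreach ($el in $chain.ChainElements) {
    $problems = ($el.ChainElementStatus | ForEach-Object StatusInformation) -join '; '
    "  {0}  [{1}]" -f $el.Certificate.Subject, $(if ($problems) { $problems.Trim() } else { 'OK' })
}

if ($Install) {
    foreach ($el in $chain.ChainElements) {
        $c = $el.Certificate
        # Self-issued cert is the root; the signer goes to TrustedPublisher; the rest are intermediates.
        $store = if ($c.Subject -eq $c.Issuer) { 'Root' }
                 elseif ($c.Thumbprint -eq $sig.SignerCertificate.Thumbprint) { 'TrustedPublisher' }
                 else { 'CA' }
        $tmp = Join-Path $env:TEMP ("{0}.cer" -f $c.Thumbprint)
        [IO.File]::WriteAllBytes($tmp, $c.Export('Cert'))   # public cert only, never the private key
        Import-Certificate -FilePath $tmp -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
        Remove-Item $tmp
        "Imported {0} into LocalMachine\{1}" -f $c.Subject, $store
    }
}
```

Run it once without -Install to see which element carries the "untrusted root" or "partial chain" status before pushing anything to co-workers' machines.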

Answers (1)

sivam

Reputation: 23

I suspect your .exe is not properly signed with your certificate. Do you see a "Digital Signature" tab in the Properties window of your .exe?

Here's the syntax to sign a binary with a timestamp using signtool.exe: signtool sign /f .pfx /p password /d description /tr http://timestamp.digicert.com .exe

A build-server-friendly way to sign a binary is to compile the .NET project without the .pfx file, use OpenSSL to extract a .pfx from your certificate, and follow the step mentioned above.

Upvotes: 1
