what are all the necessary steps to deploy a trusted activex control built with managed code

Question

i have an activex that was built with c#. as part of the build process, the cab file is signed with a commercial code signing certificate.

when it is downloaded and installed we run into multiple issues:

• the site that it is downloaded from needs to be in the trusted sites list
• the control will show up in IE with the phrase (not verified) next to the company name
• ie will popup a warning about unsafe scripting
• the version number in ie manage addons is for a microsoft component and not for our control, while the version number in programs and features is our version number.

its not clear what circumstances trigger it, but we will sometimes get the noname control from unknown publisher message when ie wants to update the control.

exhaustive reseach indicates that everyone has an opinion about this and no two of them are the same. so where does one get the official guide to deploying managed activex controls that are signed?

• for example, do all the dll's in the cab file need to be signed in addition to the .cab?
• when you do sign the dll's why does building the cab strip the signature off?
• why would a commercial code signing certificate with a trusted root still end up as unverified publisher?

Answer 1

Each individual dll, exe,ocx must be signed using the signtool.exe or other mechanism. I've never heard of the signing getting stripped off by placing them in the cab. I'm guessing you may be using the output of a build that has not yet been signed to build the cab ? I have some potentially useful ramblings on my code signing experiences at: http://www.menasoft.com/blog/?p=223