How to make computer (or user) trust signed software


Besides adding them to the local store at 'Trusted Publishers' and 'Trusted Root Certification Authorities', you have to edit the Group Policy, either locally or on the domain level to allow trusting.

For SCUP/WSUS updates using a code signing cert I used a GPO to "Allow signed updates from an intranet Microsoft update service location" under /Administrative Templates/Windows Components/Windows Update.

For Application installs it's going to be in a different place. Looks like it might be Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Certificate Path Validation Settings.

Take a look at: http://technet.microsoft.com/en-us/library/cc733026.aspx
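An added example, not part of the original answer, of the certificate-store half of this: it checks the Authenticode signature on an executable, validates the signer's chain, and only then adds the signer certificate to the machine-wide Trusted Publishers store. The file path is a placeholder; run it from an elevated PowerShell prompt. The Group Policy setting from the answer is still applied separately.

```powershell
# Added example (not from the original answer). Assumes an elevated prompt.
$ExePath = 'C:\path\to\signed-app.exe'   # placeholder path

# Read the Authenticode signature the way the File Properties dialog does.
$sig = Get-AuthenticodeSignature -FilePath $ExePath
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}
$signer = $sig.SignerCertificate
"Signer : $($signer.Subject)"
"Issuer : $($signer.Issuer)"
"Thumb  : $($signer.Thumbprint)"
"Expires: $($signer.NotAfter)"

# Build and validate the chain explicitly (with revocation checking) so an
# untrusted or revoked signer is rejected before anything is trusted.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if (-not $chain.Build($signer)) {
    $chain.ChainStatus | ForEach-Object { $_.StatusInformation }
    throw 'Certificate chain did not validate; not trusting this publisher.'
}

# Import only the signer (leaf) certificate into Trusted Publishers.
# Intermediate and root CAs from a public CA are already in the OS stores,
# so the leaf does not belong in Trusted Root Certification Authorities.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
    'TrustedPublisher', 'LocalMachine')
$store.Open('ReadWrite')
if (-not $store.Certificates.Contains($signer)) {
    $store.Add($signer)
    "Added $($signer.Thumbprint) to LocalMachine\TrustedPublisher"
}
$store.Close()

# Confirm the entry is present.
Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object Thumbprint -eq $signer.Thumbprint |
    Format-List Subject, Issuer, NotAfter, Thumbprint
```

In a domain, the same certificate is normally pushed to every machine's Trusted Publishers store through Group Policy rather than run per host.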


Author: jmodrak

Curious solution-finder and ultimately a problem-solver. Spending most of my time in C# with full Microsoft stack applied to build solutions. Most enjoying IIS hosted WCF services, server-side coding, good designs and efficient code. Currently working in Prague.

Updated on September 18, 2022

Comments

  • jmodrak
    jmodrak over 1 year

    I have an application, which I sign and timestamp using a code-signing certificate issued by thawte, with intermediate authority Thawte code signing CA - G2.

    The signature is OK (as it shows in file properties) and you can view the certification chain, so that is all okay.

    On most PCs, the user just clicks on the .exe file and it runs, but on Windows 7 with default settings, the "Open File - Security Warning" pops up EVERY TIME. It shows that it is signed, that the publisher is our company, and the user can verify that. This is not what we want. We want the user to double-click the file and go. I added our certificate to the "trusted publishers" in certmgr, and then I added our certificate to the "trusted root certification authorities". I think I tried all combinations, that made sense to me. Still I am not getting the desired result.

    I used Google a lot and I spent almost 2 days fiddling around with it, with no progress at all. How can I sign another file, send it to the computer, run it the same, convenient way as if it was developed and released by Microsoft or another big company?

    I need a general solution for all OS of Windows family Vista and newer.

    P.S. I do not want to unblock files, do registry hacks, or security level adjustments. I think I am missing something around where to install the certificates. If needed, please feel free to ask for code or settings, and I will gladly provide them.

    • Ramhound
      Ramhound over 9 years
      You tried to add the cert to the store or you did add the cert to the store?
    • jmodrak
      jmodrak over 9 years
      I added the cert to the store, but have not tried all options, have not tried Enterprise trust, have not tried all basically, so maybe I just need a hint which store is the correct one.
    • lzam
      lzam over 9 years
      Which version of Windows are you running on these "Most PCs" you speak of. Also, can you post a screenshot (or link to one) of the exact message you are seeing?
    • int_541
      int_541 over 9 years
      Does the application require administrative permissions? If so, there really isn't anything else you can do if you are seriously wanting to avoid editing User Account Control settings or making users Local Admins, short of creating a scheduled task and a shortcut to launch said task.
  • jmodrak
    jmodrak over 9 years
    Yes, editing the GPO was the missing thing. I have done that in the meanwhile, but forgot to mention it here. The more info provided, the better; I will not make the same mistake again. Kudos!
  • Michael
    Michael over 9 years
    Glad it worked out. I hate that the advanced stuff like this isn't documented in an easy-to-find way, just buried in white papers on page 53 for someone with plenty of time to find.