Publisher Unknown after successfully running signTool

14,104

Solution 1

Your file is signed. Windows declares the publisher as unknown because it does not trust the publisher identification in the signature.

Remember that in the world of digital signatures, you always need to verify at least two things at once or the whole exercise is meaningless. You must check the name on the signature, and you also need to find a trust link from something that you already trust (for example, a certification authority, or a certificate manually added as trusted) up to the signature that you are checking. Only then does it make sense to trust the name on the signature, and perhaps to display it to the operating system user.

In your web browser, go to Tools / Internet Options / Content / Publishers / Certificates and add your test certificate to Trusted Publishers.

(Another browser might have the same function under Settings / Show Advanced Settings / HTTPS/SSL / Manage Certificates.)

And retry. It won't work but I don't really know why and it is an instructive game.

It is not clear whether there is a way on Windows to establish a chain of trust if your certificate is home-made and there is no certification authority to back it. This source says:

"If you use a test (self-created) certificate, the installation dialogs will display an "Unknown publisher" message. For applications deployed internally in an organization, this is an acceptable practice."

You can however create your own certification authority as described here and add the CA certificate under the Trusted Root Certification Authorities. By doing this you are basically letting any certificate issued by that CA sign anything and be trusted by Windows.

Solution 2

I had the same problem and found that Microsoft no longer trusts certificates with the "sha 1" algorithm.

I solved the problem by asking my CA to replace the certificate.
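
The trust-chain point from Solution 1 and the hash-algorithm point from Solution 2, as an added example that is not code from the original posts: it creates a test root CA, issues a code-signing certificate from it, signs the MSI, and reports the signature status before and after the root is trusted. The certificate subjects, the `C:\Test` path and the helper names are assumptions; it needs an elevated PowerShell session on a test machine with `signtool` on the PATH.

```powershell
# Added example. Subjects, paths and function names are assumptions for illustration.
$msi = 'C:\Test\test.msi'

# 1. Home-made root CA: marked as a CA, key usage limited to signing certificates/CRLs.
$root = New-SelfSignedCertificate -Type Custom -Subject 'CN=Test Root CA (example)' `
    -KeyUsage CertSign, CRLSign -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -TextExtension @('2.5.29.19={text}CA=true') `
    -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddMonths(3)

# 2. Code-signing certificate issued by that root (SHA-256, not SHA-1).
$leaf = New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=WTS Test Signing (example)' `
    -Signer $root -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddMonths(3)

# 3. Sign with the certificate selected by thumbprint from the current user's My store.
signtool sign /fd SHA256 /sha1 $leaf.Thumbprint /v $msi

# Reports what Windows concludes about the signature, and which algorithm
# the signer certificate itself was signed with (relevant to Solution 2).
function Get-SignatureReport {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Status     = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
        CertSigAlg = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
        Message    = $sig.StatusMessage
    }
}

# At this point the file is signed, but the chain ends in a root Windows does not trust.
Get-SignatureReport -Path $msi | Format-List

# 4. Trust the root on this machine only, then check again.
$cer = Join-Path $env:TEMP 'test-root-example.cer'
Export-Certificate -Cert $root -FilePath $cer | Out-Null
Import-Certificate -FilePath $cer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Get-SignatureReport -Path $msi | Format-List

# 5. When testing is finished, remove the trust again: anything issued by this
#    root is trusted by the machine for as long as it stays in the Root store.
function Remove-TestTrust {
    Remove-Item -Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
    Remove-Item -Path "Cert:\CurrentUser\My\$($leaf.Thumbprint)"
    Remove-Item -Path "Cert:\CurrentUser\My\$($root.Thumbprint)"
}
```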

Solution 3

This can also happen if you have not used the switch "/d" to specify a description when signing the package. See more details under "sign Command Options" on this page: http://msdn.microsoft.com/en-us/library/8s9b9yaz.aspx

Author by

Kris

I'm kinda a big deal.

Updated on June 14, 2022

Comments

  • Kris
    Kris almost 2 years

    I'm trying to create a test certificate and sign a .MSI file I have created. I need to get the test version working with a signed .MSI before we can purchase a real security certificate.

    I have performed the following steps to sign my .MSI file. Everything completes successfully and it displays a message that 1 file was successfully signed after the last step.

    makecert.exe -sv c:\Test\mykey.pvk -n "CN=WTS" c:\Test\myCert.cer
    
    cert2spc.exe c:\Test\mycert.cer c:\Test\mycert.spc
    
    pvk2pfx -pvk c:\Test\mykey.pvk -pi password -spc c:\Test\mycert.spc -pfx c:\Test\mycert.pfx -po password
    
    signTool sign /f c:\Test\mycert.pfx /p password /v c:\Test\test.msi
    

    After performing these steps, I run the .MSI file (the date modified for the .MSI does change to match the time the signTool step was run). The warning message saying this .MSI is from an unknown publisher is still displayed, as is "Publisher: Unknown".

    Did I miss a step or something? Everything seems to work correctly, I never see any errors, but my file doesn't appear to be signed.

  • Kris
    Kris almost 12 years
    This is a Windows, not web, installer I'm working on. Is there somewhere else I need to import my certificate to? I added it under Internet Options as you suggested and also in Certificates/Trusted People in MMC's Certificates plug in but I'm still seeing Unknown as the listed publisher. Thanks!
  • Jirka Hanika
    Jirka Hanika almost 12 years
    @Kris - Sure, I'm talking about Windows Installer. The mere fact that I'm showing you two different ways to get to the very same dialog hints that it is a Windows component independent of a particular browser. Look here for some other ways. technet.microsoft.com/en-us/library/cc755231(v=ws.10).aspx
  • Kris
    Kris almost 12 years
    I do see my cert / publisher listed in the Trusted Publishers tab of the Certificates window but I'm still seeing the same problem. When I run the .MSI, it isn't telling me that my publisher is untrusted (like in your link) but rather telling me the publisher is "Unknown" :( Any other ideas?
  • Jirka Hanika
    Jirka Hanika almost 12 years
    @Kris - Sorry for the misleading first approximation. It seems you will need to go through all the trouble of creating and trusting a home made CA. See the updated answer.
  • Alexey Ivanov
    Alexey Ivanov almost 12 years
    @Kris Did you install your myCert.cer to the Trusted Publishers? You should also install this certificate to Trusted Root Certificate Authorities. Play with it. I guess Windows won't display the Publisher until the certificate is correctly trusted.
  • Kris
    Kris almost 12 years
    Adding the /d description when running sign tool doesn't resolve this. Thanks for the suggestion though.
  • Alexey Ivanov
    Alexey Ivanov almost 12 years
    No, /d option will only give you a friendly description of the package. You usually want to add it but it does not control trust relationship of the signature.
  • Kris
    Kris almost 12 years
    Thanks for the info about creating a certification authority and the Unknown publisher. This would work well for testing on my personal PC but I don't have access to perform all those steps on the client machines for testing. I think ultimately I will need to get a real certificate to complete my testing.
  • Jirka Hanika
    Jirka Hanika almost 12 years
    @Kris - that is correct. The last round of testing should be performed using a real certificate. However, initial learning and testing using homemade certificates is invaluable for your eventual understanding of what exactly you are buying.
  • CJBS
    CJBS about 6 years
    This is only for certs for web use: social.technet.microsoft.com/wiki/contents/articles/…