Indigo Rose Software

Professional Software Development Tools

 
  1. #1
    Join Date
    Jul 2007
    Location
    Santa Cruz Mountain, California
    Posts
    32

    Code signing successful, used to work, but get Unknown Publisher!

    Using the latest Setup Factory 8.0 with a Thawte certificate. I am using signtool with a PFX cert and password to sign the build, and it all works without error.
    The resulting executable shows as properly signed in properties.

    This all used to work beautifully, but some time this year, the "Unknown Publisher" warning came back in Vista/Windows 7, when I run the setup.

    I checked out a fresh certificate, no change. We are valid through end of 2011.

    Our build system is a standard Windows XP Pro SP3 VMware environment we keep updated, but otherwise the same.

    What else could be happening?

  2. #2
    Join Date
    Apr 2005
    Location
    São Paulo, Brazil
    Posts
    2,539
    You might want to try to sign a file manually, so you can see any error messages. You should also check the whole certificate chain, maybe you have an expired root certificate.

    Ulrich

  3. #3
    Join Date
    Jul 2007
    Location
    Santa Cruz Mountain, California
    Posts
    32
    Ulrich,
    I signed the apps "manually" via batch using the same command - no errors. No errors in Setup Factory logs.
    Would an expired root certificate be on the Build system, or the system to install on?

    How do I check the state? I just noticed using Windows Update>Custom>Optional that it could use an update on the Build System. Will try that.

    Thanks for your help!
    Last edited by haralds; 09-01-2010 at 12:04 PM. Reason: Courtesy msg.

  4. #4
    Join Date
    Jul 2007
    Location
    Santa Cruz Mountain, California
    Posts
    32
    Updating the Build system certificate and rebuilding the Setup.exe did not solve the issue.

    Other ideas?

  5. #5
    Join Date
    Jul 2007
    Location
    Santa Cruz Mountain, California
    Posts
    32
    I get conflicting results using the interred certificate with the wizard (all fine), and with some signing options.

    Where would you recommend I look for the best instructions on creating the certs etc. from downloading from Thawte, exporting the .pfx, and creating the other variants needed by signtool on the command line? I have been using openssl for that process.

    I need to start fresh, it seems...

  6. #6
    Join Date
    Apr 2005
    Location
    São Paulo, Brazil
    Posts
    2,539
    Hello,

    Just to clarify - when you signed the setup manually, do you get the same UAC message about an unknown publisher when executing the file?

    When you inspect the file properties (right-click menu on the finished installer), and check the certificate status, what do you see? Check the certificate path as well and look for errors.

    Another thing - digital signatures may fail when the signed file is larger than 300 MB. How big is your file? If it is over 300 MB, you should use MakeCat instead. See the MSDN article for further details.

    Ulrich
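
The checks suggested in replies #2 and #6 (signature status, certificate path, file size) can also be run from PowerShell on the machine that shows the warning. This is an added example, not part of the thread; the `$Path` parameter is an assumption, and the chain is evaluated against the certificate stores of the machine the script runs on.

```powershell
# Added diagnostic example (not from the thread).
# $Path is a placeholder for the signed installer to inspect.
param(
    [Parameter(Mandatory = $true)] [string] $Path
)

$file = Get-Item -LiteralPath $Path
$sig  = Get-AuthenticodeSignature -FilePath $file.FullName

# Overall Authenticode verdict as Windows evaluates it on this machine.
"File:        {0} ({1:N0} MB)" -f $file.Name, ($file.Length / 1MB)
"Status:      {0}" -f $sig.Status
"Message:     {0}" -f $sig.StatusMessage

if ($file.Length -gt 300MB) {
    "Note: file is larger than the 300 MB size mentioned in reply #6."
}

if (-not $sig.SignerCertificate) {
    "No signer certificate found in the file."
    return
}

# Without a timestamp, the signature stops validating when the signer cert expires.
"Timestamped: {0}" -f [bool]$sig.TimeStamperCertificate

# Rebuild the chain so the errors of each element are visible separately.
# Revocation checking is skipped so the script also works offline.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$ok = $chain.Build($sig.SignerCertificate)
"Chain builds to a trusted root: $ok"

# Elements are listed from the signer certificate up to the root.
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    $flags = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $flags) { $flags = 'NoError' }
    "  {0}" -f $c.Subject
    "    valid {0:yyyy-MM-dd} to {1:yyyy-MM-dd}  expired now: {2}  status: {3}" -f `
        $c.NotBefore, $c.NotAfter, ($c.NotAfter -lt (Get-Date)), $flags
}
```

Running it on both the build system and a machine that shows "Unknown Publisher" makes it visible whether the two machines reach the same chain and root.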

  7. #7
    Join Date
    Jul 2001
    Location
    Indigo Rose Software
    Posts
    1,834
    You may also want to make sure that you've updated all the correct locations in the Setup Factory GUI if the settings have changed for your signing files etc. For example, the values in preferences only affect "new" projects and will not affect your current project's settings. The place you want to make sure it's up-to-date is on the Code Signing tab of Build settings. Also make sure that your change is done for all build configurations if you have more than one.

    If there were no name or directory changes in those settings, you shouldn't have any issue swapping out the files, just wanted to eliminate that as a cause.
    Darryl
    Indigo Rose Corporation

  8. #8
    Join Date
    Jul 2007
    Location
    Santa Cruz Mountain, California
    Posts
    32
    The issue turns out to be related to signing on 64 bit systems. MS state a requirement for the use of an additional certificate for signing kernel drivers, but it turns out to be a general requirement. Signing from 32 bit systems of Windows works fine.

    I have not been able to make the MS and Thawte suggested procedure work on a 64 bit system, but I use a 32 bit build VM in any case...
