
I'm trying to create a test certificate and sign a .MSI file I have created. I need to get the test version working with a signed .MSI before we can purchase a real security certificate.

I have performed the following steps to sign my .MSI file. Everything completes successfully and it displays a message that 1 file was successfully signed after the last step.

makecert.exe -sv c:\Test\mykey.pvk -n "CN=WTS" c:\Test\myCert.cer

cert2spc.exe c:\Test\mycert.cer c:\Test\mycert.spc

pvk2pfx -pvk c:\Test\mykey.pvk -pi password -spc c:\Test\mycert.spc -pfx c:\Test\mycert.pfx -po password

signTool sign /f c:\Test\mycert.pfx /p password /v c:\Test\test.msi

After performing these steps, I run the .MSI file (the date modified for the .MSI does change to match the time the signTool step was run). The warning message saying this .MSI is from an unknown publisher is still displayed, as is "Publisher: Unknown".

Did I miss a step or something? Everything seems to work correctly, I never see any errors, but my file doesn't appear to be signed.

Kris
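
The first thing to establish is whether the MSI is unsigned or signed but untrusted, since Windows reports "Publisher: Unknown" in both cases. The following PowerShell script is an added example (it is not part of the question and not from Microsoft's documentation); it uses the built-in `Get-AuthenticodeSignature` cmdlet and the `Cert:` drive, and the default file path is a placeholder you replace with your own MSI.

```powershell
# Added example, not from the original question: distinguish "not signed" from
# "signed but the chain ends in an untrusted root", which is what yields
# "Publisher: Unknown". Assumption: $Path is your MSI; the default is a placeholder.
param([string]$Path = 'C:\Test\test.msi')

$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -eq 'NotSigned') {
    "NOT SIGNED: no Authenticode signature is attached to $Path"
    return
}

# A signature exists. Windows shows the CN of this certificate as Publisher,
# but only once the chain below terminates in a root it trusts.
"Signer : $($sig.SignerCertificate.Subject)"
"Status : $($sig.Status) - $($sig.StatusMessage)"

# Rebuild the chain the way the trust provider does and show where it breaks
# (a self-signed test cert typically reports UntrustedRoot here).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline test box; keep revocation on in production
$null = $chain.Build($sig.SignerCertificate)
foreach ($element in $chain.ChainElements) {
    $problems = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $problems) { $problems = 'OK' }
    "  chain: {0} [{1}]" -f $element.Certificate.Subject, $problems
}

# Where, if anywhere, is the signing certificate installed? A self-signed cert
# must sit in a Root store; Trusted Publishers alone does not make the chain valid.
$thumb = $sig.SignerCertificate.Thumbprint
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
                   'Cert:\LocalMachine\TrustedPublisher', 'Cert:\CurrentUser\TrustedPublisher') {
    $state = if (Test-Path (Join-Path $store $thumb)) { 'present' } else { 'absent' }
    "  store: {0,-40} {1}" -f $store, $state
}
```

Run it as `.\Check-MsiSignature.ps1 -Path C:\Test\test.msi` (script name is an assumption). A status of `Valid` with an `OK` chain is what the installer needs before it will display the CN as the publisher; `UnknownError` together with `UntrustedRoot` on the last chain element means the signature is fine and only the trust anchor is missing. The equivalent command-line check is `signtool verify /pa /v C:\Test\test.msi`.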

3 Answers


Your file is signed. Windows declares the publisher as unknown because it does not trust the publisher identification in the signature.

Remember that in the world of digital signatures, you always need to verify at least two things at once or the whole exercise is meaningless. You must check the name on the signature, and you also need to find a trust link from something that you already trust (for example, a certification authority, or a certificate manually added as trusted) up to the signature that you are checking. Only then it makes sense to trust the name on the signature, and perhaps to display it to the operating system user.

In your web browser, go to Tools / Internet Options / Content / Publishers / Certificates and add your test certificate to Trusted Publishers.

(Another browser might have the same function under Settings / Show Advanced Settings / HTTPS/SSL / Manage Certificates.)

And retry. It won't work but I don't really know why and it is an instructive game.

It is not clear whether there is a way on Windows to establish a chain of trust if your certificate is home-made and there is no certification authority to back it. This source says:

"If you use a test (self-created) certificate, the installation dialogs will display an "Unknown publisher" message. For applications deployed internally in an organization, this is an acceptable practice."

You can however create your own certification authority as described here and add the CA certificate under the Trusted Root Certification Authorities. By doing this you are basically letting any certificate issued by that CA sign anything and be trusted by Windows.

Jirka Hanika
  • This is a Windows, not web, installer I'm working on. Is there somewhere else I need to import my certificate to? I added it under Internet Options as you suggested and also in Certificates/Trusted People in MMC's Certificates plug-in but I'm still seeing Unknown as the listed publisher. Thanks! – Kris Jun 18 '12 at 20:39
  • @Kris - Sure, I'm talking about Windows Installer. The mere fact that I'm showing you two different ways to get to the very same dialog hints that it is a Windows component independent of a particular browser. Look here for some other ways. http://technet.microsoft.com/en-us/library/cc755231(v=ws.10).aspx – Jirka Hanika Jun 18 '12 at 20:41
  • I do see my cert / publisher listed in the Trusted Publishers tab of the Certificates window but I'm still seeing the same problem. When I run the .MSI, it isn't telling me that my publisher is untrusted (like in your link) but rather telling me the publisher is "Unknown" :( Any other ideas? – Kris Jun 18 '12 at 20:59
  • @Kris - Sorry for the misleading first approximation. It seems you will need to go through all the trouble of creating and trusting a home-made CA. See the updated answer. – Jirka Hanika Jun 18 '12 at 21:23
  • @Kris Did you install your myCert.cer to the Trusted Publishers? You should also install this certificate to Trusted Root Certificate Authorities. Play with it. I guess Windows won't display the Publisher until the certificate is *correctly* trusted. – Alexey Ivanov Jun 19 '12 at 13:02
  • Thanks for the info about creating a certification authority and the Unknown publisher. This would work well for testing on my personal PC but I don't have access to perform all those steps on the client machines for testing. I think ultimately I will need to get a real certificate to complete my testing. – Kris Jun 19 '12 at 17:15
  • @Kris - that is correct. The last round of testing should be performed using a real certificate. However, initial learning and testing using homemade certificates is invaluable for your eventual understanding of what exactly you are buying. – Jirka Hanika Jun 19 '12 at 19:59
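
The home-made CA route the answer ends on can be walked through with the same Windows SDK tools the question already uses. The script below is an added example, not code from the answer or from the linked article: it creates a throw-away root CA with `makecert`, issues a code-signing certificate from it, places the root in the LocalMachine Root store so the chain verifies, signs the package and checks the result. Tool names and flags are the real `makecert`, `pvk2pfx` and `signtool` options; the directory, subject names and password are placeholders, and an elevated prompt is assumed because of the LocalMachine store write.

```powershell
# Added example, not from the original answer. Assumptions: makecert, pvk2pfx and
# signtool (Windows SDK) are on PATH; run elevated because the root goes into
# LocalMachine\Root. Paths, names and the password are placeholders.
$ErrorActionPreference = 'Stop'
$work = 'C:\Test'            # placeholder working directory
$pw   = 'test-password'      # placeholder; throw-away key, never reuse in production
$msi  = Join-Path $work 'test.msi'
Set-Location $work

# 1. Self-signed root (-r), exportable key (-pe), marked as a CA (-cy authority),
#    written straight into LocalMachine\Root (-ss Root -sr LocalMachine) so that
#    Windows has a trust anchor. makecert prompts for the .pvk password: use $pw.
makecert -r -pe -a sha256 -n 'CN=WTS Test Root CA' -cy authority -sky signature `
         -ss Root -sr LocalMachine -sv TestRootCA.pvk TestRootCA.cer

# 2. End-entity certificate issued by that root (-ic/-iv) with the Code Signing
#    EKU (1.3.6.1.5.5.7.3.3). Its CN is what the installer shows as Publisher.
makecert -pe -a sha256 -n 'CN=WTS' -cy end -sky signature -eku 1.3.6.1.5.5.7.3.3 `
         -ic TestRootCA.cer -iv TestRootCA.pvk -sv mykey.pvk myCert.cer

# 3. Bundle certificate and key into a PFX for signtool. pvk2pfx accepts a .cer
#    for -spc, so the cert2spc step from the question is not needed.
pvk2pfx -pvk mykey.pvk -pi $pw -spc myCert.cer -pfx mycert.pfx -po $pw

# 4. Sign with a SHA-256 file digest. /d only sets the friendly description;
#    trust comes from step 1, not from this switch.
signtool sign /f mycert.pfx /p $pw /fd SHA256 /d 'WTS test package' /v $msi

# 5. Verify against the default Authenticode policy (/pa). Exit code 0 means the
#    signature is intact and the chain ends in a trusted root.
signtool verify /pa /v $msi
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# 6. The same check from PowerShell; Status should now read Valid.
$sig = Get-AuthenticodeSignature -FilePath $msi
"{0}: {1} ({2})" -f $msi, $sig.Status, $sig.SignerCertificate.Subject
```

Once step 1 has run, the installer dialog on that machine names the publisher instead of "Unknown". Any other machine needs `TestRootCA.cer` imported into its Trusted Root Certification Authorities store as well, which is exactly the client-side access the asker lacks; that limitation, not the signature itself, is what a certificate from a publicly trusted CA removes. When finished testing, remove the throw-away root from the machine store (`Remove-Item Cert:\LocalMachine\Root\<thumbprint>`) so it cannot be used to vouch for anything else.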

I had the same problem and found that Microsoft no longer trusts certificates with the SHA-1 algorithm.

I solved the problem by asking my CA to replace the certificate.

Yoram
  • This is only for certs for web use: https://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-sha1-certificates.aspx – CJBS Apr 02 '18 at 18:21

This can also happen if you have not used the switch "/d" to specify a description when signing the package. See more details under "sign Command Options" on this page: http://msdn.microsoft.com/en-us/library/8s9b9yaz.aspx

Bogdan Mitrache
  • Adding the /d description when running sign tool doesn't resolve this. Thanks for the suggestion though. – Kris Jun 19 '12 at 13:50
  • No, the `/d` option will only give you a friendly description of the package. You usually want to add it, but it does not control the trust relationship of the signature. – Alexey Ivanov Jun 19 '12 at 14:46