I build and sign an MSI (using WiX). If I copy it to my Win8 machine, it works perfectly. If I gmail it, then download it on the Win8 machine, I get "Windows protected your PC" - "Run anyway" or "Don't run". This is my main question, for which I cannot find answers: how does it know whether this came from a copy or was downloaded?

I am investigating this because when I sign with a timestamp server, this popup (only when downloaded from gmail) is actually saying unknown publisher even though everywhere else things look couth.

Johannes Kuhn
Devin Dow

2 Answers

Simple: It uses Alternate Data Streams (ADS), in particular an ADS called Zone.Identifier

For more info, see this.

Johannes Kuhn

If you are getting "Unknown Publisher", your package is likely not signed or the signature is not trusted. The verification only happens for packages downloaded from the internet, so the fact it does not prompt you otherwise is not indicative of a successful signature.

The detection of whether the package is downloaded from the internet happens via the Mark-of-the-web, which, as @JohannesKuhn pointed out, is implemented with an alternate stream named Zone.Identifier.

See this MSDN blog for more information about MSI signing.

Mitch
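As an added example (not part of either answer above), the script below shows what both answers refer to: the Zone.Identifier alternate data stream that browsers and mail clients write next to a downloaded file, and which SmartScreen and the installer consult. It parses the INI-style content of that stream (`[ZoneTransfer]` with `ZoneId`, and optionally `ReferrerUrl`/`HostUrl`), maps the zone id to its name, and reports whether the file would be treated as internet-sourced. The sample stream contents are constructed for the demonstration; `read_zone_identifier` uses the `file:Zone.Identifier` path syntax, which only resolves on NTFS under Windows, so on other filesystems (or on a file that was simply copied, as in the question) it returns `None`, i.e. no mark-of-the-web present.

```python
"""Inspect a file's Mark-of-the-Web (the Zone.Identifier alternate data stream)."""
import configparser
from typing import Optional

# URL security zone ids as written into Zone.Identifier by Windows applications.
ZONE_NAMES = {
    0: "My Computer",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample: what a mail-client download typically leaves behind.
SAMPLE_DOWNLOADED = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://mail.example.test/
HostUrl=https://attachments.example.test/setup.msi
"""

# Constructed sample: a file fetched from an intranet share (below the SmartScreen threshold).
SAMPLE_INTRANET = """[ZoneTransfer]
ZoneId=1
"""


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the text of a Zone.Identifier stream into a small report dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(stream_text)
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("Zone.Identifier stream has no [ZoneTransfer] section")
    section = cp["ZoneTransfer"]          # option names are matched case-insensitively
    zone_id = int(section.get("ZoneId", "0"))
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer_url": section.get("ReferrerUrl"),
        "host_url": section.get("HostUrl"),
        # Zone 3 (Internet) and 4 (Restricted) are what triggers the
        # "Windows protected your PC" / unknown-publisher handling.
        "treated_as_internet_download": zone_id >= 3,
    }


def read_zone_identifier(path: str) -> Optional[dict]:
    """Read and parse the Zone.Identifier ADS of `path`.

    Returns None when the stream is absent (file was copied rather than
    downloaded, or the filesystem does not support alternate data streams).
    """
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    import sys
    for name, text in (("downloaded.msi", SAMPLE_DOWNLOADED), ("intranet.msi", SAMPLE_INTRANET)):
        print(name, parse_zone_identifier(text))
    for path in sys.argv[1:]:
        print(path, read_zone_identifier(path) or "no Zone.Identifier stream (no mark-of-the-web)")
```

Run with one or more file paths on a Windows NTFS volume to see the real stream; on a file that was copied from another machine, or that lives on FAT/exFAT media where alternate streams cannot exist, the function reports no mark, which is exactly why the copied MSI in the question installs silently while the downloaded one prompts.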