4

I have published a basic unsigned windows form application using ClickOnce on Visual Studio. I took the .exe file and .exe.config file and moved it to a folder on my desktop. I signed the .exe file with a legitimate digiCert signing tool, and I created the application manifest and deployment manifest using MageUI and signed it with the same signing tool. I moved all the files to the FTP server that I want the users to download from. When I enter the URL in the browser everything works fine, but it prompts me to Install, and it says that the Publisher is Unknown. After I click install, the app runs as it should.

Also, I have already added my certificate to the Trusted Publisher store, and verified that the issuer of my certificate is in the Intermediate Certification Authority store, and their issuer is in the Root Certification Authority Store.

I have also opened the deployment and application manifest using notepad, and can see my signature on them, and I can see that my .exe file is signed by right clicking on it and selecting properties, then the signature tab.

I have followed the Steps outlined in this site: https://robindotnet.wordpress.com/2013/02/24/windows-8-and-clickonce-the-definitive-answer-2/

I used the : "#1: Signing the application executable post-publish." steps.

So my main question is why is it saying that the publisher is Unknown when I download and run the .application file?

Note: that the SmartScreen filter is not picking up my app as being unsafe

User1111
  • 41
  • 2

2 Answers2

1

I have (sadly) the same problem.

Microsoft doesn't accept anymore the SHA-1 certificate since 1. january 2016: Windows Enforcement of Autheticode:

Code Signing Certificates: Windows will no longer trust files with the Mark of the Web attribute that are signed with a SHA-1 code signing certificate and are timestamped after 1/1/2016. With the exception of issuing certificates to developers who intend to develop only applications for Windows Vista, Windows Server 2008, CAs may not issue new SHA-1 code signing certificates after January 1, 2016.

I tried to sign with a SHA256 hash and with a SHA2 timestamp certificate but this is not enough. What I can't understand is why an unsigned exe is threated as more secure as a signed SHA1 exe in smartscreen!

Adriano
  • 1,743
  • 15
  • 28
0

The other answer tells you what's going on, and here's what's working for me. I pivoted another's work for my CI pipeline, but the script can be used in any capacity:

https://github.com/erikest/SignClickOnce

Erikest
  • 4,997
  • 2
  • 25
  • 37
  • 1
    Did you verified that the publisher is being reflected correctly when you check through VS project properties: Publish-Options-Description-Publisher name. I remember changing this value for similar issue once before... – OmGanesh Dec 16 '18 at 23:18