
I am using Inno Setup to create an installer and I want to sign my application so the unverified publisher message does not pop up. The software is to be installed on an embedded machine running Windows 7 that is not connected to the internet. The user will download the executable from something like Dropbox onto a USB drive and take it to the embedded computer. How can I get it to not show the unverified publisher message?

My requirements are to not use a Certificate Authority such as Verisign, Symantec, Comodo, etc., and the embedded machine has no internet connection.

** It might be okay if the message shows up the very first time... but on any subsequent install it should not appear.

I read up a lot of information on signing but I am confused on how to do this without internet connectivity and without CA.

Here is what I gathered:

The official way to get rid of the warning is to get ourselves verified through a CA (Certificate Authority) such as Verisign, Comodo, Symantec ... This costs money $$ and the process is extensive. We would have to provide information about the company, licenses, financial documents, ... Then the process takes 2 weeks. After that we sign our software using a private key, and when the user downloads our software, I think the user has to be online the very first time. Certificates have time limits for how long they are valid, and it just sounds like a painful thing to do.

luke signh
  • You don't have a choice. You have to use a certificate authority and buy a certificate. Otherwise, you get the warning. There aren't any additional options; if there were, it would defeat the entire purpose of signing applications. *Gee, I want my malware to not trigger a warning as an unverified publisher, so I'll just fake my way around it.* doesn't make much sense. – Ken White Aug 02 '17 at 02:21
  • If you are targeting a particular machine, you could create your own root certificate and get it installed on the machine in question. Also, I think the unverified publisher message only appears if you double-click the installer, and not if you run it from the command line, if that's any help. – Harry Johnston Aug 02 '17 at 04:16
  • Luke, please post your findings as an answer, to close this question. – Martin Prikryl Aug 02 '17 at 05:24
  • Use open source code signing and sign your application. :-) – GTAVLover Aug 02 '17 at 09:14
  • @MartinPrikryl let me get to a resolution first and I'll post the appropriate answer – luke signh Aug 02 '17 at 18:38
  • @GTAVLover What is "open source code signing"? – Martin Prikryl Aug 03 '17 at 04:57
  • It is for applications that are open source. – GTAVLover Aug 03 '17 at 05:04
  • @GTAVLover Do you have any reference for that? – Martin Prikryl Aug 17 '17 at 09:03
  • @MartinPrikryl No, no... No references... It's OK. But I cannot understand what you mean by references here. With open source code signing? – GTAVLover Aug 17 '17 at 13:12
  • I mean some documentation or any article about the "open source code signing". – Martin Prikryl Aug 17 '17 at 13:22

0 Answers