
ERROR: The certificate is not valid because one of the certification authorities in the certification path does not appear to be allowed to issue certificates or this certificate cannot be used as an end-entity certificate

Found this error on right click of exe > Digital Signatures > Details > View Certificate

For this, the steps below were followed:

  1. `makecert.exe -n "CN=CA123,O=Org,OU=Org,C=US" -r -pe -a sha512 -len 4096 -cy authority -sv CA123.pvk CA123.cer`

  2. `pvk2pfx.exe -pvk CA123.pvk -spc CA123.cer -pfx CA123.pfx -po Test123`

  3. Open mmc > File > Add/Remove Snap-in > Double-click on Certificates > selected computer account > Finish > Ok > Expand Trusted Root Certification > Certificates right-click > All-tasks > import

  4. Double-clicked on the certificate file and verified the trusted certificate msg

  5. Inside Inno Setup

  6. Tools > Configure Sign Tools > Add > signtool > `"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /f "C:\Users\Downloads\CA123.pfx" /t http://timestamp.comodoca.com/authenticode /p Test123 $f`

  7. Added `SignTool=signtool` `SignedUninstaller=yes` in script

  8. Executed the script and the exe got generated with certificate not trusted.

How can I get the exe signed with a trusted certificate so that I don't receive the unknown publisher error on installation or the Windows Defender SmartScreen dialog?

Referred POSTS:

Inno Setup - Signing fails with "Sign Tool failed with exit code 0x1"

Inno Setup - Certificate is not trusted

Signing a Windows installer (.exe) for application created using Electron

InnoSetup - Code Signing Certificate

user123
  • So do you sign your application with a certificate signed by an authority that you will manually import on the machines? Is it some internal software distributed with an organisation? – Martin Prikryl Jun 25 '19 at 13:43
  • Instead of creating your own certificate, buy one, e.g. from DigiCert. – Thomas Weller Jun 25 '19 at 13:44
  • @MartinPrikryl this software is not limited to organisation so manual import of certificates in each system is not possible. These steps I referred in above specified URLs so I followed it – user123 Jun 25 '19 at 13:55
  • The only post you link to that uses `makecert` is [Inno Setup - Certificate is not trusted](https://stackoverflow.com/q/46229765/850848), which is closed as a duplicate of [Signing installer of my program generated by Inno Setup to make it of a trusted company?](https://stackoverflow.com/q/45988806/850848) And my answer to that question clearly says that it's a wrong way. – Martin Prikryl Jun 25 '19 at 13:59
  • See also a more straightforward [Is it useless to sign my Windows application with a self signed certificate?](https://stackoverflow.com/q/54303513/850848) => Yes it is. – Martin Prikryl Jun 25 '19 at 14:00
  • It's all about trust of the certificate. And you can only get that trust from a company which was accepted to check your identity. And you pay for that service of validating your identity. https://www.digicert.com/code-signing/ – Thomas Weller Jun 25 '19 at 14:06
  • @ThomasWeller https://i.stack.imgur.com/Jtwgf.png https://i.stack.imgur.com/wmavI.jpg Above 2 are the errors I am receiving when application is installed in Win8 and Win10. So would like to confirm that taking "Code Signing" certificate from Digicert will fix above error? "EV Code Signing" certificate is not required? – user123 Jul 08 '19 at 07:16
  • EV Code signing is required for kernel drivers only. This dialog https://i.stack.imgur.com/wmavI.jpg will still appear, but in different color (blue) and with your company name instead of "Unknown". – Thomas Weller Jul 08 '19 at 07:28
  • These days [EV certificate is de-facto required even for normal software](https://security.stackexchange.com/q/222140/43677). – Martin Prikryl Oct 16 '20 at 06:20
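
An added example, not part of the original thread: a PowerShell function that reports how Windows evaluates the signer certificate of a signed file, covering the two things the dialog text in the question is about (whether the chain ends in a trusted root, and whether the signing certificate is itself flagged as a certification authority, as step 1 requests with `-cy authority`). The function name and the sample path are hypothetical; the cmdlet and .NET classes are the standard ones.

```powershell
# Added example (not from the thread). Pass the path of your signed installer.
function Get-SignerChainReport {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if (-not $cert) {
        # Unsigned file, or the signature could not be parsed at all.
        return [pscustomobject]@{ Path = $Path; SignatureStatus = $sig.Status }
    }

    # Basic Constraints (OID 2.5.29.19) says whether the certificate is a CA.
    $isCa = $false
    $ext  = $cert.Extensions['2.5.29.19']
    if ($ext) {
        $bc = New-Object System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension($ext, $ext.Critical)
        $isCa = $bc.CertificateAuthority
    }

    # Build the chain against this machine's stores, for the code signing EKU.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.ChainPolicy.ApplicationPolicy.Add(
        (New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'))
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        StatusMessage   = $sig.StatusMessage
        Subject         = $cert.Subject
        SelfSigned      = ($cert.Subject -eq $cert.Issuer)
        MarkedAsCA      = $isCa
        ChainBuilds     = $chainOk
        ChainStatus     = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Example call; the path is a placeholder for your own installer.
# Get-SignerChainReport -Path '.\Output\mysetup.exe' | Format-List
```

In `ChainStatus`, `UntrustedRoot` means the root is not in the trusted store of the machine running the check, and `InvalidBasicConstraints` points at the CA flag on the signing certificate. Running it on a machine where the root was never imported shows what other users' systems will see.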

0 Answers