Although there are plenty of code signing and ClickOnce deployment questions out there, I could not find something that matches my scenario.

The setup.exe is signed properly, as it seems. When I execute it as an admin (to force UAC to appear), it shows publisher correctly on the pop-up window.

But when the setup takes place, then the famous "unknown publisher" appears.

My first question would be why the publisher is unknown if setup.exe seems to be signed.

My theory is that maybe there is something wrong with the application manifest, deployment manifest or application .exe signing.

Well, I have followed the steps in this article and added a build target instead of using the project properties sign UI:

    <Target Name="SignManifest" AfterTargets="_DeploymentSignClickOnceDeployment" Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
      <!-- Sign the application manifest -->
      <Exec Command="&quot;C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\mage.exe&quot; -Sign &quot;$(_DeploymentApplicationDir)$(_DeploymentTargetApplicationManifestFileName)&quot; -CertHash <hash> -TimeStampUri http://timestamp.comodoca.com/?td=sha256" />
      <!-- Update the deployment manifest with the re-signed application manifest, then sign it -->
      <Exec Command="&quot;C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\mage.exe&quot; -Update &quot;$(PublishDir)$(TargetDeployManifestFileName)&quot; -AppManifest &quot;$(_DeploymentApplicationDir)$(_DeploymentTargetApplicationManifestFileName)&quot;" />
      <Exec Command="&quot;C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\mage.exe&quot; -Sign &quot;$(PublishDir)$(TargetDeployManifestFileName)&quot; -CertHash <hash> -TimeStampUri http://timestamp.comodoca.com/?td=sha256" />
      <!-- Sign the bootstrapper (setup.exe) -->
      <Exec Command="..\..\..\Tools\signtool.exe sign /f &quot;<mypfx.pfx>&quot; /p password /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /as /v &quot;$(PublishDir)\setup.exe&quot;" />
    </Target>

I also did the checks on the manifest properties recommended by this other thread, but still no results.

I have also tried to play with different signtool options, but no change.

I have also verified the signing by issuing signtool verify /v setup.exe. This is the answer (removed hashes in case this info is sensitive)

Regarding SHA1, it seems for code signing they are not deprecated. Besides, my app was signed with SHA256


I am running out of alternatives. Any ideas are very welcome!

Igor Kondrasovas
  • For some reason I am still trying to figure out, I am no longer having this problem. Publisher looks fine during installation. As expected, as a new certificate is used, SmartScreen complains in both setup.exe and myapp.exe. But I expect this will go away over time. No code changes from my original message. – Igor Kondrasovas Feb 05 '21 at 13:21
  • Another thing I cannot explain is why in my localdev this "application install" dialog is no longer shown and the installation is started straight away. Could it be because I have the certificates in my local store? Do not know. – Igor Kondrasovas Feb 05 '21 at 13:22
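
An added example (not part of the original post, and not Microsoft tooling) for checking the output of the three mage.exe steps in the build target above: it reports whether each manifest carries a `publisherIdentity` and an XML signature, and whether the digest the deployment manifest records for the application manifest still matches after re-signing. Assumptions: the recorded digest covers the raw file bytes, and the manifests, `MyApp.exe.manifest` and `CN=Example Publisher` are constructed samples.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

ASM2 = "urn:schemas-microsoft-com:asm.v2"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

def manifest_status(xml_bytes):
    """Return (publisher name or None, has an XML signature) for one manifest."""
    root = ET.fromstring(xml_bytes)
    pub = root.find(f".//{{{ASM2}}}publisherIdentity")
    signed = root.find(f".//{{{DSIG}}}Signature") is not None
    return (pub.get("name") if pub is not None else None, signed)

def app_manifest_reference_ok(deploy_bytes, app_bytes):
    """True if the size and digest the deployment manifest records for the
    application manifest match the application manifest file as it is now."""
    dep = ET.fromstring(deploy_bytes).find(
        f".//{{{ASM2}}}dependentAssembly[@dependencyType='install']")
    # Assumption: the digest covers the raw file bytes (Identity transform).
    alg = dep.find(f".//{{{DSIG}}}DigestMethod").get("Algorithm").rsplit("#", 1)[-1]
    recorded = base64.b64decode(dep.find(f".//{{{DSIG}}}DigestValue").text)
    return (int(dep.get("size")) == len(app_bytes)
            and recorded == hashlib.new(alg, app_bytes).digest())

# --- Constructed sample manifests (heavily reduced, not real mage output) ---
HEAD = (f'<asmv1:assembly xmlns="{ASM2}" xmlns:dsig="{DSIG}" '
        'xmlns:asmv1="urn:schemas-microsoft-com:asm.v1">')
SIGNATURE = ('<publisherIdentity name="CN=Example Publisher" issuerKeyHash="00"/>'
             f'<Signature xmlns="{DSIG}"/>')

def sample_app_manifest(signed):
    return (HEAD + (SIGNATURE if signed else "") + "</asmv1:assembly>").encode()

def sample_deploy_manifest(app_bytes):
    digest = base64.b64encode(hashlib.sha256(app_bytes).digest()).decode()
    return (HEAD + '<dependency><dependentAssembly dependencyType="install" '
            f'codebase="MyApp.exe.manifest" size="{len(app_bytes)}"><hash>'
            f'<dsig:DigestMethod Algorithm="{DSIG}sha256"/>'
            f'<dsig:DigestValue>{digest}</dsig:DigestValue></hash>'
            '</dependentAssembly></dependency>' + SIGNATURE + "</asmv1:assembly>").encode()

if __name__ == "__main__":
    deploy = sample_deploy_manifest(sample_app_manifest(signed=False))  # built first
    resigned_app = sample_app_manifest(signed=True)   # app manifest signed afterwards
    print(manifest_status(resigned_app), manifest_status(deploy))
    print("stale reference:", not app_manifest_reference_ok(deploy, resigned_app))
```

Against a real publish folder, pass the bytes of the `.application` file and of the `.exe.manifest` it references instead of the constructed samples.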

0 Answers