We purchased the Microsoft Authenticode certificate from Thawte. Now I have it in a PFX file. I try the following:
D:\sign>signtool sign /f ./cert/cert.pfx /p mypass /t http://timestamp.verisign.com/scripts/timstamp.dll "mySetup.exe"
Done Adding Additional Store
Successfully signed and timestamped: mySetup.exe
But when I run mySetup.exe, it runs as if unsigned and shows "Unknown Publisher".
When I verify the EXE file with SignTool, I get the following:
D:\sign>SignTool verify mySetup.exe
SignTool Error: WinVerifyTrust returned error: 0x800B010A
SignTool Error: File not valid: mySetup.exe
Number of errors: 1
What is wrong?
It may be related to the fact that Thawte uses an Intermediate Certificate for signing. They consider this to be within best practices, which I won't argue one way or the other.
From an end user standpoint, however, this can lead to complications. This is a known issue with VSTO (Visual Studio Tools for Office) solutions using ClickOnce, and may be what is affecting you here.
The solution for dealing with this is, sadly, that you will need to add the appropriate Intermediate CA's cert to all end user machines:
Resolution
The workaround to this issue is to include the Intermediate Certificate Authorities’ certificate on all end user machines where the application will be installed. As of now the issue is reported only with the handling of Thawte certificate and would require that Thawte intermediate certificate be installed on the end user's machine.
Thawte provides links to the appropriate CA certs for their Intermediate Certificates
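A way to check the condition this answer describes on a given machine, as an added example that is not part of the original answer: it builds the signer's certificate chain from the machine's own certificate stores and reports whether the signer's issuer is present in the Intermediate Certification Authorities store. The function name `Test-SignerChain` and the file path are assumptions for illustration.

```powershell
# Added example (not from the original post). Test-SignerChain is a hypothetical helper name.
function Test-SignerChain {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        throw "No Authenticode signature found on $Path"
    }

    # Build the chain from this machine's stores only; certificates embedded
    # in the file's signature are deliberately not added as an extra store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation so the check does not depend on CRL/OCSP reachability.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($sig.SignerCertificate)

    # One row per certificate that could be located, leaf first.
    $elements = foreach ($e in $chain.ChainElements) {
        [pscustomobject]@{
            Subject = $e.Certificate.Subject
            Issuer  = $e.Certificate.Issuer
            Status  = ($e.ChainElementStatus.Status -join ', ')
        }
    }

    # Name match of the signer's issuer against the Intermediate CA stores.
    $issuer = $sig.SignerCertificate.Issuer
    $inCaStore = @(Get-ChildItem Cert:\LocalMachine\CA, Cert:\CurrentUser\CA |
        Where-Object { $_.Subject -eq $issuer }).Count -gt 0

    [pscustomobject]@{
        File            = $Path
        SignatureStatus = $sig.Status
        StatusMessage   = $sig.StatusMessage
        ChainBuilt      = $built
        ChainStatus     = ($chain.ChainStatus.Status -join ', ')
        IssuerInCAStore = $inCaStore
        Elements        = $elements
    }
}

# mySetup.exe is the file name used in the question.
Test-SignerChain -Path .\mySetup.exe | Format-List
```

A `ChainStatus` of `PartialChain` together with `IssuerInCAStore` being `False` indicates that the intermediate certificate could not be found on that machine.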