SmartScreen shows "Unknown Publisher" even though signed correctly using a trusted certificate.

  • Question

  • We are developing a .NET 4.0 application deployed with ClickOnce where customers download it from our web site. The deployment has been signed with our recently purchased Authenticode certificate.

    (The product is still in development and I cannot give you the actual install here on a public forum).

    When installing the application on Windows 8, SmartScreen blocks the install (I understand we need to build more reputation), but then clicking "More Info" the publisher name is shown as "Unknown Publisher", see below.

    Please advise, as it seems something is wrong and we fear that despite having followed all the requirements our product will never be trusted by SmartScreen.

    This is despite the ClickOnce Installer and everything else recognising the publisher correctly:



    • Edited by markmnl Thursday, June 26, 2014 2:32 AM
    Thursday, June 26, 2014 2:20 AM

Answers

  • Hello markmnl,

    There is already a good article which is written by Robin about your issue, see the following thread:

    http://robindotnet.wordpress.com/2013/02/24/windows-8-and-clickonce-the-definitive-answer-2/

    Check the following steps: (The forum does not support so many images, please navigate to that blog to see details. I copied Robin's words; I just want to make this post clear.)

    "

    Is there a way to circumvent your ClickOnce application being captured and stopped by the Smart Screen Filter? Yes. Otherwise, this would be a much shorter (and depressing) article. All you have to do is sign the application executable after building it and before deploying it. For this, you need your signing certificate and signtool.exe, which is one of the .NET Framework tools. There are three points in the build/publish process at which you can do this:

    1. Post-publish

    2. Post-build

    3. Pre-publish

    #1: Signing the application executable post-publish

    To do it post-publish, you have to do the following:

    • a. Publish the files to a local directory.
    • b. Use signtool to sign the exe for the application.
    • c. Use mage or mageUI to re-sign the application manifest (.exe.manifest).
    • d. Use mage or mageUI to re-sign the deployment manifest (.application).
    • e. Copy the files to the deployment location.

    If you’ve already automated your deployment with a script and msbuild, this may be the choice you make. If you publish directly from Visual Studio, the other two options are easier.

    #2: Signing the application executable post-build

    To do this, you define a post-build command in your project. Assuming your certificate (pfx file) is in the top level of your project, you can use something like this:

    "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\bin\signtool.exe" sign /f "$(ProjectDir)TestWin8CO_TemporaryKey.pfx" /p nightbird /v "$(ProjectDir)obj\x86\$(ConfigurationName)\$(TargetFileName)"

    • The double quotes are required.
    • “C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\bin\signtool.exe” is the path to the signtool application, used to sign the executable.
    • $(ProjectDir) points to the top directory of the project. The subfolder “\obj\x86” will vary depending on your build output path. The above was created and tested on VS2010. On VS2012, my subfolder is just \obj.
    • $(ConfigurationName) is the build configuration name, such as Debug or Release – this is required because it signs it in the obj directory and has to know which folder to use.
    • $(TargetFileName) is the name of the application executable.
    • TestWin8CO_TemporaryKey.pfx is the name of my certificate file, which is in the top folder of my project.
    • /p nightbird – this is the password for my temporary certificate

    I have specified the full path to signtool.exe. I tried to do this with one of the msbuild variables that points to the location of the .NET framework files, but it doesn’t work – it doesn’t translate the variable until after it executes the statement. If you print it out in the post-build command, it shows the right location in the Visual Studio output window, but gives you an error that it can’t find it when it actually runs this statement. I’m saving you some time here, because I messed around with that for quite a while trying to get it to work, and after asking Saurabh at Microsoft, he couldn’t get it to work without specifying the whole path, either. So if you get it to work with a msbuild variable, let me know how.

    After you’ve created your version of the post-build command, you need to put it in the project properties. Double-click on Properties and click on the Build Events tab. Put your command in the Post-build event command line box.

    Now build the project, and the output window will show the results.

    If you now publish the application and put the files in the deployment directory, the user can install it and will not see the Smart Screen Filter. Yay!

    What if you have multiple programmers working on the application, and they all build and run the application? Every programmer must have signtool.exe in the exact same location for this post-build command to work for everybody. If you have a 32-bit machine, the folder for the “Microsoft SDKs” is under “C:\Program Files”, without the “(x86)” on the end. And someone might actually install Windows to a drive other than C. If their signtool.exe file is not in the same location, they can’t build and run the application, which means they can’t put in changes and test them.

    Only the person publishing the application really needs this build command to work. So how do you execute this only for the person publishing the application? You can set up a pre-publish command.

    #3: Signing the application executable pre-publish (recommended solution)

    The pre-publish command is executed after building the application and right before publishing it. There is no box for this under Build Events, so you have to add it to the project yourself. (Be sure to clear out the post-build event command line before doing this.)

    To add a pre-publish command, right-click on the project in Visual Studio and select “Unload Project”.

    Now right-click on the project again and select “Edit yourprojectname.csproj”.

    It will open the csproj file in Visual Studio so you can edit it. Go down to the bottom and add a new section before the </Project> line. You’re going to put your pre-publish command line in this section.

    <Target Name="BeforePublish">

    </Target>

    So what do you put in this section? You are going to specify a command to execute, so you have to use Exec Command, and put the command to execute in double quotes. Since you can’t put double-quotes inside of double-quotes (at least, not if you want it to work), you need to change the double-quotes in your command to &quot; instead. So my build command from above now looks like this:

    <Exec Command="&quot;C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\bin\signtool.exe&quot; sign /f &quot;$(ProjectDir)TestWin8CO_TemporaryKey.pfx&quot; /p nightbird /v &quot;$(ProjectDir)obj\x86\$(ConfigurationName)\$(TargetFileName)&quot;" />

    After making this match your parameters, save the csproj file and then close it. Then right-click on the project and reload it:

    Now if you build your project, you won’t see anything about signing the application executable in the output window. It will only do it if you publish, and there won’t be logging letting you know it signed it. How do you know if it worked? Go to the folder you published to, and look in the Application Files folder. Locate the application executable in the folder for the new version. Right-click on it, choose properties. Look for a tab called “Digital Signatures”. If it’s not found, it’s not signed. If you do see it, go to that tab; it will show the signature list and the signer of the certificate. You can double-click on the signer and then view the signing certificate.

    "

    Regards,



    Barry Wang

    • Marked as answer by markmnl Friday, June 27, 2014 2:29 AM
    Friday, June 27, 2014 2:24 AM
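The post-publish route (steps a to e above) is the one you take when publishing is already scripted, and it is also the easiest one to verify. The script below is an added example written for this thread; it is not code from the forum post, from Robin's article or from the ClickOnce tooling. It does what the steps describe: strips the ".deploy" suffix ClickOnce may add to payload files, Authenticode-signs the application executable with signtool (the file ClickOnce itself leaves unsigned, which is why SmartScreen reports "Unknown Publisher" while the ClickOnce prompt shows the right publisher), re-signs the application and deployment manifests with mage so their file hashes match the now-modified exe, checks the result with Get-AuthenticodeSignature (the scripted equivalent of looking at the "Digital Signatures" tab), and only then copies the publish folder to the deployment location. Everything in the param block is a placeholder you must adjust (SDK paths, application name, publish and deploy folders, pfx path; the password is read from an assumed SIGN_PFX_PASSWORD environment variable), the optional /tr timestamp URL is an addition not discussed in the post, and the script assumes mage's -Update recomputes hashes and re-signs with the given certificate.

```powershell
# Added example: automate ClickOnce post-publish signing (steps a-e) and verify it.
# All paths and names below are placeholders (assumptions), not values from the thread.
param(
    [string]$PublishDir   = "C:\publish\MyApp",            # step a: local publish output
    [string]$DeployDir    = "\\webserver\wwwroot\MyApp",   # step e: final deployment location
    [string]$AppName      = "MyApp",                       # yields MyApp.exe / MyApp.application
    [string]$PfxPath      = "C:\certs\MyCompany.pfx",
    [string]$PfxPassword  = $env:SIGN_PFX_PASSWORD,        # assumed env var, keeps the password out of the script
    [string]$SignTool     = "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\bin\signtool.exe",
    [string]$Mage         = "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\bin\mage.exe",
    [string]$TimestampUrl = ""                             # optional RFC 3161 timestamp server of your CA
)
$ErrorActionPreference = "Stop"

# The newest folder under "Application Files" is the version that was just published.
$versionDir = Get-ChildItem (Join-Path $PublishDir "Application Files") -Directory |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
$exe            = Join-Path $versionDir.FullName "$AppName.exe"
$appManifest    = "$exe.manifest"
$deployManifest = Join-Path $PublishDir "$AppName.application"

# ClickOnce may publish payload files as "<name>.deploy"; strip the suffix so
# signtool and mage see the real file names, and restore it at the end.
$deployFiles = Get-ChildItem $versionDir.FullName -Recurse -Filter "*.deploy"
$deployFiles | ForEach-Object { Rename-Item -Path $_.FullName -NewName ($_.Name -replace '\.deploy$', '') }

# Step b: Authenticode-sign the executable. This is the signature SmartScreen
# evaluates; ClickOnce on its own signs only the two manifests.
$signArgs = @("sign", "/f", $PfxPath, "/p", $PfxPassword, "/v")
if ($TimestampUrl) { $signArgs += @("/tr", $TimestampUrl, "/td", "sha256") }  # signature stays valid after the cert expires
& $SignTool @signArgs $exe
if ($LASTEXITCODE -ne 0) { throw "signtool failed on $exe" }

# Step c: the exe hash changed, so the application manifest must be updated and re-signed
# (assumption: mage -Update recomputes the file hashes and signs with the given certificate).
& $Mage -Update $appManifest -CertFile $PfxPath -Password $PfxPassword
if ($LASTEXITCODE -ne 0) { throw "mage failed on $appManifest" }

# Step d: the application manifest hash changed, so the deployment manifest must follow.
& $Mage -Update $deployManifest -AppManifest $appManifest -CertFile $PfxPath -Password $PfxPassword
if ($LASTEXITCODE -ne 0) { throw "mage failed on $deployManifest" }

# Verify before shipping: the scripted version of the "Digital Signatures" tab check.
# Status is NotSigned when signtool never ran, and not Valid when the chain does not
# reach a trusted root on this machine, which is the case to catch before deploying.
$sig = Get-AuthenticodeSignature $exe
if ($sig.Status -ne "Valid") { throw "$exe signature status is $($sig.Status), not Valid" }
Write-Host "Executable signed by: $($sig.SignerCertificate.Subject)"

# Put the ".deploy" suffixes back so the published layout matches the manifests.
$deployFiles | ForEach-Object { Rename-Item -Path ($_.FullName -replace '\.deploy$', '') -NewName $_.Name }

# Step e: copy the verified publish output to the deployment location.
Copy-Item -Path $PublishDir -Destination $DeployDir -Recurse -Force
```

Run it from the machine that publishes, after publishing to the local folder and before copying anything to the web server. The order matters: the exe must be signed before the application manifest is updated, and the application manifest before the deployment manifest, because each manifest carries the hash of the file below it. Parameterising the signtool and mage paths also avoids the problem described above for post-build commands, where every developer needs the SDK in exactly the same location.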

All replies

  • Thanks! I found that yesterday and it worked! (In a nutshell: you have to sign the exe as well as the deployment; ClickOnce only signs the deployment.)
    Friday, June 27, 2014 2:30 AM
  • Hi Barry and Mark,

    Your posts were very useful to me! Unfortunately, the original blogpost doesn't contain the images anymore.

    I've tried to sign my app and installer using step 1 (post-publish), and noted two issues:

    • I don't receive an application.exe after publishing locally using ClickOnce. Do you have an idea why this is? (What I've tried is to copy the application.exe.deploy to the top folder and remove the ".deploy"; then I've signed it using SignTool as described above.)
    • However, SmartScreen still shows up. The installer itself then shows my application is by a trusted publisher (with the correct certificate).

    Any help is much appreciated!

    thanks,

    casaout

    Friday, May 17, 2019 2:55 PM