Why do I still get trust prompts for a signed VSTO deployment manifest although the cert was imported into trusted publisher list on client?

  • Question

  • Hi all,

    I already read several threads about the issue and also applied http://support.microsoft.com/kb/970682. Nonetheless I still keep getting the trust prompt with the 'Unknown Publisher' when trying to use the file with the customization installer.

    My Authenticode cert used for the code signing is assigned by an intermediate CA (VeriSign Class 3 Code Signing 2004 CA) that is signed by a root CA (VeriSign Class 3 Public Primary Certification Authority). I imported the cert of the intermediate CA into the Trusted Publisher store, the Root CA was already in the correct store. I really have no clue why the trust cannot be established. Since I have to configure hundreds of clients and do not want to switch the trust prompt off completely, I have to go for a way that hides the trust prompt pop-up if a trust is there (which is the case here and which works fine for executables signed with the same cert).

    Any ideas?

    Regards, Gerald

     

    Monday, April 18, 2011 1:11 PM

All replies

  • Gerald,

    did you also add the code-signing certificate to the trusted publisher list, not just the cert for the intermediate certificate authority?

    m.


    Monday, April 18, 2011 7:57 PM
    Moderator
  • Hi Mary,

    yes, the cert (at least the public key part) that I used for code signing has been imported to the Trusted Publisher list, both for the local computer and my user certificate store.

    Gerald

     

    Tuesday, April 19, 2011 10:08 AM
  • Can you also try adding the certificate to the root store?

    Which version of Office, VSTO, and Visual Studio are you using?

    m.

     

    Tuesday, April 19, 2011 6:45 PM
    Moderator
  • Hi Mary,

    all certs in the chain

    - the one used for signing

    - the one from the intermediate CA

    - and the one from the root CA

    have been imported in the Trusted Root CA store and the Trusted Publisher store, both for the user and the machine specific store.

    I am using Office 2007, VSTO 3.0 and VS 2008

    Regards, Gerald

    Wednesday, April 20, 2011 6:50 AM
  • Hi Gerald,

    Did you ever find a solution to this issue? I'm in a similar situation where the cert used for signing (through Verisign) is missing the intermediate (CN = VeriSign Class 3 Code Signing 2009-2 CA). When that is manually added to Local Machine -> Intermediate Cert Authorities the issue persists, but when added to a particular user's Current User -> Intermediate Cert Authorities they do not receive the trust prompt.

    I'm wondering if this is a similar case. Mary, do you have any guidance in this situation?

    Thanks!

    Casey

    Friday, May 27, 2011 6:59 PM
  • Hi Casey,

     

    In the end it turned out to be quite simple: our final assembly used an old version of the mage.exe tool for signing... Did you try to add the cert to the trusted publisher store on that machine?

    Regards, Gerald

    Wednesday, June 15, 2011 11:37 AM
  • Hey Gerald,

    In our case we were already adding our cert to the trusted publishers store; however, the cert showed as invalid on the target machines due to a missing intermediate cert. I used the Office key propagation mechanism to add the VSTO trust relationship, which is solving the problem. Fun times!

    Ping me if you'd like more details.

    Casey

    Wednesday, June 15, 2011 2:24 PM
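
The checks discussed in this thread (is the signing cert in Trusted Publishers, does the chain build, and does the answer differ between the user and machine stores) can be run on a client with the script below. It is an added example, not code from any poster or from Microsoft. `$CertPath` and the function name `Test-CertInStore` are hypothetical, and revocation checking is switched off so that only chain building and store placement are reported.

```powershell
# Added example (not from the thread). $CertPath is a hypothetical path to the
# exported public certificate (.cer) that was used to sign the manifests.
param([string]$CertPath = '.\signing-cert.cer')

$X509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$X509.X509Certificate2" -ArgumentList (Resolve-Path $CertPath).Path

function Test-CertInStore($Certificate, $StoreName, $Location) {
    # True if a certificate with the same thumbprint is in the given store.
    $store = New-Object "$X509.X509Store" -ArgumentList $StoreName, $Location
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        [bool]($store.Certificates |
            Where-Object { $_.Thumbprint -eq $Certificate.Thumbprint })
    } finally { $store.Close() }
}

$rows = foreach ($useMachine in $false, $true) {
    $context = if ($useMachine) { 'LocalMachine' } else { 'CurrentUser' }

    # Build the chain once per context; a missing intermediate shows up
    # as ChainValid = False with a PartialChain status.
    $chain = New-Object "$X509.X509Chain" -ArgumentList $useMachine
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $valid  = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
        $c = $chain.ChainElements[$i].Certificate
        # Leaf belongs in Trusted Publishers, a self-signed top in Root,
        # everything in between in Intermediate Certification Authorities.
        $storeName = if ($i -eq 0) { 'TrustedPublisher' } elseif ($c.Subject -eq $c.Issuer) { 'Root' } else { 'CertificateAuthority' }
        $sn = [System.Security.Cryptography.X509Certificates.StoreName]$storeName
        $sl = [System.Security.Cryptography.X509Certificates.StoreLocation]$context

        New-Object PSObject -Property @{
            Context       = $context
            ChainValid    = $valid
            ChainStatus   = $status
            Subject       = $c.Subject
            ExpectedStore = $storeName
            Present       = Test-CertInStore $c $sn $sl
        }
    }
}

$rows | Select-Object Context, ChainValid, ChainStatus, ExpectedStore, Present, Subject |
    Format-Table -AutoSize
```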