locked
ClickOnce Unknown Publisher RRS feed

  • Question

  • Hello,

    I am trying to release a clickonce application and I have code signed it but still it shows as unknown publisher when someone tries to download it. For one user the application was blocked by norton considering it as a threat.

    Can someone help me please?


    Student For Life
    Thursday, September 2, 2010 7:56 PM

Answers

  • I hate to tell you this, but you aren't a trusted publisher. If someone could declare themselves a trusted publisher just by using makecert, there's be no use for Verisign.

    When you buy a certificate from someone like Verisign, they investigate you and make sure you are a valid company, and you are who you say you are, and you do what you say you do, and are not someone writing malware. Then they issue you a certificate and you use it to sign your code, and people know they can trust the software because it comes up and says it's from you, and if they click on it, it says you are verified by Verisign and you are a trusted publisher.

    The other way to be a trusted publisher is if you work in an enterprise, the server guys can usually give you a trusted certificate that chains back to them.

    If you have a verisign certificate in the cert store on your computer, where did it come from? Is it yours or is it from some other software that got installed? What format does it export it as, and do you have the private key required to use it?

    RobinDotNet


    Click here to visit my ClickOnce blog!
    Microsoft MVP, Client App Dev
    • Proposed as answer by Jing0 Tuesday, September 7, 2010 3:17 AM
    • Marked as answer by Vayuu Tuesday, September 7, 2010 7:40 PM
    Saturday, September 4, 2010 7:47 AM

All replies

  • To change "unknown publisher" to an actualy publisher, you have to get a signing certificate from a trusted source, such as your network administrator or a certificate authority such as Verisign.

    So when you say you have the code signed, are you using the test certificate created in Visual Studio? That one does not chain back to a trusted authority.  Or are you using a certificate from someone like Verisign and it's still saying unknown publisher?

    RobinDotNet


    Click here to visit my ClickOnce blog!
    Microsoft MVP, Client App Dev
    • Proposed as answer by Jing0 Tuesday, September 7, 2010 3:17 AM
    • Unproposed as answer by Vayuu Tuesday, September 7, 2010 7:40 PM
    Friday, September 3, 2010 6:28 PM
  • I created my own certificate using the visual studio command prompt and then used it to sign the code. I referred to this link

    http://msdn.microsoft.com/en-us/library/che5h906(v=VS.80).aspx

     

    But when I try to install it on some computer it shows unknown publisher and Norton actually blocks the setup file and deactivates it.

     

    Other than that  I also tried to export the verisign certificate from the store which can be used for code signing. But I cannot export it as a pfx file.

     


    Student For Life
    Saturday, September 4, 2010 1:38 AM
  • I hate to tell you this, but you aren't a trusted publisher. If someone could declare themselves a trusted publisher just by using makecert, there's be no use for Verisign.

    When you buy a certificate from someone like Verisign, they investigate you and make sure you are a valid company, and you are who you say you are, and you do what you say you do, and are not someone writing malware. Then they issue you a certificate and you use it to sign your code, and people know they can trust the software because it comes up and says it's from you, and if they click on it, it says you are verified by Verisign and you are a trusted publisher.

    The other way to be a trusted publisher is if you work in an enterprise, the server guys can usually give you a trusted certificate that chains back to them.

    If you have a verisign certificate in the cert store on your computer, where did it come from? Is it yours or is it from some other software that got installed? What format does it export it as, and do you have the private key required to use it?

    RobinDotNet


    Click here to visit my ClickOnce blog!
    Microsoft MVP, Client App Dev
    • Proposed as answer by Jing0 Tuesday, September 7, 2010 3:17 AM
    • Marked as answer by Vayuu Tuesday, September 7, 2010 7:40 PM
    Saturday, September 4, 2010 7:47 AM
  • Robin,

    Thanks for your reply, it has made things much more clearer now. If I get the certificate from verisign or from the server and then sign the code, will norton still block it?


    Student For Life
    Tuesday, September 7, 2010 2:24 PM
  • I don't know what Norton will do. Before you actually buy a certificate, if you want to find out, you can install my company's product. If you go to www.goldmail.com, you can sign up for a free account, and then download and install the software.

    It uses ClickOnce, and right now it targets .NET 2.0, but we have a new release tonight, and we will be changing that to .NET 3.5. In fact, if you install the .NET 2.0 version, then when you run it tomorrow, it will automatically uninstall itself and install the new version targeting .NET 3.5. That's how we're changing the prerequisite.

    RobinDotNet


    Click here to visit my ClickOnce blog!
    Microsoft MVP, Client App Dev
    Tuesday, September 7, 2010 5:29 PM
  • Your software worked and wasn't blocked. Also, I figured that it downloaded just one setup file and then the rest was installed. For my app, it downloads the setup file and then downloads .application file. I think once I code sign it, things should be good.
    Student For Life
    Tuesday, September 7, 2010 7:39 PM
  • I don't know why yours would download the files separately, unless you are using Firefox. Mine is a standard ClickOnce deployment. We point to the setup.exe file, the user clicks the button and gets the prompt for running it or saving it and running it. After it installs the prerequisites (or not, if not needed), the setup.exe (bootstrapper) invokes the ClickOnce application by calling the .application file.

    You might want to check and make sure the MIME types are set up correctly on the server. Maybe it's having a problem figuring out how to serve up the deployment manifest (.application file) and the browser is figuring it out after it downloads it. This article gives the most current list of MIME types:

    http://robindotnet.wordpress.com/2010/06/12/mime-types-for-clickonce-deployment/

    Ours works the same whether we sign it with a Verisign certificate or not. The only difference is that it says we're a trusted publisher if we use a valid certificate. And apparently it makes it through firewalls.
    ;-)

    RobinDotNet


    Click here to visit my ClickOnce blog!
    Microsoft MVP, Client App Dev
    Tuesday, September 7, 2010 8:48 PM
  • We got a certificate finally and then I tried to sign my application.

     

    It says Cannot find the certificate and private key for decryption.

     

    I am using the pfx file that we were issues by the authority. I read some blogs and found that I need to import it and then export it..That didn't work either.


    Student For Life
    Wednesday, September 8, 2010 9:39 PM
  • I have the situation where setup.exe is signed by the certificate and looks good, but the .application somehow gives "unknown publisher". This definitely worked before. What's going on?

    When I run setup.exe it correctly indicates my company but when it goes to the step of launching the .application it says unknown. If I try to launch the .application directly it says unknown.

    Any thoughts as to what is going on?

    Saturday, May 5, 2012 11:11 AM
  • Please don't post the same question to multiple threads. I've answered you in the other thread, which is here:

    http://social.msdn.microsoft.com/Forums/en-US/winformssetup/thread/16236f8c-164c-4453-9154-d1b780e729e0

    RobinDotNet


    Click here to visit my ClickOnce blog!
    Microsoft MVP, Client App Dev

    Saturday, May 5, 2012 6:04 PM