Getting rid of the "Unidentified Publisher" message

From Ben's Writing


Introduction

The following assumes that you have administrative rights and that you have at least Visual Studio 2005 installed, with its "common" tools in your path (i.e. C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\Bin). Both procedures below only remove the warning on machines where you install the root certificate; they are not a substitute for a certificate from a public CA.

For general information on the tools used, see:

The ones we use are makecert, signtool, certmgr and pvk2pfx.

The cheap and dirty way

  • Make a self-signed certificate with an exportable private key, kept in a new LocalMachine store called PatchStore:
makecert -r -pe -sr LocalMachine -ss PatchStore -n "CN=PatchCert" patch.cer
  • Sign the executable with that certificate and have Verisign timestamp the signature (the /t URL needs network access; the timestamp keeps the signature valid after the certificate itself expires):
signtool sign /v /s PatchStore /n PatchCert /t \
         http://timestamp.verisign.com/scripts/timestamp.dll patch.exe
  • Add the new certificate to the root store of the local machine, so that this machine (and only this machine) trusts anything signed with it:
certmgr -add patch.cer -s -r LocalMachine Root
  • Optionally, verify that the signature worked and chains to a trusted root:
signtool verify /v /pa patch.exe

Further comments to come.

The long, tedious and—ultimately—useful way

  • Create a self-signed root certificate (CondorRootCA); use PASSWORD1 as the password for its private key (you will type it 3 times). SHA-1 is deprecated for code signing, so with a newer SDK prefer -a sha256 here and /fd sha256 on the signtool sign line:
makecert -r -sr LocalMachine -ss CondorStore \
         -n "CN=Condor Project Root Certificate Authority" \
         -sv CondorRootCA.pvk -a sha1 -sky signature \
         CondorRootCA.cer
  • Create a child certificate (CondorCodeSigningCA) for code signing, issued by the root. Choose PASSWORD2 as the password for the new key, and when you are asked for the Issuer Signature password, type PASSWORD1:
makecert -sv CondorCodeSigningCA.pvk -iv CondorRootCA.pvk \
         -n "CN=Condor Project Software Code Signing CA" \
         -ic CondorRootCA.cer CondorCodeSigningCA.cer 
  • Bundle the signing key and certificate into a PFX (PKCS #12, Personal Information Exchange) file. You will be prompted for the .pvk password (PASSWORD2); -po sets the password on the resulting PFX:
pvk2pfx.exe -pvk CondorCodeSigningCA.pvk -spc CondorCodeSigningCA.cer \
            -pfx CondorCodeSigningCA.pfx -po PASSWORD2
  • Use the PFX file to sign and timestamp patch.exe:
signtool sign /f CondorCodeSigningCA.pfx /p PASSWORD2 /v /t \
         http://timestamp.verisign.com/scripts/timestamp.dll patch.exe
  • Add the root certificate (not the signing certificate) to the root store of the local machine; the signing certificate is trusted through its chain to the root:
certmgr -add CondorRootCA.cer -s -r LocalMachine Root
  • Optionally, verify that the signature worked and chains to a trusted root:
signtool verify /v /pa patch.exe

Run patch.exe. The UAC prompt on Vista should now name the publisher as "Condor Project Software Code Signing CA", i.e. the CN of the signing certificate. This holds only on machines where CondorRootCA.cer has been added to the trusted root store; everywhere else the file still shows as an unidentified publisher. Anyone holding CondorCodeSigningCA.pfx (or the .pvk) and PASSWORD2 can sign as that publisher, so keep those files out of the build share.
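The same long procedure as one script, added here as an illustration and not part of the original page: it runs the tools in order, stops on the first non-zero exit code (the SDK tools print errors but a script would otherwise carry on), and uses PowerShell's Get-AuthenticodeSignature to check the chain before and after the root is trusted, instead of relying on the UAC dialog. It assumes makecert, pvk2pfx, signtool and certmgr are on PATH and that it runs from an elevated prompt; the file names, subject names, passwords and timestamp URL are the ones used above, while Invoke-Tool is a helper of ours and the -pi flag on pvk2pfx (the .pvk password, which the page lets pvk2pfx prompt for) is an addition.

```powershell
# Added example, not from the original page. Assumes an elevated prompt and the
# VS/SDK tools (makecert, pvk2pfx, signtool, certmgr) on PATH.
$ErrorActionPreference = 'Stop'

$RootPvk   = 'CondorRootCA.pvk';        $RootCer = 'CondorRootCA.cer'
$SignPvk   = 'CondorCodeSigningCA.pvk'; $SignCer = 'CondorCodeSigningCA.cer'
$SignPfx   = 'CondorCodeSigningCA.pfx'
$Password2 = 'PASSWORD2'   # signing key / PFX password (page's placeholder; use a real one)
$Target    = 'patch.exe'
$Timestamp = 'http://timestamp.verisign.com/scripts/timestamp.dll'

function Invoke-Tool {
    # Run an external tool and fail on a non-zero exit code. Invoke-Tool is our
    # helper, not an SDK command.
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($ToolArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Self-signed root; makecert prompts for PASSWORD1 for the root key.
Invoke-Tool makecert @('-r', '-sr', 'LocalMachine', '-ss', 'CondorStore',
    '-n', 'CN=Condor Project Root Certificate Authority',
    '-sv', $RootPvk, '-a', 'sha1', '-sky', 'signature', $RootCer)

# 2. Signing certificate issued by the root; makecert prompts for PASSWORD2
#    (new key) and PASSWORD1 (issuer key).
Invoke-Tool makecert @('-sv', $SignPvk, '-iv', $RootPvk,
    '-n', 'CN=Condor Project Software Code Signing CA',
    '-ic', $RootCer, $SignCer)

# 3. Bundle key and certificate into a PFX (PKCS #12).
#    -pi is the .pvk password, -po the password on the resulting PFX.
Invoke-Tool pvk2pfx @('-pvk', $SignPvk, '-spc', $SignCer, '-pfx', $SignPfx,
    '-pi', $Password2, '-po', $Password2)

# 4. Sign and timestamp the binary (the /t URL needs network access).
Invoke-Tool signtool @('sign', '/f', $SignPfx, '/p', $Password2, '/v',
    '/t', $Timestamp, $Target)

# Before the root is trusted the signature is cryptographically fine but the
# chain is not: the status is something other than Valid, which is what the
# "Unidentified Publisher" dialog is telling the user.
$before = Get-AuthenticodeSignature $Target
"Before trusting root: $($before.Status) - $($before.StatusMessage)"

# 5. Trust the root on this machine only; every other machine still warns.
Invoke-Tool certmgr @('-add', $RootCer, '-s', '-r', 'LocalMachine', 'Root')

# 6. Verify the way Windows will: a chain to a trusted root, the expected
#    signer subject, and a timestamp so the signature outlives the certificate.
$after = Get-AuthenticodeSignature $Target
if ($after.Status -ne 'Valid') {
    throw "signature not trusted: $($after.StatusMessage)"
}
if ($after.SignerCertificate.Subject -notmatch 'Condor Project Software Code Signing CA') {
    throw "unexpected signer: $($after.SignerCertificate.Subject)"
}
if ($null -eq $after.TimeStamperCertificate) {
    Write-Warning 'no timestamp: the signature will expire with the certificate'
}
"Signed by $($after.SignerCertificate.Subject); chain to trusted root OK"
```

Printing the status before step 5 is deliberate: it shows that installing the root, not signing, is what changes the verdict, which is the point to remember when a user on another machine reports that the warning is still there.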
