"Publisher Could Not Be Verified" on .dll


One of my .dll files is unsigned, and every single time I run the program that uses it, it pops up with this warning:

[screenshot of the "Publisher Could Not Be Verified" popup]

I've tried to edit the following registry key to include both .exe and .dll files HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes, but it still gives me the warning. How can I get rid of this? I don't mind if I have to disable the warning globally or anything, I'm just sick of seeing it. And to be clear, this file is not on a network share or anything--it's just on my hard drive.

I'm running the latest build (not Insider) of Windows 10 Home by the way.

Kurausukun

Posted 2020-01-12T09:18:42.770

Reputation: 119

Relevant with regards to the last duplicate https://superuser.com/questions/1018145/windows-starter-edition-home-and-home-premium-do-not-include-gpedit-how-do-i-i

– Ramhound – 2020-01-12T15:00:03.497

@Ramhound All group policy editor does is provide a GUI for changing registry values, right? I don't think it would help because I don't have 10 Pro so it just doesn't look for those keys (unless I'm mistaken). – Kurausukun – 2020-01-13T22:10:34.750

The duplicates are more than just that single key you modified. – Ramhound – 2020-01-13T22:11:57.027

@Ramhound The answers either refer to accessing files on network shares or using the exact registry key that I mentioned. As I said, the registry key does not work for me, and I am not accessing files over a network, so neither of these apply to me and I still do not have a solution. – Kurausukun – 2020-01-13T22:16:12.237

"am not accessing files over a network" - Your question does mention this fact. Could you provide the relevant information from the Security and General tab on the properties of the file in question? – Ramhound – 2020-01-13T22:17:39.730

Sorry, I thought the lack of mentioning it made it clear it was not happening, especially since there are multiple other questions relating to this issue for files over a network--sadly I would have fixed this by now if that were the issue. I'm not sure what information you need, but everyone has read and execute permission for it, and the owner is SYSTEM. – Kurausukun – 2020-01-13T22:19:28.003

Does this answer your question? How to get rid of "the publisher cannot be verified" on network files?

– Burgi – 2020-01-21T15:02:27.370

Answers


The simplest solution is to create a self-signed CA (Certificate Authority), using it to sign a code signing cert, which then signs BPSRegWD64.dll (provided you 100% trust that library).


Use openssl to create the CA and code signing cert, then SignTool.exe to sign BPSRegWD64.dll

  1. Install OpenVPN, ensuring C:\Program Files\OpenVPN\bin is added to System PATH
    OpenSSL doesn't create Windows binaries, so it's simpler to install software it's bundled with

  2. Download this openssl.cnf to Create Required Certs (KU and EKU info):
    Save as %UserProfile%\Documents\SSL\openssl.cnf; req. commands/info begin on Line 430

    1. Create required directories and files for OpenSSL via a PowerShell terminal:
      WinKey+R > Open: Powershell > OK

      # Create PowerShell variable for $docs:
        $docs = [Environment]::GetFolderPath("MyDocuments")
      
      # Create OpenSSL Directories
        MkDir "$docs\SSL\ca"
        MkDir "$docs\SSL\cert"
        MkDir "$docs\SSL\crl"
        MkDir "$docs\SSL\csr"
        MkDir "$docs\SSL\key"
        MkDir "$docs\SSL\p12"
      
      # Create File: crlnumber
      # (written as ASCII: PowerShell's > redirection writes UTF-16, which OpenSSL cannot parse,
      #  and a bare 01/00 argument would be echoed as the number 1/0)
        Set-Content -Path "$docs\SSL\crl\crlnumber" -Value "01" -Encoding Ascii
      
      # Create File: index (empty)
        New-Item -ItemType File -Path "$docs\SSL\index"
      
      # Create File: rand (empty)
        New-Item -ItemType File -Path "$docs\SSL\rand"
      
      # Create File: serial (two hex digits, as OpenSSL's -CAserial expects)
        Set-Content -Path "$docs\SSL\serial" -Value "00" -Encoding Ascii
      
      # Enter SSL Directory
        Cd "$docs\SSL"
      
      
    2. Generate self-signed CA:

      OpenSSL req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout ".\ca\CA.key.pem" -out ".\ca\CA.crt.pem" -config ".\openssl.cnf" -extensions v3_signing_ica
      

      CA key should have a secure passphrase of at least 20 characters, containing at minimum:
      2 uppercase letters, 2 lowercase letters, 2 numbers, and 2 symbols

    3. Generate the CSR (Certificate Signing Request) for the Signing Cert:
      Modify openssl.cnf Line 244 (email.1 = user@email.com) with user's email, then:

      OpenSSL req -out ".\csr\Signing.csr" -new -days 3650 -sha512 -newkey rsa:2048 -keyout ".\key\Signing.key.pem" -config ".\openssl.cnf" -extensions v3_codesign
      

      Cert key should have a secure passphrase of at least 16 characters, in line with #2.2

    4. Sign the Signing Cert with the CA:

      OpenSSL x509 -req -sha512 -days 3650 -in ".\csr\Signing.csr" -CA ".\ca\CA.crt.pem" -CAkey ".\ca\CA.key.pem" -CAserial .\serial -out ".\cert\Signing.crt.pem" -extfile ".\openssl.cnf" -extensions v3_codesign
      
    5. Export the Signing cert as a PKCS12 cert:

      OpenSSL pkcs12 -export -out ".\p12\Signing.p12" -inkey ".\key\Signing.key.pem" -in ".\cert\Signing.crt.pem" -certfile ".\ca\CA.crt.pem"
      

      PKCS12 should have a secure passphrase of at least 16 characters, in line with #2.2

  3. Import Certs into Cert Manager (certmgr.msc):

    1. Register .pem Extension as a Valid Certificate:
      Open an Admin Terminal via: WinKey+R > Open: Powershell > CTRL+SHIFT > OK

      Reg ADD "HKCR\.pem" /T REG_SZ /d CERfile ; Reg ADD "HKCR\.pem" /V "Content Type" /T REG_SZ /D application/x-x509-ca-cert ; Pause ; Exit
      
    2. Import CA as a Trusted Root Certificate Authority:
      Right-click CA.crt.pem > Install Certificate > Local Machine > Next > Approve UAC >
      Place all certificates in the following store > Browse... > Trusted Root Certification Authorities
      OK > Next > Finish
    3. Import PKCS12 as a Personal Certificate:
      Right-click Signing.p12 > Install PFX > Current User > Next > Filename:
      %UserProfile%\Documents\SSL\p12\Signing.p12 > Next > Enter passphrase > Next > OK

  4. Sign BPSRegWD64.dll via:

    1. Set-AuthenticodeSignature:

      1. Create Sign.ps1 script (PowerShell here-string; the closing '@ must start at column 1 when pasted):

        @'
        #
                ##::[[---  PowerShell Signing Script  ---]]::##
        
            # Parameters #
        #----------------------------------------------------------------
        
        # Error if no file is specified:
          param([string] $file=$(throw "Please specify a file path to sign."))
        
        # Auto select user signing certificate (first one, if several are installed):
          $Cert = Get-ChildItem -Path "Cert:\CurrentUser\My" -CodeSigningCert | Select-Object -First 1
        
        # SHA256 TimeStamp server:
          $timeStampURL = "http://sha256timestamp.ws.symantec.com/sha256/timestamp"
        
        
            # Script #
        #----------------------------------------------------------------
        if($Cert) {
            Set-AuthenticodeSignature -FilePath $file -Certificate $Cert -HashAlgorithm SHA256 -TimestampServer $timeStampURL
        }
        else {
            throw "Did not find a code signing certificate in Cert:\CurrentUser\My"
        }
        '@ | Set-Content -Path "C:\Sign.ps1" -Encoding Ascii
        
      2. Execute Sign.ps1:

        C:\Sign.ps1 "C:\Path\to\BPSRegWD64.dll"
        


    2. SignTool.exe:

      1. Install the Windows SDK: Signing Tools for Desktop Apps:
        Ensure path to SignTool.exe is added to the System PATH:
        • Control Panel\All Control Panel Items\System > Adv. system settings >
          Env Variables > System Variables > Path > Edit > New > signtool.exe path >
          OK > OK > OK
          Example path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64

          There are certain file extensions PowerShell's Set-AuthenticodeSignature can sign that SignTool cannot, and vice versa, but I'm unsure which can and cannot sign what files, so it's best to also install the SDK's SignTool.
      2. Execute SignTool.exe:

        SignTool Sign /S My /FD SHA256 /TD SHA256 /TR "http://sha256timestamp.ws.symantec.com/sha256/timestamp" "C:\Path\to\BPSRegWD64.dll"
        

JW0914

Posted 2020-01-12T09:18:42.770

Reputation: 2 135
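Once the DLL is signed, it is worth confirming that Windows actually accepts the result and that the trust you just added is exactly the CA you created, not something broader. The script below is an added example, not part of JW0914's answer; it assumes the DLL path used in the answer and the CA.crt.pem created in step 2.2.

```powershell
# Verify an Authenticode signature end-to-end: status, Code Signing EKU, and that the
# chain terminates at our own self-signed CA (added example; paths are assumptions).
param(
    [string] $File  = "C:\Path\to\BPSRegWD64.dll",                      # placeholder path from the answer
    [string] $CaPem = "$env:UserProfile\Documents\SSL\ca\CA.crt.pem"    # CA created in step 2.2
)

$codeSigningEku = "1.3.6.1.5.5.7.3.3"   # id-kp-codeSigning

# 1. Signature status as Windows sees it. An untrusted root usually shows as
#    UnknownError with "terminated in a root certificate which is not trusted".
$sig = Get-AuthenticodeSignature -FilePath $File
"Status      : $($sig.Status) ($($sig.StatusMessage))"
if ($sig.Status -ne 'Valid') { throw "Signature on $File is not valid." }

# 2. The signer certificate must carry the Code Signing EKU (this is what the
#    v3_codesign section in openssl.cnf is supposed to provide).
$signer = $sig.SignerCertificate
$ekus = $signer.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value }
"Signer      : $($signer.Subject)"
"EKUs        : $($ekus -join ', ')"
if ($ekus -notcontains $codeSigningEku) { throw "Signer certificate lacks the Code Signing EKU." }

# 3. Build the chain and compare its root thumbprint with the CA file on disk, so a
#    different root that happened to be trusted would not pass silently.
$ca    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaPem)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # the self-signed CA publishes no CRL
$ok   = $chain.Build($signer)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Chain OK    : $ok"
"Root        : $($root.Subject) [$($root.Thumbprint)]"
if (-not $ok -or $root.Thumbprint -ne $ca.Thumbprint) {
    throw "Chain does not end at the expected CA ($($ca.Thumbprint)); re-check step 3.2 (Trusted Root import)."
}

# 4. Timestamp presence: without a countersignature the signature stops validating
#    once the signing certificate expires.
$ts = $sig.TimeStamperCertificate   # $null when no timestamp was applied
"Timestamped : $([bool]$ts)"
```

Run it from the same user account that imported Signing.p12, since the chain is built against that user's and the machine's stores.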

Attempting step 2 gives me: Error Loading extension section v3_codesign 1204:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:crypto/asn1/a_object.c:72: 1204:error:2206706E:X509 V3 routines:v2i_EXTENDED_KEY_USAGE:invalid object identifier:crypto/x509v3/v3_extku.c:93:section:,name:mcCTLSign,value: 1204:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto/x509v3/v3_conf.c:47:name=extendedKeyUsage, value=codeSigning, msCodeInd, msCodeCom, mcCTLSign, timeStamping – Kurausukun – 2020-01-13T22:12:20.533

@Kurausukun The issue was a typo in the openssl.cnf at line 414, char 70 with EKU msCTLSign (had a typo listing it as mcCTLSign). Once corrected, the CSR is created without error. (I will update the openssl.cnf on my GitHub tomorrow, but I want to double-check others before committing the typo correction. Please either manually edit line 414 or do a find and replace for mcCTLSig to msCTLSign.) I also corrected some file/directory naming inconsistencies in the commands, so before re-issuing, please ensure your CA's cert and key are moved into %UserProfile%\Documents\SSL\ca – JW0914 – 2020-01-14T07:37:10.743

@Kurausukun I realized I left out SignTool's command and have updated the answer with it. There are two ways to sign files, either via PowerShell's Set-AuthenticodeSignature or SignTool.exe, however there are certain files one can sign that the other cannot and vice versa; I'm unsure which can do .dll files, so I've included both. – JW0914 – 2020-01-16T13:15:48.827