How to sign a Windows batch (.bat) file?

8

1

I'm running Windows 7 and when I try to run a batch file, it says, "The publisher could not be verified. Are you sure you want to run this software?"

So when I try to sign it with my code signing certificate, it says "SignTool Error: This file format cannot be signed because it is not recognized."

So I'm stuck between a rock and a hard place. Is there a way to eliminate either message?

screenshot

user41608

Posted 2012-09-05T18:00:47.263

Re-write it as a PowerShell script, and sign that? I've never heard of signed batch files, myself. – Iszi – 2012-09-05T18:05:35.820

You don't sign batch files. It sounds like your batch file is calling something else that should be signed. – Mark Allen – 2012-09-05T18:06:10.217

What is the source of the prompt? That is, what is the title-bar and icon? Is it actually a Windows prompt or a prompt from a third-party security program? Take a screenshot of it and add it to the question. – Synetech – 2012-09-05T18:10:25.547

http://windowsxp.mvps.org/networkfile.htm – SeanC – 2012-09-05T18:12:07.637

@SeanCheshire, if that is the case, then techturtle is correct; anything on a network is viewed with a suspicious eye by Windows, so you will need to either copy it locally or add the location to the Trusted Zone. – Synetech – 2012-09-05T18:21:10.150

Answers

4

I get a similar message if I run batch files (or other executables) from a network location. If this is the case, you may want to consider moving it to a local drive. Another alternative is to use a separate batch file on the local drive to launch the one on the network. The launching batch file need only have one line in it:

@call \\network\folder\batch.bat

Windows won't balk at the local file, and once that file is running, it can call the network version without issue.

techturtle

Posted 2012-09-05T18:00:47.263

Reputation: 8 059

@Sosukodo, so E: is a network-mapped drive? – Synetech – 2012-09-05T18:29:30.697

Sort-of ;-) I'm running a VirtualBox Windows 7 guest on a Mac host. The E: is a VirtualBox shared folder. I didn't know that the shared folder would be considered a networked drive but when you mentioned it, it made sense. – None – 2012-09-07T04:41:27.060

4

You don't sign batch files. It sounds like your batch file is calling something else that should be signed.

Edit: Now that you've posted a batch file, we can see that it's because of the network location. Or, sometimes it'll happen if you merely copy a file from a network location. In the latter case, it's because Windows has tagged the file via an Alternate Data Stream to be in some other Internet zone. You can get around this one of two ways:

  1. Change your security zones in Internet Explorer, for the Intranet zone.
  2. Use the type command to destroy the Alternate Data Stream for the file. (There's also streams.exe from Sysinternals that can do it.)

     type thefile.bat > %temp%\newfile.bat & type %temp%\newfile.bat > thefile.bat

Mark Allen

Posted 2012-09-05T18:00:47.263

Reputation: 2 801
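The first option above (putting the network location into the Local Intranet zone, as SeanC's link and Synetech's comment on the question also suggest) can be done without the Internet Explorer dialog. The following is an added example, not code from any answer on this page: it writes the per-user ZoneMap entry for a hypothetical file server named `fileserver`, reads it back, and refuses to proceed if the `Security_HKLM_only` policy value means per-user mappings are ignored. The function names and the server name are assumptions made for the example.

```powershell
# Added example: put a file server's UNC host into the Local Intranet zone so
# that files opened from \\server\share\... are no longer treated as coming
# from the Internet zone. Current-user scope only.
# Assumptions: Windows PowerShell 5.1; 'fileserver' is a hypothetical host name.
$ZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$IE      = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# URL Security Zone numbers used by the ZoneMap values.
$LocalIntranet = 1   # 0 = My Computer, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites

function Add-IntranetHost {
    param([Parameter(Mandatory)][string]$ServerName)
    # If Security_HKLM_only is set by policy, per-user zone mappings are ignored
    # and the change has to be made under HKLM by an administrator instead.
    $pol = Get-ItemProperty -Path $IE -Name Security_HKLM_only -ErrorAction SilentlyContinue
    if ($pol -and $pol.Security_HKLM_only -eq 1) {
        throw 'Security_HKLM_only is set; HKCU zone mappings will not take effect.'
    }
    $key = Join-Path "$ZoneMap\Domains" $ServerName
    New-Item -Path $key -Force | Out-Null
    # Value name = URL scheme. UNC paths are file://server/share, so the scheme is 'file'.
    New-ItemProperty -Path $key -Name 'file' -PropertyType DWord -Value $LocalIntranet -Force | Out-Null
}

function Get-IntranetHostZone {
    # Returns the mapped zone number for the file: scheme, or $null if unmapped.
    param([Parameter(Mandatory)][string]$ServerName)
    $key = Join-Path "$ZoneMap\Domains" $ServerName
    $v = Get-ItemProperty -Path $key -Name 'file' -ErrorAction SilentlyContinue
    if ($v) { return [int]$v.file } else { return $null }
}

function Remove-IntranetHost {
    param([Parameter(Mandatory)][string]$ServerName)
    Remove-Item -Path (Join-Path "$ZoneMap\Domains" $ServerName) -Recurse -ErrorAction SilentlyContinue
}

$server = 'fileserver'   # hypothetical: the host part of \\fileserver\scripts\batch.bat
"Before: zone for \\$server = $(Get-IntranetHostZone $server)"   # (empty) = not mapped
Add-IntranetHost -ServerName $server
"After:  zone for \\$server = $(Get-IntranetHostZone $server)"   # 1 = Local intranet
# Remove-IntranetHost -ServerName $server   # undo when done testing
```

The mapping applies to everything Internet Explorer and the shell fetch from that host, not only batch files, so map individual servers rather than wildcards. On domain-joined machines the same entries are normally pushed through the "Site to Zone Assignment List" policy, in which case the per-user value is overridden.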

3

What you are seeing is a general prompt that Windows provides whenever you try to open any type of file that has been downloaded. What happens is that when you download a file, it is tagged with a flag that indicates that it came from the Internet and is thus potentially dangerous. When you try to run such a file, Windows checks to see if it has a valid signature in order to determine if it can be trusted.

What you can do is to strip the flag from the file by using the Unblock button in the file’s properties, after which, Windows will leave you alone whenever you try to run it:

The problem is that batch-files are text-files that can be executed. While it is possible to sign a text-file, it will end up appending a bunch of binary data to the file which for a batch-file is bad because it is gibberish and will cause problems when the command-interpreter tries to execute it. Commenting out the signature will not work either because then the signature becomes corrupt.

Therefore, signing a batch file is not going to work.

What you need to do is to figure out why the system is prompting you when trying to run it. By default, Windows does not ask before running batch-files, so you must have either a special policy or security program blocking it. Check your security program(s) to see if there is a verification setting that you can disable or add an exclusion for.

Also check the batch-file’s contents to see if it is running an executable that is not signed (though again, by default, Windows does not prompt for executables unless it was downloaded or requires elevated privileges, so check your settings).

Synetech

Posted 2012-09-05T18:00:47.263

Reputation: 63 242

You should be able to exit the script before execution reaches the signature, no? – Sparr – 2012-09-05T18:13:02.293

@Sparr, yes and no. You could insert a goto :eof before the signature, but then that would alter the hash of the file and render the signature invalid and thus the file as corrupt/insecure. I suppose you could have the line there at the end of the file before signing it though, and it should work. Interesting experiment to try… – Synetech – 2012-09-05T18:18:16.350

You can use the type command - even on binaries - to untag the file. I do it all the time. type oldfile>newfile (and then) type newfile>oldfile results in the oldfile without the ADS tag. – Mark Allen – 2012-09-05T20:03:36.717

Hehe, clever. That’s not technically stripping the flag (and I’m not sure how much faster or more convenient it is than the Properties dialog), but it works. – Synetech – 2012-09-06T01:35:08.393
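The "flag" discussed in this answer and in Mark Allen's answer is the Zone.Identifier alternate data stream (the Mark-of-the-Web). The following is an added example, not code from either answer: it creates a constructed batch file, tags it exactly as a download would be tagged, shows the stream, and then clears it three ways, the cmdlet behind the Unblock button, the copy-then-replace that the type trick relies on, and direct deletion of the stream. The paths under `$env:TEMP\mow-demo` and the helper function names are assumptions for the example.

```powershell
# Added example: inspect and clear the Mark-of-the-Web on a batch file.
# Assumptions: Windows PowerShell 5.1 (or later) on an NTFS volume; the paths
# under $env:TEMP\mow-demo are hypothetical and created here for the demo.
$dir    = Join-Path $env:TEMP 'mow-demo'
$Target = Join-Path $dir 'thefile.bat'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path $Target -Value "@echo off`r`necho hello from a batch file"

function Set-InternetMark {
    # Constructed sample: write the same Zone.Identifier stream a browser or an
    # Explorer copy from an untrusted zone leaves behind. ZoneId 3 = Internet.
    param([string]$Path)
    Set-Content -Path $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}

function Get-ZoneId {
    # Returns the ZoneId from the Zone.Identifier stream, or $null if unmarked.
    param([string]$Path)
    $stream = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    foreach ($line in $stream) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

Set-InternetMark $Target
'Streams on the marked file:'
Get-Item -Path $Target -Stream * | Format-Table Stream, Length -AutoSize   # :$DATA and Zone.Identifier
"ZoneId before: $(Get-ZoneId $Target)"                 # 3

# Option A: the cmdlet behind Properties > Unblock.
Unblock-File -Path $Target
"ZoneId after Unblock-File: $(Get-ZoneId $Target)"     # (empty) = no mark

# Option B: what the cmd.exe round-trip
#   type thefile.bat > newfile.bat & type newfile.bat > thefile.bat
# relies on: reading the unnamed data stream into a fresh file produces a file
# with no Zone.Identifier, and replacing the original with it drops the mark.
# (Copy-Item / CopyFile would carry the stream along, so it does not help.)
Set-InternetMark $Target
$copy = Join-Path $dir 'newfile.bat'
[System.IO.File]::WriteAllBytes($copy, [System.IO.File]::ReadAllBytes($Target))
Move-Item -Path $copy -Destination $Target -Force
"ZoneId after main-stream copy: $(Get-ZoneId $Target)" # (empty)

# Option C: delete just the stream and leave the file itself untouched.
Set-InternetMark $Target
Remove-Item -Path $Target -Stream Zone.Identifier
"ZoneId after Remove-Item -Stream: $(Get-ZoneId $Target)"  # (empty)
```

Get-ZoneId is also a convenient check before blaming a security product: if it returns nothing and the prompt still appears, the cause is not the Mark-of-the-Web but the file's location (a network or shared-folder path) or a policy, as the rest of this answer says.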

0

You may also convert the .bat file into a PowerShell script, signtool supports signing these files.

Emmanuel Bourg

Posted 2012-09-05T18:00:47.263

Reputation: 221

This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post. - From Review – Burgi – 2019-12-11T15:35:13.410

@Burgi this is debatable, .bat files can't be signed unless someone writes a dedicated SIP. The closest solution for now is a signed PowerShell script. – Emmanuel Bourg – 2019-12-11T20:21:43.853

Rule #42 of Fight Club is "Workarounds are answers."  So this is an answer. (But the other ones are better.) – Scott – 2019-12-12T01:09:33.363
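The following is an added example, not code from this answer or from Synetech's: it rewrites a constructed batch file as a .ps1, signs it with a throw-away self-signed code-signing certificate, and then shows two things the answers describe, that the Authenticode signature is appended as a comment block (which is why a .ps1 survives signing and a .bat would not), and that verification reports the untrusted chain and any tampering separately. Windows 10 or later is assumed for New-SelfSignedCertificate -Type CodeSigningCert; the paths, subject name and helper function are assumptions for the example.

```powershell
# Added example: rewrite a batch file as a PowerShell script, sign the script,
# and see how the signature is stored and verified.
# Assumptions: Windows PowerShell 5.1 on Windows 10 or later (for
# New-SelfSignedCertificate -Type CodeSigningCert); all paths are hypothetical.
$dir = Join-Path $env:TEMP 'sign-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$Ps1 = Join-Path $dir 'backup.ps1'

# 1. The original (constructed) batch file, rewritten by hand. SignTool has no
#    SIP for .bat, so the .bat itself cannot be signed:
#      @echo off
#      xcopy /E /I "%USERPROFILE%\Documents" "%TEMP%\docs-backup"
@'
$src = Join-Path $env:USERPROFILE 'Documents'
$dst = Join-Path $env:TEMP 'docs-backup'
Copy-Item -Path $src -Destination $dst -Recurse -Force
'@ | Set-Content -Path $Ps1

# 2. A self-signed code-signing certificate for the demo only. For anything
#    real, use a certificate issued by a CA that your machines trust.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=bat-to-ps1 demo (test only)' `
    -CertStoreLocation Cert:\CurrentUser\My

function Get-SignatureStatus {
    # Wraps Get-AuthenticodeSignature so the status is easy to compare.
    param([string]$Path)
    $s = Get-AuthenticodeSignature -FilePath $Path
    return [string]$s.Status
}

"Before signing:  $(Get-SignatureStatus $Ps1)"   # NotSigned

# 3. Sign. For .ps1 files the signature is appended as a '# SIG #' comment
#    block that the interpreter ignores; a .bat file has no such convention,
#    which is why appended Authenticode data would break it.
Set-AuthenticodeSignature -FilePath $Ps1 -Certificate $cert -HashAlgorithm SHA256 | Out-Null
"After signing:   $(Get-SignatureStatus $Ps1)"   # UnknownError: chain ends in an untrusted root
(Get-AuthenticodeSignature -FilePath $Ps1).StatusMessage
(Get-Content -Path $Ps1)[-1]                      # "# SIG # End signature block"

# 4. Tamper check: change one character of the body and verify again.
$body = Get-Content -Raw -Path $Ps1
$body = $body -replace 'docs-backup', 'docs-backup2'
Set-Content -Path $Ps1 -Value $body -NoNewline
"After tampering: $(Get-SignatureStatus $Ps1)"   # HashMismatch

# 5. To get 'Valid' (and to run the script under -ExecutionPolicy AllSigned),
#    the signing certificate must chain to a trusted root and be in Trusted
#    Publishers. For the demo certificate that would be (the Root import
#    shows a confirmation dialog, so it is left as a comment here):
#      Export-Certificate -Cert $cert -FilePath (Join-Path $dir 'demo.cer')
#      Import-Certificate -FilePath (Join-Path $dir 'demo.cer') -CertStoreLocation Cert:\CurrentUser\Root
#      Import-Certificate -FilePath (Join-Path $dir 'demo.cer') -CertStoreLocation Cert:\CurrentUser\TrustedPublisher
#      powershell.exe -ExecutionPolicy AllSigned -File $Ps1
```

Note that the signature on the .ps1 only helps if the execution policy actually enforces it (AllSigned, or RemoteSigned for files that carry the Mark-of-the-Web); it does nothing for the "publisher could not be verified" prompt on a .bat, which comes from the shell's zone check rather than from Authenticode.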