How to make a computer (or user) trust signed software

I have an application, which I sign and timestamp using a code-signing certificate issued by thawte, with intermediate authority Thawte code signing CA - G2.

The signature is OK (as it shows in file properties) and you can view the certification chain, so that is all okay.

On most PCs, the user just clicks on the .exe file and it runs, but on Windows 7 with default settings, the "Open File - Security Warning" pops up EVERY TIME. It shows that it is signed, that the publisher is our company, and the user can verify that. This is not what we want. We want the user to double-click the file and go. I added our certificate to "Trusted Publishers" in certmgr, and then I added our certificate to "Trusted Root Certification Authorities". I think I tried all combinations that made sense to me. Still I am not getting the desired result.

I used Google a lot and I spent almost 2 days fiddling around with it, with no progress at all. How can I sign another file, send it to the computer, and run it the same convenient way as if it was developed and released by Microsoft or another big company?

I need a general solution for all Windows OS versions, Vista and newer.

P.S. I do not want to unblock files, do registry hacks, or security level adjustments. I think I am missing something around where to install the certificates. If needed, please feel free to ask for code or settings, and I will gladly provide them.

jmodrak

Posted 2014-08-14T14:25:05.147

Reputation: 43

You tried to add the cert to the store, or you did add the cert to the store? – Ramhound – 2014-08-14T14:40:11.557

I added the cert to the store, but I have not tried all options (I have not tried Enterprise Trust; I have basically not tried everything), so maybe I just need a hint as to which store is the correct one. – jmodrak – 2014-08-14T14:42:41.640

Which version of Windows are you running on these "most PCs" you speak of? Also, can you post a screenshot (or a link to one) of the exact message you are seeing? – lzam – 2014-09-18T02:23:25.653

Does the application require administrative permissions? If so, there really isn't anything else you can do, if you seriously want to avoid editing User Account Control settings or making users Local Admins, short of creating a scheduled task and a shortcut to launch said task. – int_541 – 2014-12-13T08:29:29.623

Answers

Besides adding them to the local store at 'Trusted Publishers' and 'Trusted Root Certification Authorities', you have to edit the Group Policy, either locally or at the domain level, to allow the trust.

For SCUP/WSUS updates using a code-signing cert, I used a GPO to "Allow signed updates from an intranet Microsoft update service location" under Administrative Templates\Windows Components\Windows Update.

For application installs it's going to be in a different place. It looks like it might be Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Certificate Path Validation Settings.

Take a look at: http://technet.microsoft.com/en-us/library/cc733026.aspx

Michael

Posted 2014-08-14T14:25:05.147

Reputation: 46

Yes, editing the GPO was the missing thing. I have done that in the meantime, but forgot to mention it here. The more info provided, the better; I will not make the same mistake again. Kudos! – jmodrak – 2014-12-22T16:03:47.317

Glad it worked out. I hate that advanced stuff like this isn't documented in an easy-to-find way, just buried in white papers on page 53 for someone with plenty of time to find it. – Michael – 2014-12-22T19:08:56.357
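The following is an added PowerShell check, not code from either poster, that ties the question ("where do the certificates go?") and the accepted answer (the Certificate Path Validation Settings policy) together. It verifies the Authenticode signature the way Windows does on the target machine, confirms that only the publisher's leaf certificate sits in Trusted Publishers (the issuing chain belongs in Intermediate and Trusted Root, and the leaf never belongs in Root), imports the leaf with certutil if it is missing, and then reads the policy value that decides which Trusted Publishers store Windows is allowed to honour. The binary path is a placeholder; the registry key and the meaning of the AuthenticodeFlags values are my understanding of what the "Trusted Publishers" tab of that policy writes, not something stated in the thread, so treat them as an assumption to confirm against the linked TechNet page. It is written for PowerShell 2.0 so that it runs on Windows 7 as well as later versions.

```powershell
# Added example, not from the original thread. Placeholder path: point it at your signed binary.
$exe = 'C:\Release\MyApp.exe'

# 1. Validate the Authenticode signature and its chain as THIS machine sees them.
#    A "Valid" status here rules out chain/timestamp problems as the cause of the prompt.
$sig = Get-AuthenticodeSignature -FilePath $exe
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
$leaf = $sig.SignerCertificate
Write-Host "Signer      : $($leaf.Subject)"
Write-Host "Thumbprint  : $($leaf.Thumbprint)"
Write-Host "Timestamped : $($sig.TimeStamperCertificate -ne $null)"

# 2. Which machine-wide stores hold which certificate?
#    Leaf (publisher)  -> TrustedPublisher
#    Intermediate CA   -> CA
#    Self-signed root  -> Root
#    Putting the leaf into Root (as tried in the question) does not make it a trusted publisher.
function Test-InStore([string]$Store, [string]$Thumbprint) {
    $found = Get-ChildItem "Cert:\LocalMachine\$Store" | Where-Object { $_.Thumbprint -eq $Thumbprint }
    return ($found -ne $null)
}
$chain = New-Object Security.Cryptography.X509Certificates.X509Chain
[void]$chain.Build($leaf)
$chainCerts = $chain.ChainElements | ForEach-Object { $_.Certificate }
$root = $chainCerts[-1]   # last element of a built chain is the self-signed root

Write-Host ("Leaf in LocalMachine\TrustedPublisher : " + (Test-InStore 'TrustedPublisher' $leaf.Thumbprint))
Write-Host ("Root in LocalMachine\Root             : " + (Test-InStore 'Root' $root.Thumbprint))
Write-Host ("Leaf wrongly placed in Root           : " + (Test-InStore 'Root' $leaf.Thumbprint))

# 3. If the leaf is missing from Trusted Publishers, export it from the signature and import it.
#    certutil.exe ships with Vista and later; Import-Certificate needs the PKI module (Windows 8+).
#    Run this part from an elevated prompt.
if (-not (Test-InStore 'TrustedPublisher' $leaf.Thumbprint)) {
    $cer = Join-Path $env:TEMP 'publisher.cer'
    $der = $leaf.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [IO.File]::WriteAllBytes($cer, $der)
    & certutil.exe -addstore TrustedPublisher $cer
}

# 4. The Group Policy "Certificate Path Validation Settings" (Trusted Publishers tab) decides
#    which Trusted Publishers stores are honoured. ASSUMPTION (not from the thread): it is
#    persisted as the AuthenticodeFlags DWORD under the key below, with
#      0 = users and administrators may manage trusted publishers (per-user store honoured)
#      1 = only local administrators (machine store only)
#      2 = only enterprise administrators (GPO-deployed store only)
#    With 1 or 2 in effect, a certificate added to the current user's store is ignored, which
#    is why the machine store plus the policy, not the user store, is what the answer needed.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer'
$flags = (Get-ItemProperty -Path $policyKey -Name AuthenticodeFlags -ErrorAction SilentlyContinue).AuthenticodeFlags
if ($flags -eq $null) {
    Write-Host 'AuthenticodeFlags not set: Certificate Path Validation policy is not configured'
} else {
    Write-Host "AuthenticodeFlags = $flags"
}
```

Run it on the machine that shows the prompt rather than on the build machine: the point of step 1 is that "the signature is OK" on the developer's PC says nothing about the chain on a clean Windows 7 install, and step 4 tells you whether a store you populated by hand is one the policy even consults.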