How to make computer (or user) trust signed software

I have an application, which I sign and timestamp using a code-signing certificate issued by thawte, with intermediate authority Thawte code signing CA - G2.

The signature is OK (as it shows in file properties) and you can view the certification chain, so that is all okay.

On most PCs, the user just clicks on the .exe file and it runs, but on Windows 7 with default settings, the "Open File - Security Warning" pops up EVERY TIME. It shows that it is signed, that the publisher is our company, and the user can verify that. This is not what we want. We want the user to double-click the file and go. I added our certificate to the "trusted publishers" in certmgr, and then I added our certificate to the "trusted root certification authorities". I think I tried all combinations, that made sense to me. Still I am not getting the desired result.

I used Google a lot and I spent almost 2 days fiddling around with it, with no progress at all. How can I sign another file, send it to the computer, run it the same, convenient way as if it was developed and released by Microsoft or another big company?

I need a general solution for all OS of Windows family Vista and newer.

P.S. I do not want to unblock files, do registry hacks, or security level adjustments. I think I am missing something around where to install the certificates. If needed, please feel free to ask for code or settings, and I will gladly provide them.

4

1 Answer

Besides adding them to the local store at 'Trusted Publishers' and 'Trusted Root Certification Authorities', you have to edit the Group Policy, either locally or on the domain level to allow trusting.

For SCUP/WSUS updates using a code signing cert I used a GPO to "Allow signed updates from an intranet Microsoft update service location" under /Administrative Templates/Windows Components/Windows Update.

For Application installs it's going to be in a different place. Looks like it might be Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Certificate Path Validation Settings.

Take a look at:

2

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like