Windows Presentation Foundation
A part of the .NET Framework that provides a unified programming model for building line-of-business desktop applications on Windows.
2,760 questions
Signing clickonce using Sectigo SHA384 EV certificate give unknown publisher and smartscreen blocker
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 10%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERK%3C/text%3E%3C/svg%3E)
rakesh kumar
0
Reputation points
I am trying to sign the clickonce application using Sectigo Sha384 EV Certificate using SafeNet client. Steps I am following PLEASE NOTE CSP in SignTool is CSP in SafeNet client while CSP in Mage is KSP in SafeNet client. Mage was not signing otherwise. I am using VS 2022, but not using its UI to sign anything during publish. I am signing the clickonce artifacts afterward SignTool version 10.0.22621.2428 Mage version 4.8.9032.0 used from location C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8.1 Tools
//STEP 1: Signing exe file
signtool.exe sign /v /fd "SHA256" /as /f $certPath /csp "eToken Base Cryptographic Provider" /kc "[{{tokenpass}}]=Sectigo_xxxxxxxxxxx" /td "SHA256" /tr "http://timestamp.sectigo.com" "c:\publish\1.0.0.0\App.exe"
//STE2: Updating the file hashes in the application manifest file
mage.exe -Update "c:\\publish\\1.0.0.0\\App.exe.manifest" -FromDirectory "c:/publish/1.0.0.0" -Algorithm "sha256RSA"
//signining application manifest
mage.exe -sign "c:\publish\1.0.0.0\App.exe.manifest" -CertFile $certPath -CryptoProvider "SafeNet Smart Card Key Storage Provider" -KeyContainer "[{{tokenpass}}]=Sectigo_xxxxxxxxxxx" -TimestampUri "http://timestamp.sectigo.com" -Algorithm "sha256RSA"
//Verify signing application manifest
mage.exe -Verify "c:\publish\1.0.0.0\App.exe.manifest"
//Updating the deployment manifest with the location and hash of the application manifest
mage.exe -Update "c:\publish\App.application" -AppManifest "c:\publish\1.0.0.0\App.exe.manifest" -Publisher "Test Publisher"
//Signing the deployment
mage.exe -Sign "c:\publish\App.application" -CertFile $certPath -CryptoProvider "SafeNet Smart Card Key Storage Provider" -KeyContainer "[{{tokenpass}}]=Sectigo_xxxxxxxxxxx" -TimestampUri "http://timestamp.sectigo.com" -Algorithm "sha256RSA"
//Verify signing deployment manifest
mage.exe -Verify "c:\publish\App.application"
// Copy the deployment manifest to the versioned path
Copy-Item "c:\publish\App.application" "c:\publish\1.0.0.0\App.application"
//sign the bootstrap file
signtool.exe sign /v /fd "SHA256" /as /f $certPath /csp "eToken Base Cryptographic Provider" /kc "[{{tokenpass}}]=Sectigo_xxxxxxxxxxx" /td "SHA256" /tr "http://timestamp.sectigo.com" "c:\publish\setup.exe"
I have also checked that publisher name is visual studio in description is "Test Publisher" which matches with whom certificate is issued. I am getting a unknown publisher pop up I am also getting smartscreen blocker while installing clickonce application. I was hoping a clean install with known publisher and without any smart screen. That is why I choosed EV certificate I have also checked the certificate, it is valid and have proper chain
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 11%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHL%3C/text%3E%3C/svg%3E)
Hui Liu-MSFT 48,416 Reputation points Microsoft Vendor2024-02-16T07:02:29.24+00:00 Hi,@rakesh kumar.Welcome to Microsoft Q&A. It seems like you have taken the correct steps to sign your ClickOnce application with an EV certificate, and it's signed properly with SHA384, which is recommended for EV certificates. However, issues with SmartScreen warnings and unknown publisher messages can be influenced by various factors. Here are some suggestions to troubleshoot and resolve the issue: Timestamping: Ensure that all your signatures (both application and deployment manifests, as well as the setup.exe) are timestamped. It appears you are using Sectigo's timestamping service, but double-check to make sure the timestamps are being applied correctly.
Correct Hash Algorithms: Make sure that the hash algorithms used during signing and updating manifest files match across all steps. You're using SHA256 for signing and updating, which is appropriate.
Correct Certificate Store and Container: Verify that the certificate store and container used in signtool and mage commands match the correct values associated with your EV certificate on the SafeNet client.
Publisher Name in Manifests: Ensure that the publisher name specified in your application manifest (App.exe.manifest) matches the publisher name specified in your deployment manifest (App.application). Consistency in publisher names is essential.
Check System Time and Date: Ensure that the system time and date on the machine where you are signing the application are correct. Timestamping services use the system time to provide a trusted timestamp.
Review SmartScreen Policies: SmartScreen uses reputation-based checks, and it might take some time for your application to gain a positive reputation. However, being signed with an EV certificate should generally help. Make sure your application is not behaving in a way that triggers false positives.
EV Certificate and Code Signing Policies: Double-check the policies of your EV certificate and the code signing policies in place. Ensure that they meet the requirements for EV certificates.
-
rakesh kumar 0 Reputation points
2024-02-16T21:30:59.2666667+00:00 Thank you for replying @Hui Liu-MSFT I have checked against all your checkpoints but still getting error of "unknown publisher" while installing it on my window 11 pc and few other windows 10 or 11 pcs first time. However if I try to install it on the same server (windows server 2008 R2) where it is deployed, It shows publisher name perfectly fine. It is very frustrating. Is there something from your experience you can tell? I was using a non-ev certificate before for signing manifests and all was good. Oh by the way as I mentioned before, Mage sign dont work woth CSP, so I am providing KSP value instead in -CryptoProvider argument. In fact I have started using KSP value from token in signtool as well. SignTool version 10.0.22621.2428 Mage version 4.8.9032.0 Using CSP value, mage signing process gives below error.
This certificate does not contain a private keyThere is also a dangerous post here
https://developercommunity.visualstudio.com/t/ClickOnce-EV-Signing-with-HSM/10278648 which talks about - Your key is an “exchange” key. Mage supports only “signature” keys. Is it still true as i can sign manifests without an error. I can see my EV token also have AT_KEYEXCAHNGE as key specification
-
rakesh kumar 0 Reputation points
2024-02-16T23:14:56.04+00:00 It is something with Sectigo timestamp server. While signing manifests using mage.exe I dont think it using RFC 3161 timestamping url http://timestamp.sectigo.com is choosing appropriate signature algorithm. Try signing with http://timestamp.sectigo.com?td=sha256 gives error related to endpoint not reachable. So I replaced it with http://timestamp.digicert.com?td=sha256 and unknown pblisher away on first install on windows 11 goes away. I wonder how it was showing publisher name on server it was deployed.
---But now after install when it still shows me SMARTSCREEN blocker, I have to pass through -:(
-
Hui Liu-MSFT 48,416 Reputation points Microsoft Vendor
2024-02-20T10:04:38.9366667+00:00 Hi,@@rakesh kumar. For various issues related to signing ClickOnce manifests with Extended Validation (EV) certificates and handling SmartScreen warnings. Here are some opinions.
SmartScreen Blocker: SmartScreen warnings are often influenced by the reputation of your software and the certificates used for signing. SmartScreen may display a warning if the application is not widely recognized or if it has not built up a reputation. Once users trust your application and the warning is bypassed, it should not appear again for subsequent installations.
Reputation Building: Building a positive reputation might take time. Distributing your application widely, having a consistent signing history, and receiving positive user feedback can contribute to a positive reputation.
Windows 11 Considerations: Windows 11 might have updated SmartScreen algorithms or additional checks, which could explain differences in behavior compared to Windows 10.
Timestamping Server: Ensure that you're using a reliable and accessible timestamping server for signing your ClickOnce manifests. The timestamp server's URL and supported algorithms can impact the trustworthiness of your signed manifests.
SmartScreen Blocking After Install: Post-Install Checks: SmartScreen may perform checks even after the installation. Factors like user feedback, application behavior, and reputation can influence how SmartScreen treats your application over time.
Mage and CSP: If you encounter issues with Mage and Cryptographic Service Providers (CSP), consider alternative tools like SignTool for signing ClickOnce manifests. Make sure to use the appropriate parameters and settings for your certificate.
And consider reaching out to Sectigo support for assistance with certificate and SmartScreen-related issues.
Sign in to comment
Sign in to answer