Why dies SmartScreen still appear even though I have signed my project with a purchased Code Signing Certificate?

Robert Barnes 71 Reputation points
2022-04-12T04:55:11.36+00:00

I have purchased a Code Signing Certificate from Sertigo, a Certification Authority. However when I download the application I still see the Smartscreen, and although More Info identifies the supplier (Jazz Software Ltd), the [Run Anyway] button appears, I can click it and the software downloads, and installs properly. From More Info, the certificate details can be displayed. Everything is OK except that I don't understand why the Smartsceen appears.

For another user (large company with stringent security settings) the [Run Anyway] button doesn't appear, and they can't download the software. Major problem.

I found this article which seems to have the answer
https://social.msdn.microsoft.com/Forums/en-US/00813d25-d258-40d8-b03a-c4468959f311/smartscreen-shows-quotunknown-publisherquot-even-though-signed-correctly-using-a-trusted?forum=winformssetup

But the original article was written for Windows 8 in 2012, and perhaps things have changed in 10 years.

Question 1. Is it still necessary to use Signtool to explicitly sign the project, i.e. it is not sufficient to import a purchased Code Sharing Certificate by using Visual Studio opened on the signing page of the project, and using [Select from File]?

Your answer should be "No" because it's reasonable to think that you only need to use [Select from File], but from the results I get I'm assuming that your answer is "Yes"... so continuing on this assumption: -

Clearly #3, Pre Publish, is the way to go eventually, but since my practice is to publish locally and then use FTP to explicitly put this on the web site, I'll use #2, Signing the application executable post-build, at first.

I need to execute a command based on
"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\bin\signtool.exe" sign /f "$(ProjectDir)TestWin8CO_TemporaryKey.pfx" /p nightbird /v "$(ProjectDir)obj\x86\$(ConfigurationName)\$(TargetFileName)"

I'm using VS2019, and so I found SignTool at C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool

My project ($(ProjectDir) is
C:\Users\Robertbw10\source\repos\Jazz\Jazz\

$(ConfigurationName) is Debug

$(TargetFileName) is Jazz.exe

Based on that, I think that (except for the password) the command will be

"C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool\Signtool.exe " sign /f "C:\Users\Robertbw10\source\repos\Jazz\Jazz\jazz-software.pfx" /p xxxxx /v "C:\Users\Robertbw10\source\repos\Jazz\Jazz\obj\x86\Debug\Jazz.exe"

Question 2 Will you please confirm that this command looks reasonable given that these objects are what I find with File Explorer.

The referenced article continues
After you’ve created your version of the post-build command, you need to put it in the project properties. Double-click on Properties and click on the Build Events tab. Put your command in the Post-build event command line box.

I found Build Events as a button from the Compile tab of properties, I assume that this is a change from earlier Visual Studios, so I'll put the command there and rebuild the project if I get feedback that the answers to both Question 1 and 2 are "Yes".

Thank you for helping me, Robert.

VB
VB
An object-oriented programming language developed by Microsoft that is implemented on the .NET Framework. Previously known as Visual Basic .NET.
2,629 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Jiachen Li-MSFT 27,581 Reputation points Microsoft Vendor
    2022-04-12T06:31:11.13+00:00

    Hi @Robert Barnes ,
    Have you tried the method in the link you provided?
    The responses in the link below may explain the situation.
    https://security.stackexchange.com/a/139520
    Best Regards.
    Jiachen Li

    ----------

    If the answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments