PAP UK

I am testing the installation and running of a vb6 program. The program installs okay.

The program is signed with a test certificate created using makecert/cert2spc/signcode. It requires administrative access when it is run and this is stipulated in its manifest.

I have put the Root Agency into the Trusted Root Authorities Store and put the publisher/signer into the Trusted Publishers Store.

I have 2 problems.

1. When the program is run it displays the "unidentified program wants access" dialog with "unidentified publisher". Shouldn't this be an elevation dialog with the publisher's details shown?

2. When the program is run "as administrator" the same unidentified program displays even though no elevation is required.


Re: Security for Applications in Windows Vista Unidentified program wants access

Amol A. Vaidya

Hi,

Do check this link which explains more about UAC in Vista. http://www.windowsecurity.com/articles/Understanding-User-Account-Control-Vista.html

The section titled "Detect application installations and prompt for elevation" has more about the behaviour of the prompts that you are experiencing.

Regards,

Amol.





Re: Security for Applications in Windows Vista Unidentified program wants access

PAP UK

Unfortunately the link provided is a basic overview of UAC and does not answer the query.

The installation detection prompt for elevation is not the issue. Once installed however and with the required elevation request in the manifest and with the executable being digitally signed the program receives this prompt when run by the user. The publisher is shown as unidentified despite the digital signing. Moreover, the unidentified program prompt is displayed even if the user runs the installed application as administrator.

The manifest contains the following for elevation.

<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
  <security>
    <requestedPrivileges>
      <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
    </requestedPrivileges>
  </security>
</trustInfo>

The signing was carried out using makecert/cert2spc/signcode and the publisher is in the Trusted Publishers store.

Any ideas would be appreciated.




Re: Security for Applications in Windows Vista Unidentified program wants access

donelder

Do you have a version resource in the executable with identifying info?





Re: Security for Applications in Windows Vista Unidentified program wants access

PAP UK

Yes. At the moment the following information is included....

FILEVERSION 1,0,0,0
PRODUCTVERSION 1,0,0,0
FILEOS 0x4
FILETYPE 0x1

VALUE "CompanyName", "OurCompany"
VALUE "ProductName", "TestProject"
VALUE "FileVersion", "1.00"
VALUE "ProductVersion", "1.00"
VALUE "InternalName", "TestProject"
VALUE "OriginalFilename", "TestProject.exe"

Would these values affect the prompt? As there is no description in the test project, would this have an effect?

Thanks.




Re: Security for Applications in Windows Vista Unidentified program wants access

donelder

Have you tried signing with a real Authenticode certificate, not a test one?





Re: Security for Applications in Windows Vista Unidentified program wants access

PAP UK

Not yet. As a reasonably small developer we have not previously used digital signing. We wanted to test that the desired result would be achieved prior to investing in a real certificate.

We have checked the file using signtool as follows.

signtool verify /pa /v testproject.exe

and the result was successful verification.

Paul - PAP UK





Re: Security for Applications in Windows Vista Unidentified program wants access

donelder

You should sign your installers and executable programs with real certificates, otherwise expect issues with Vista.

At this point you have no way of knowing if your test certificate is the issue. You need a real certificate. Get it, then you can determine what is causing the seemingly incorrect prompt.





Re: Security for Applications in Windows Vista Unidentified program wants access

waishan

I've been able to sign my app with a test certificate and get Vista to state the company name as opposed to unidentified publisher.

Have you checked the digital signature in the executable's file properties?
To check if the signature is valid, go to the file's properties. Under the Digital Signatures tab, in the Signature list, choose to view the details of your signature. Under the General tab at the top, it should say that the digital signature is OK or is not valid. You also need to make sure all the items in the certification path are OK. If not OK, it will state why.




Re: Security for Applications in Windows Vista Unidentified program wants access

alexk59

If you really know how to achieve this with a test certificate, please describe it in more detail, step by step: the command line for makecert, the command line for signtool and the certificate installation steps. Unfortunately, I have not found any documented steps that prove that it is possible. So far, any resources that describe creation of test certificates (self-signed or coming from Root Agency) don't work in Vista.





Re: Security for Applications in Windows Vista Unidentified program wants access

AndyCadley

Make sure you have installed the certificate in the right Trusted Root Authorities store; there are both per-user and per-machine stores and you probably want to put it in the per-machine store.



Re: Security for Applications in Windows Vista Unidentified program wants access

alexk59

Thank you very much, it worked.

Now I am documenting the complete list of commands and steps required to create and install a code signing certificate. It WORKS. I used makecert and other tools included in the Vista SDK (makecert.exe has file version 6.0.6000.16384, located in C:\Program Files\Microsoft SDKs\Windows\v6.0\Bin\), but I think all steps should also work with the same tools included in Visual Studio 2005.

How to create and use a code signing certificate on a Vista computer (for testing purposes).

1. Create a self-signed root certificate (MyRootCA); use "MYPASSWORD1" as the password (you will type it 3 times).

makecert -n "CN=MyName Software  Root Certificate Authority" -r -a sha1 -sv MyRootCA.pvk MyRootCA.cer -sr LocalMachine -ss MyName -sky signature

2. Create a child certificate (MyCodeSigningCA) for code signing; create "MYPASSWORD2" as the password for the new certificate, and when you are asked for the Issuer Signature, type "MYPASSWORD1".

makecert -sv MyCodeSigningCA.pvk -iv MyRootCA.pvk -n "CN=MyName Software Code Signing CA" -ic MyRootCA.cer MyCodeSigningCA.cer

3. Create the PFX key (use the password "MYPASSWORD2").

pvk2pfx.exe -pvk MyCodeSigningCA.pvk -spc MyCodeSigningCA.cer -pfx MyCodeSigningCA.pfx -po MYPASSWORD2

4. Optional step.

cert2spc.exe MyCodeSigningCA.cer MyCodeSigningCA.spc

5. Use your PFX key to sign the Test1.exe program.

signtool sign /f MyCodeSigningCA.pfx /p MYPASSWORD2 /v /t http://timestamp.verisign.com/scripts/timestamp.dll Test1.exe

6. Install the MyRootCA.cer root certificate on the Vista computer into the LOCAL MACHINE store using the Certificates MMC snap-in:

a) Run MMC.EXE on the Vista computer (Start, Start Search, type mmc.exe, press Enter). The MMC console window appears.

b) Choose the "File", "Add/Remove Snap-in" menu command; the list of snap-ins appears. Choose Certificates, then choose Add. The "Certificates snap-in" dialog appears; choose the "Computer account" radio button. The "Select computer" dialog appears; choose "Local computer".

c) The "Certificates (Local computer)" snap-in node appears in the MMC left window.

Select the "Certificates (Local computer)" – "Trusted Root Certification Authorities" – "Certificates" node.

Choose the "All Tasks" – "Import..." context menu command on the "Certificates" node.

d) Import your MyRootCA.cer certificate.

"MyName Software  Root Certificate Authority" will appear in the Trusted Root Certification Authorities certificates list, in the "Issued To" and "Issued By" columns.

e) Close MMC.

Run Test1.exe. Vista should detect the publisher of this EXE file as "MyName Software Code Signing CA".

 





Re: Security for Applications in Windows Vista Unidentified program wants access

ubba1234

Many thanks to alexk59. I have spent today struggling with EXACTLY the same problem. Adding the root certificate to the computer via the snap-in was the answer. Previously, I had added it via the import certificate screens in Internet Explorer. Results as follows (for installing my 'test' signed setup exe from a network drive, with Vista's UAC enabled, as it is by default):

Root CA cert not installed: 1. First step (certificate check) fails, i.e. a dialog appears saying "unknown publisher". 2. Click continue anyway; second step (UAC check) fails, another dialog saying unknown publisher.

Add cert via IE7: 1. First step (certificate check) passes, i.e. a dialog appears correctly identifying the publisher from the certificate. 2. Click continue; second step (UAC check) fails, another dialog saying unknown publisher.

Remove cert via IE7, add it via the snap-in as per the previous step-by-step guide: 1. First step (certificate check) passes, i.e. a dialog appears correctly identifying the publisher from the certificate. 2. Click continue; second step (UAC check) passes, again with the publisher correctly identified.

So, now I know it is possible to make all these dialogs look less scary for my end users. In return for a big wad of cash. Sigh.
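A diagnostic script, added here and not part of any post in the thread, that checks the two things the thread turns on: whether the file's Authenticode signature verifies (alexk59's steps, the signtool verify /pa check above) and whether the chain's root sits in the per-machine or only the per-user Trusted Root store (AndyCadley's point, and the IE7 vs. MMC snap-in results just reported). It assumes PowerShell 2.0 or later on the Vista machine and a signed file named Test1.exe in the current directory (name taken from alexk59's example; change the parameter to suit).

```powershell
# Added diagnostic, not from the thread. Assumes PowerShell 2.0+ on the Vista box
# and a signed Test1.exe (alexk59's example file name) in the current directory.
param([string]$Path = ".\Test1.exe")

$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status          : $($sig.Status)"
if ($sig.Status -ne 'Valid') { "Status message            : $($sig.StatusMessage)" }
if ($sig.SignerCertificate -eq $null) { "No signer certificate: the file is not signed."; return }

"Signer subject            : $($sig.SignerCertificate.Subject)"
"Timestamp present         : $(if ($sig.TimeStamperCertificate) { 'yes' } else { 'no' })"

# Build the chain from the signer up to its root. A homemade test CA publishes no CRL,
# so revocation checking is switched off here; the chain errors we care about are trust errors.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$null = $chain.Build($sig.SignerCertificate)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Chain root                : $($root.Subject)"
foreach ($st in $chain.ChainStatus) { "Chain status              : $($st.Status) - $($st.StatusInformation)" }

# The thread's results: a root imported through IE lands in the per-user store and
# satisfies the file's own properties dialog but not the UAC prompt, while the same
# root in the per-machine store satisfies both. Report which store holds it.
$inMachine = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
$inUser    = Get-ChildItem Cert:\CurrentUser\Root  | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
"Root in LocalMachine\Root : $([bool]$inMachine)"
"Root in CurrentUser\Root  : $([bool]$inUser)"
if ($inUser -and -not $inMachine) {
    "Root is only in the per-user store: import MyRootCA.cer under Certificates (Local computer) in the MMC snap-in."
}
elseif (-not $inMachine) {
    "Root is not trusted on this machine: the UAC prompt will show an unidentified publisher."
}
```

Run it from an elevated PowerShell prompt if you also want to confirm the view that an elevated process gets; the store checks read both hives either way.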





Re: Security for Applications in Windows Vista Unidentified program wants access

valefar

Same here, thanks a LOT. I have been working on it for the whole day. It looks like the MS articles on the subject are not updated at all and they still refer to the signcode tool, which has already been replaced by signtool.exe.

The big step is to create a root certificate on top of which to put the signing certificate in the chain. For some reason I had tried to do this with makecert.exe but it would give me a "Too many parameters" error.

The certificate setup is not the culprit, either installing it with the mmc or with the Install context menu the result is identical and both work fine.





Re: Security for Applications in Windows Vista Unidentified program wants access

sudhech

Hi,

I have followed the setup procedure provided above by alexk59 and digitally signed just my setup.exe (wanted to see if this would relieve me of the first "Unidentified Publisher" message), not the program exe.

I have right-clicked the exe file and could see the Digital Signatures tab with "MyName Software Root Certificate Authority" and other details.

But Vista still shows me the "Unidentified Publisher" message for the Installation setup.exe file.

During the course of digitally signing, I received a "Timestamping was not successfully completed" message.

1) Could this be the cause of the reappearance of the message?

2) Or am I missing something here?

Do I need to change any User Account Control settings on the Vista computer in relation to this?

3) I am digitally signing the exe on my Windows XP computer and trying to install this digitally signed setup.exe on the Vista computer.

Please rectify.

Thank You.