We deployed a one-click App (C#/.Net) to the local network around a year ago and using a Commodo Code Signing Certificate had zero problems.
The certificate expired a couple of weeks ago so we renewed it, deleted the old cert from Visual Studio (2017 Pro), imported the new certificate and compiled for a new update, published in exactly the same way we've been doing for the last year.
However, when users update this app (and all others we've written) it's tripping the Windows 10 "SmartScreen prevented an unrecognized app from starting" dialog so users are calling support.
When we click on 'more info' it's correctly showing the publisher's name from the certificate.
I called Commodo who were completely unhelpful and said it's a "Microsoft problem" and there is nothing they or we can do about it, which makes a very expensive certificate worthless.
I also looked online and saw other people were also running into this problem but can't find any solutions.
1) Is there anything I could have done wrong in vS2017 when replacing the certificate?
2) Is there anything I can do to 'fix it' to prevent every single employee's PC displaying this dialog every time we do an update for our signed app?
The app is deployed to an SBS 2011 server on the local network and is installed from \\192.168.0.250\Install\Setup.exe (this is what the network admin wanted).
Related
Recently I have had a rather disturbing issue. Seemingly at random I get err_cert_authority_invalid errors from various websites which goes away after about 15 minutes. This is particularly bad for me because one of them is discordapp.com and the discord application suffers the same problem shutting down my ability to use discord at all. The nvidia driver site also had the same problem. I tried this on Chrome, Firefox, and Edge and got the same issue with all three browsers. As far as I know the only cause for this error is when a certificate is signed by an untrusted authority.
Upon examining the certificate data, this is what I discovered:
During the issue
Issuer: Cisco
Issued to: discord.com
Expiry: duration of the cert is only about five days but the current date is always within that five day range
After the issue passes
Issuer: COMODO
Issued to: ssl764977.cloudflaressl.com
Expiry: From May 2020 to End of November 2020
As far as I can tell, they aren't self-signed because issuer and issued-to are different. The expiration date has not passed. The only conclusion is that the issuer isn't trusted. Sadly I don't remember the before/after for the nvidia site (when it happens again, I'll get screenshots).
I was concerned that I may have a virus so I made sure that wasn't the case by doing a full reformat of my computer (it was due for one anyway). The issue still arises. Furthermore, I tried using my laptop and it doesn't experience this issue, although I only tried my laptop for a short time so maybe this intermittent problem just didn't trigger. The only thing I can think of that can be causing this is a Windows security update, but then you would think my google fu would find evidence of others experiencing the same problem right now, which it doesn't. Although there are countless similar issues from various times over decades. How can I discover the source of this problem in an effort to fix it? The problem is occurring a couple of times each day now.
For reference:
Windows 10 x64 build 1909 (No updates required)
Chrome 86.0.4240.111
Firefox 82.0
Microsoft Edge 44.18362.449.0
I have included screenshots of the traceroutes and certs here
Edit 1: Changed causes for error to only the one the comments suggested was the problem.
Edit 2: Included link with screenshots
I think I found the cuplrit. It is my workplace VPN, I forgot to disable it because it just sits hidden in my system tray and it was wreaking havoc with my DNS lookups.
This is my first time trying to deploy a VSTO add-in to a user's system, and I am running into a security barrier. The add-in was built in Visual Studio 2019 Community Edition and is meant to integrate with Microsoft Excel. The user runs Office 365.
On running Setup.exe, user receives the initial confirmation prompt and clicks "Install." A progress bar briefly appears and runs about 25% of the way, then an error message pops up: "Customized functionality in this application will not work because the certificate used to sign the deployment manifest for [the add-in] or its location is not trusted."
I understand that Microsoft would like me to pay for a signing certificate, but I am hoping to get this to work while avoiding that expense.
This article from Microsoft describes the use of a digital certificate as "an optional step": ClickOnce and Authenticode. This article states that an alternative route is for the user to click the "ClickOnce trust prompt" during installation: Grant trust to Office solutions. But as far as I understand the process, it is halted before it even gets to the ClickOnce trust prompt, so the user never gets that option.
For comparison, the user ran the installation on an older system. On that system he received the ClickOnce prompt, approved the software, and the installation ran successfully to the end. This indicates very strongly that the problem on the newer system is a security setting.
I instructed the user to open Excel and go to Options > Trust Center > Trust Center Settings > Add-Ins and remove the check mark from "Require Application Add-Ins to be signed by Trusted Publisher." There was no check mark to begin with, so that setting was not the issue.
I have instructed the user to go to the command prompt and clean out any remnants of the failed install with rundll32 dfshim CleanOnlineAppCache before each new installation attempt.
I'm at a loss as to where to look next. Any help would be much appreciated.
One relatively easy workaround: you pack the "publish" folder as ZIP file, disable any online checks or deployments (in the project settings, select to publish locally, not to a website. Installing from a website or auto-update won't work without normal certificate). Then give your user that ZIP. User downloads that ZIP, then right-click the ZIP file and checks "Unblock". Then unzips and installs normally. Now any certificate should do. This applies if your user downloads your file from the internet.
So the idea is very simple: Just tell your user to click "Unblock" checkbox before extracting files from the ZIP archive you have sent and running them.
Another solution, you simply tell the user's system to trust your "self-signed" developer's certificate (add your certificate to "Trusted Publishers" store on the user computer). For that you need admin rights. Please note that user's admins probably won't like this idea, unless you and your user work in the same organization. Here are the instructions: https://learn.microsoft.com/en-us/skype-sdk/sdn/articles/installing-the-trusted-root-certificate
The best and easiest of course would be if you buy a normal code signing certificate. They are not that expensive, you can get one from COMODO (SectiGo) for example for something like $70/year though their resellers.
On the target machine. you need to install and trust the certificate used to sign your addin (see Signing tab of your project options)
What is required for the certification process, is it a quick process? Are they certifying me/ my business or the code??
It is a quick process for the process:
Sign with valid certificate when publishing.
Add the publisher into Trusted Publisher before installing when Macro Settings is a high security level.
Finish installing.
You can obtain a certificate for code signing in one of three ways:
Purchase one from a certificate vendor.
Receive one from a group in your organization responsible for creating digital certificates.
Generate your own certificate with MakeCert.exe, which is included with the Windows Software Development Kit (SDK).
I was recently given a VB.NET project for fixing some bugs and creating an installer for it. I was told to use Install Shield LE.
All went well with creating the install script but Windows 8 is giving me a smart screen warning when downloading the application from a web site and trying to install it.
I am aware of Windows 8 policy where popular applications get more "trust points" and become popular but the application is targeted for a fairly small audience of people therefore we can not rely on this option. Even more, people without proper knowledge would be repelled by the warning message and that could cause MS to never raise the trust for the application.
My question is, do I have to sign both - the application and the installer with a certificate? If so how do I sign the installer, as there is a signing tab for the project but I can't find one for the installer.
Bonus points if anyone can tell me if acquiring a proper certificate will remove the warning message telling this isn't a commonly downloaded file and might be dangerous from chrome/IE when downloading the application. There are many threads about this, I know, but most of them suggest adding the site to webmaster tools but that hasn't helped and we're still receiving the message
Thanks.
If I have read your post correctly then you are talking about an application as opposed to a website, and for that you would need a code signing certificate. Certificates that sign websites are different so first and foremost decide what it is that you are producing and want to sign.
Having decided that then you need to decide who you will use to supply your certificate. Typical sources would be VeriSign, Thwaite or Globalsign to name but three. All charge different prices but essentially do the same thing.
Once you have the certificate then the installer that you use to build your application signs the code files you select and the actual installer (msi or exe) itself.
That should eliminate the message that you now see warning people about potentially dangerous files that they are about to download.
I cannot stress enough however that you need to be clear about which type of certificate you need BEFORE you go ahead and buy one. I think from your description you are talking about a code signing certificate but do check first.
Following CAB forum regulation you will need to have an Extended Validation code signing in order to bypass the smart screen filter.
Extended Validation code signing will establish immediate trust with the machine, as you go through a more stringent validation process to obtain it! (or at least that's the rationale behind it!)
I think you can get an extended validation code signing either from SYmantec or GLobalsign.
I upgraded to Windows 8 RTM a few weeks ago and yesterday I attempted to create a Windows Store account using my bizspark token. I get the message: "We don't recognize the computer you're using".
This is the same computer I've been using.. As I understand it I was supposed to get an email to confirm this as a new trusted computer when I upgraded. I never did. I have valid emails accounts and a phone number associated with my windows Live account.
In trying to figure it out I "deleted" the listed trusted computers, so that will happen in 30 days but if I click the Cancel the deletion I am taken to a screen that says:
"Use your existing security info to help us make sure this is you. How can we contact you? ", with the only option available being "Use my trusted PC".
I saw somewhere in some forum that Windows Essentials is supposed to help, I downloaded it and ran wlstartup.exe and if I remember correctly I had the option to make this a trusted PC. It made no difference, I'm still not trusted . If I rerun wlstartup it just gives me a dialog that says "Connect your favorite Services" with a Linked In logo. I tried it with no other apps running and logged out of Live and messenger. The file version of wlstartup is: 16.4.3503.728
I've tried devices.live.com , click the "add this computer" link and it takes me to the Essentials download page, which, as mentioned, I've already downloaded and ran.
So basically, I need to make my computer trusted ( again ) so I can get a Windows Store account, and have no idea how.
Anyone else have this problem?
Thansk,
Craig
Did you maybe reinstall windows 8. You need to trust the new PC from the old install, which is impossible, so frustratingly you have to wait 30 days before you can delete the old install and add the new trusted PC.
http://www.windowsitpro.com/article/security/windows-live-trusted-computer-143668
I want to develop an app using Adobe AIR. But I have to sign it using a code signing certificate. I don't wan to buy a code signing certificate. Would it be OK if I distribute my app with a self-signed certificate?
The only difference between using a real certificate and a self-signed certificate is what the user sees in the initial installation dialog. With a real certificated they'll see a yellow "!" and the app will shown to be of "KNOWN" origin, and your company name will be shown. With a self-signed cert, there will be a red "?", and it will say the app's publisher is "UNKNOWN". You can see samples of the two dialogs at the very bottom of this page.
So realistically, it comes down to whether you're okay with people seeing a scary warning at install time. If you're only offering up the apps as a "use at your own risk" thing, or the app will be used mainly by a small group of people who already know who you are (an internal company app, e.g.) that may not be an issue, but if you hope for random internet people to come use your app and trust it, a cert may be a good idea.
That depends on your definition of "OK", but most likely no.
A self-signed certificate will not have been issued by a trusted CA, and your certificate will be considered untrusted by the client. I don't think (but have not tested) that the user is actively prevented from installing an app with an untrusted certificate, but they would at least get a warning, and that doesn't give your user a good first impression of your app.
If it's just for yourself or for a small group of people who know and trust you, then a self-signed certificate is most likely not a problem, but if you're distributing it to the world, you will almost certainly prefer a proper certificate.
I have recently looked into developing an Air App for the company to distribute to customers. On OSX Mavericks - on my mac and my designer's mac a red warning signs pops up stating that we are an unknown publisher - This was using the self signed certificate. The whole process was clunky with the installation, I had to verify that we were legitimate, as this warning sign inferred we were a looking to distribute something underhand.
From a marketing perspective this looked terrible.
In addition to this I managed to find someone to test the whole process of downloading the air app with a self signed cert on windows with an 'average' amount IT skills and this is what they said:
"Nah I didn't download it... it looked like it wanted to put a virus on my computer." And that is where download ended.
Currently we are looking to get some seal of trust on the application for distribution purposes.
Verisign, Thawte look interesting, although costly.
http://www.symantec.com/code-signing/adobe-air
https://www.thawte.com/code-signing/
Or read this page for more information
http://help.adobe.com/en_US/air/build/WS5b3ccc516d4fbf351e63e3d118666ade46-7ff0.html