Why does a signed MSI give a warning when downloaded from gmail but not when copied straight from the dev machine?

I build and sign an MSI (using WiX).
If I copy it to my Win8 machine, it works perfectly.
If I gmail it then download it on the Win8 machine, I get "Windows protected your PC" - "Run anyway" or "Don't run". This is my main question, for which I cannot find answers: how does it know whether this came from a copy or was downloaded?
I am investigating this because when I sign with a timestamp server, this popup (only when downloaded from gmail) is actually saying unknown publisher even though everywhere else things look couth.

Simple: It uses Alternate Data Streams (ADS), in particular an ADS called Zone.Identifier
For more info, see this.

If you are getting "Unknown Publisher", your package is likely not signed or the signature is not trusted. The verification only happens for packages downloaded from the internet, so the fact it does not prompt you otherwise is not indicative of a successful signature.
The detection of whether the package is downloaded from the internet happens via the Mark-of-the-Web, which, as @JohannesKuhn pointed out, is implemented with an alternate stream named Zone.Identifier.
See this msdn blog for more information about MSI signing
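What both answers describe can be checked directly. The following is an added example, not code from either answer: it lists the file's NTFS streams, decodes the Zone.Identifier stream, shows the Authenticode status that the "Unknown publisher" text is actually reporting, and then removes the mark. The MSI path is a placeholder; the file must sit on an NTFS volume and the session needs Windows PowerShell 3 or later (the `-Stream` parameter is Windows-only).

```powershell
# Added example, not from the original question or answers: inspect and decode
# the Mark-of-the-Web (the Zone.Identifier alternate data stream) on a
# downloaded MSI, compare it with the Authenticode status, and remove it.
# Placeholder path; requires NTFS and Windows PowerShell 3+.
$Msi = 'C:\Users\me\Downloads\Installer.msi'

# Every NTFS file has the unnamed ':$DATA' stream; a browser- or mail-client-
# downloaded file additionally carries 'Zone.Identifier'. An MSI built locally
# never had one, and an NTFS-to-NTFS copy keeps the streams the file already
# has, which is why the copied file produces no prompt.
Get-Item -Path $Msi -Stream * | Select-Object Stream, Length

function Get-MotwZone {
    # Parses the INI-style stream and maps ZoneId to the URL security zone.
    param([Parameter(Mandatory)][string]$Path)
    $names = @{ 0 = 'LocalMachine'; 1 = 'LocalIntranet'; 2 = 'TrustedSites'; 3 = 'Internet'; 4 = 'RestrictedSites' }
    try { $ini = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop }
    catch { return [pscustomobject]@{ Path = $Path; ZoneId = $null; Zone = 'none (no Zone.Identifier stream)'; ReferrerUrl = $null; HostUrl = $null } }
    $kv = @{}
    foreach ($line in $ini) {
        # skip the [ZoneTransfer] section header, keep key=value lines
        if ($line -match '^\s*([^=\[]+?)\s*=\s*(.*)$') { $kv[$Matches[1]] = $Matches[2] }
    }
    $id = if ($kv.ContainsKey('ZoneId')) { [int]$kv['ZoneId'] } else { $null }
    [pscustomobject]@{
        Path        = $Path
        ZoneId      = $id
        Zone        = if ($null -ne $id -and $names.ContainsKey($id)) { $names[$id] } else { 'Unknown' }
        ReferrerUrl = $kv['ReferrerUrl']   # newer browsers record these; older ones write only ZoneId
        HostUrl     = $kv['HostUrl']
    }
}
Get-MotwZone -Path $Msi

# "Unknown publisher" is a statement about the signature; the mark only decides
# whether Windows evaluates it at all. Expect Status 'Valid' and your own
# certificate as Signer; 'NotSigned' or 'NotTrusted' explains the dialog.
Get-AuthenticodeSignature -FilePath $Msi |
    Select-Object Status, StatusMessage,
        @{ n = 'Signer';      e = { $_.SignerCertificate.Subject } },
        @{ n = 'Timestamped'; e = { $null -ne $_.TimeStamperCertificate } }

# Removing the mark is exactly what the Properties > Unblock checkbox does. It
# is also what malware droppers do, so only unblock a file whose signature you
# have just checked. Either cmdlet works:
Unblock-File -Path $Msi
# Remove-Item -Path $Msi -Stream Zone.Identifier
```

Run `Get-MotwZone` on the same MSI copied over from the dev machine and it reports no stream, which is the whole difference between the two cases in the question; the signature status is the same for both copies.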


WIX repackaged installer gets stuck in SmartScreen

Greetings good people of stackoverflow.
I have made an msi-installer with WIX and some custom actions built in C#. The main reason for this installer is that the original software package we want to silently install, doesn’t support this in a good way. To circumvent this issue, I extracted the files needed and put them in my own installer.
The software itself is an HMI/SCADA system containing two main types: Server and client runtimes. My focus is on the client side. This is needed to run projects made in the SCADA “IDE”.
So, my package installs the client-side SCADA, the project and my custom action creates an ODBC-connection.
The client runtime installs in the exact folders it would have been in with the original MSI, i.e. in C:\Program Files. The SCADA client project installs in C:\ProgramData. The custom action creates an ODBC connection using C# and Registry.LocalMachine. The custom action also makes some changes to some text files in the SCADA client project in ProgramData.
The installation works well when it's run from the command prompt with `msiexec /quiet /i "Installerproject.msi"`.
With all this in mind, there is one customer with an IT department that uses this package to roll out on its users' machines. They get stuck in SmartScreen and must manually push "Run anyway". The message is:
Microsoft Defender SmartScreen prevented an unrecognised app from
starting, Running this app might put your PC at risk.
App: “My installer name”
Publisher: Unknown.
I've tried using this installer on virtual machines and only with the command prompt, and it doesn't show this message.
I’m not sure what to do. Is the only way to use EV certs? Even if the original software is issued as a trusted publisher? What’s your take on this? I really need some guidance.
Best regards
Thanks Scaler for the nudge in the right direction. I have signed the installer with a code-signing certificate.

Deploy VSTO Add-In Without Signing Certificate?

This is my first time trying to deploy a VSTO add-in to a user's system, and I am running into a security barrier. The add-in was built in Visual Studio 2019 Community Edition and is meant to integrate with Microsoft Excel. The user runs Office 365.
On running Setup.exe, user receives the initial confirmation prompt and clicks "Install." A progress bar briefly appears and runs about 25% of the way, then an error message pops up: "Customized functionality in this application will not work because the certificate used to sign the deployment manifest for [the add-in] or its location is not trusted."
I understand that Microsoft would like me to pay for a signing certificate, but I am hoping to get this to work while avoiding that expense.
This article from Microsoft describes the use of a digital certificate as "an optional step": ClickOnce and Authenticode. This article states that an alternative route is for the user to click the "ClickOnce trust prompt" during installation: Grant trust to Office solutions. But as far as I understand the process, it is halted before it even gets to the ClickOnce trust prompt, so the user never gets that option.
For comparison, the user ran the installation on an older system. On that system he received the ClickOnce prompt, approved the software, and the installation ran successfully to the end. This indicates very strongly that the problem on the newer system is a security setting.
I instructed the user to open Excel and go to Options > Trust Center > Trust Center Settings > Add-Ins and remove the check mark from "Require Application Add-Ins to be signed by Trusted Publisher." There was no check mark to begin with, so that setting was not the issue.
I have instructed the user to go to the command prompt and clean out any remnants of the failed install with rundll32 dfshim CleanOnlineAppCache before each new installation attempt.
I'm at a loss as to where to look next. Any help would be much appreciated.
One relatively easy workaround: you pack the "publish" folder as a ZIP file and disable any online checks or deployments (in the project settings, select to publish locally, not to a website; installing from a website or auto-update won't work without a normal certificate). Then give your user that ZIP. The user downloads that ZIP, right-clicks the ZIP file and checks "Unblock", then unzips and installs normally. Now any certificate should do. This applies if your user downloads your file from the internet.
So the idea is very simple: Just tell your user to click "Unblock" checkbox before extracting files from the ZIP archive you have sent and running them.
Another solution: you simply tell the user's system to trust your "self-signed" developer's certificate (add your certificate to the "Trusted Publishers" store on the user's computer). For that you need admin rights. Please note that the user's admins probably won't like this idea, unless you and your user work in the same organization. Here are the instructions: https://learn.microsoft.com/en-us/skype-sdk/sdn/articles/installing-the-trusted-root-certificate
The best and easiest of course would be if you buy a normal code signing certificate. They are not that expensive; you can get one from COMODO (Sectigo), for example, for something like $70/year through their resellers.
On the target machine, you need to install and trust the certificate used to sign your add-in (see the Signing tab of your project options).
What is required for the certification process? Is it a quick process? Are they certifying me/my business or the code?
It is a quick process:
Sign with valid certificate when publishing.
Add the publisher into Trusted Publisher before installing when Macro Settings is a high security level.
Finish installing.
You can obtain a certificate for code signing in one of three ways:
Purchase one from a certificate vendor.
Receive one from a group in your organization responsible for creating digital certificates.
Generate your own certificate with MakeCert.exe, which is included with the Windows Software Development Kit (SDK).
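The "trust the self-signed certificate" route from the answers above (add it to Trusted Publishers; install and trust the certificate on the target machine; generate your own instead of buying one) is a few cmdlets. The block below is an added example, not code from any of the answers; it uses `New-SelfSignedCertificate` in place of the older MakeCert.exe. The subject name and file paths are placeholders, and the import step must run in an elevated prompt on the target machine.

```powershell
# Added example (not part of the original answers): create a self-signed
# code-signing certificate on the dev machine and make a target machine trust
# it, the modern replacement for the MakeCert.exe route. Subject and paths
# are placeholders.

# --- On the developer machine ---
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Example Add-in Dev (self-signed)' `
    -KeyUsage DigitalSignature -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation Cert:\CurrentUser\My

# Only the public half (.cer) travels to the target machine. The .pfx holds the
# private key: whoever has it can sign code that the target will trust.
Export-Certificate -Cert $cert -FilePath 'C:\temp\addin-dev.cer' | Out-Null
$pfxPwd = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath 'C:\temp\addin-dev.pfx' -Password $pfxPwd | Out-Null
# Point the project's Signing tab ("Select from File...") at addin-dev.pfx and republish.

# --- On the target machine (elevated prompt) ---
# Root: so the chain validates. TrustedPublisher: so the ClickOnce/VSTO
# installer accepts the publisher instead of failing with "not trusted".
Import-Certificate -FilePath 'C:\temp\addin-dev.cer' -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath 'C:\temp\addin-dev.cer' -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# Check that both stores now hold it (compare the thumbprint with the dev machine's).
Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\TrustedPublisher |
    Where-Object Subject -like 'CN=Example Add-in Dev*' |
    Format-List PSParentPath, Subject, Thumbprint, NotAfter

# Undo when the add-in is retired or the key is lost (run elevated):
# Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\TrustedPublisher |
#     Where-Object Subject -like 'CN=Example Add-in Dev*' | Remove-Item
```

Because the certificate is created with only the Code Signing usage, trusting it in Root does not make it a general-purpose CA on that machine, but any file signed with the matching key will be accepted there, so the .pfx should be treated like a production key. Trusting the certificate per user instead (`Cert:\CurrentUser\Root` and `Cert:\CurrentUser\TrustedPublisher`) avoids the admin-rights requirement the answer mentions, at the cost of repeating the step for every user account.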

Apps that do not perform as advertised by the developer will be rejected when sandbox mode

My app is rejected by
2.3 Apps that do not perform as advertised by the developer will be rejected
It said that the file copied into "~/Library/Fonts" failed.
It works when I test it myself, but I find that it gets a permission failure when using sandbox mode. Will the Apple reviewer accept this feedback?
thanks
Apps must work in the sandbox no exceptions allowed.
A sandboxed application cannot write to ~/Library/Fonts.
Either store the font in the app bundle and use it from there, or put up a standard file dialog asking the user to grant permission to write to ~/Library/Fonts by selecting it.
If you get stuck doing either of those ask a specific question on them showing what you've tried. Such a question is unlikely to be seen as off topic.
HTH

Digitally Signing Install Shield installer

I was recently given a VB.NET project for fixing some bugs and creating an installer for it. I was told to use Install Shield LE.
All went well with creating the install script but Windows 8 is giving me a smart screen warning when downloading the application from a web site and trying to install it.
I am aware of Windows 8 policy where popular applications get more "trust points" and become popular but the application is targeted for a fairly small audience of people therefore we can not rely on this option. Even more, people without proper knowledge would be repelled by the warning message and that could cause MS to never raise the trust for the application.
My question is, do I have to sign both - the application and the installer with a certificate? If so how do I sign the installer, as there is a signing tab for the project but I can't find one for the installer.
Bonus points if anyone can tell me if acquiring a proper certificate will remove the warning message telling this isn't a commonly downloaded file and might be dangerous from chrome/IE when downloading the application. There are many threads about this, I know, but most of them suggest adding the site to webmaster tools but that hasn't helped and we're still receiving the message
Thanks.
If I have read your post correctly then you are talking about an application as opposed to a website, and for that you would need a code signing certificate. Certificates that sign websites are different so first and foremost decide what it is that you are producing and want to sign.
Having decided that, then you need to decide who you will use to supply your certificate. Typical sources would be VeriSign, Thawte or GlobalSign, to name but three. All charge different prices but essentially do the same thing.
Once you have the certificate then the installer that you use to build your application signs the code files you select and the actual installer (msi or exe) itself.
That should eliminate the message that you now see warning people about potentially dangerous files that they are about to download.
I cannot stress enough however that you need to be clear about which type of certificate you need BEFORE you go ahead and buy one. I think from your description you are talking about a code signing certificate but do check first.
Following CAB Forum regulation you will need to have an Extended Validation code signing certificate in order to bypass the SmartScreen filter.
Extended Validation code signing will establish immediate trust with the machine, as you go through a more stringent validation process to obtain it! (Or at least that's the rationale behind it!)
I think you can get an Extended Validation code signing certificate from either Symantec or GlobalSign.
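The signing step itself, which both the WiX post above ("I have signed the installer with a code-signing certificate") and the answer here ("signs the code files you select and the actual installer (msi or exe) itself") leave implicit, looks like this with the Windows SDK's signtool.exe. This is an added example, not code from either post: it signs the program binary before it is packaged, signs the finished installer, timestamps both, and verifies the result. The signtool path, timestamp server URL, file names and "My App" description are placeholders; the certificate is assumed to be in the current user's store already (via `Import-PfxCertificate`, or an EV token's driver).

```powershell
# Added example (not from the original posts): sign the application binary
# before it is packaged, then sign the finished installer, timestamp both,
# and verify. signtool path, timestamp URL, file names and description are
# placeholders for your own values.
$SignTool = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe'  # adjust to your SDK
$Tsa      = 'http://timestamp.example.com'   # placeholder: your CA's RFC 3161 timestamp server

# Select the certificate from the store; /sha1 <thumbprint> avoids putting a
# PFX password on the command line (the /f file.pfx /p password form also works).
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } | Select-Object -First 1
if (-not $cert) { throw 'no unexpired code-signing certificate in Cert:\CurrentUser\My' }

function Invoke-CodeSign {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Description)
    # /fd SHA256: file digest algorithm. /tr + /td SHA256: RFC 3161 timestamp,
    # which keeps the signature valid after the certificate itself expires.
    & $SignTool sign /fd SHA256 /sha1 $cert.Thumbprint /tr $Tsa /td SHA256 /d $Description $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $Path (exit $LASTEXITCODE)" }
}

function Test-CodeSign {
    param([Parameter(Mandatory)][string]$Path)
    # /pa: the default Authenticode policy, the one Windows Installer and
    # SmartScreen apply; /v prints the certificate chain and the timestamp.
    & $SignTool verify /pa /v $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed for $Path (exit $LASTEXITCODE)" }
    # Same check from PowerShell, usable on a machine without the SDK.
    Get-AuthenticodeSignature -FilePath $Path |
        Select-Object Status,
            @{ n = 'Signer';      e = { $_.SignerCertificate.Subject } },
            @{ n = 'Timestamped'; e = { $null -ne $_.TimeStamperCertificate } }
}

# 1. Sign the program file(s) first: the installer packages a copy of them, so
#    signing the exe afterwards would leave the packaged copy unsigned.
Invoke-CodeSign -Path 'C:\build\MyApp.exe' -Description 'My App'
# 2. Build the MSI with WiX / InstallShield here, picking up the signed exe.
# 3. Sign the installer itself; this signature is what the download warning
#    and Windows Installer's publisher line look at.
Invoke-CodeSign -Path 'C:\build\MyApp-Setup.msi' -Description 'My App Setup'
Test-CodeSign -Path 'C:\build\MyApp.exe'
Test-CodeSign -Path 'C:\build\MyApp-Setup.msi'
```

A valid, timestamped signature replaces "Unknown publisher" with the certificate's subject name. Whether SmartScreen still labels the download "not commonly downloaded" or "unrecognized" is a separate reputation decision tied to the signing certificate, which is the point the answers above are arguing about.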

Can't make my computer a "trusted PC" with windows live account on Windows 8

I upgraded to Windows 8 RTM a few weeks ago and yesterday I attempted to create a Windows Store account using my bizspark token. I get the message: "We don't recognize the computer you're using".
This is the same computer I've been using.. As I understand it I was supposed to get an email to confirm this as a new trusted computer when I upgraded. I never did. I have valid emails accounts and a phone number associated with my windows Live account.
In trying to figure it out I "deleted" the listed trusted computers, so that will happen in 30 days but if I click the Cancel the deletion I am taken to a screen that says:
"Use your existing security info to help us make sure this is you. How can we contact you? ", with the only option available being "Use my trusted PC".
I saw somewhere in some forum that Windows Essentials is supposed to help, I downloaded it and ran wlstartup.exe and if I remember correctly I had the option to make this a trusted PC. It made no difference, I'm still not trusted . If I rerun wlstartup it just gives me a dialog that says "Connect your favorite Services" with a Linked In logo. I tried it with no other apps running and logged out of Live and messenger. The file version of wlstartup is: 16.4.3503.728
I've tried devices.live.com , click the "add this computer" link and it takes me to the Essentials download page, which, as mentioned, I've already downloaded and ran.
So basically, I need to make my computer trusted ( again ) so I can get a Windows Store account, and have no idea how.
Anyone else have this problem?
Thanks,
Craig
Did you maybe reinstall Windows 8? You need to trust the new PC from the old install, which is impossible, so frustratingly you have to wait 30 days before you can delete the old install and add the new trusted PC.
http://www.windowsitpro.com/article/security/windows-live-trusted-computer-143668