Signing Applications with a Trusted Certificate

RobertbNZ (Active member, joined Jun 26, 2020)
I want to sign my software with a trusted certificate, so that I don't get the steps "Windows Protected your PC" when it is downloaded. How do I do this?

Detail
I am developing software with Visual Studio, and the builds (ClickOnce manifests and assembly) are signed using a certificate originally created with [Create Test Certificate]. The software can be downloaded and installed with Internet Explorer and with Edge. Everything works correctly, but the download process includes these steps:
  1. Windows Protected your PC with a link <More Info> and a button [Don't run]
  2. Click <More Info> to expose [Run Anyway]
  3. Click [Run Anyway]
From [Run Anyway] the software installs and runs correctly. However the extra steps suggest a security issue to my users and I'd like to get rid of them.

In Visual Studio, with the project open, the Signing tab's [Select Certificate from Store] showed some information and a link <Click here to view certificate properties>. This showed me that the certificate I was using was not trusted - see Snap 1.

I clicked [Install Certificate] and followed the dialog, selecting the default choices. Now, returning to the Signing tab [More details] shows me the same as Snap 1 except that button [Install Certificate] has disappeared.

Will this fix the "Windows Protected your PC" problem when I next publish the software, or is there something more that I need to do?

Thank you, Robert.

Snap 1

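The check behind the Signing tab's "not trusted" message can be run directly against the published output, which is what a practitioner would do before and after changing certificates. The following PowerShell function is an added example, not code from the original thread or from Visual Studio; the file path is an assumption. It reports the Authenticode status, whether the signer is self-signed, whether the certificate carries the Code Signing EKU, why the chain fails to build if it does, and whether the root sits in the per-user or the machine-wide Trusted Root store.

```powershell
# Added example, not code from the original thread. Checks whether a signed
# ClickOnce artefact (setup.exe, the .exe in the publish folder, or a signed
# assembly) chains to a root that THIS machine trusts, and why it fails if not.
function Test-CodeSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File          = $Path
        Status        = $sig.Status          # 'Valid' only if the chain ends in a root trusted here
        StatusMessage = $sig.StatusMessage
    }
    if (-not $sig.SignerCertificate) { return [pscustomobject]$result }

    $cert = $sig.SignerCertificate
    $result.Subject = $cert.Subject
    $result.Issuer  = $cert.Issuer
    # Subject == Issuer means self-signed: no CA vouches for it, so only machines
    # where that certificate was manually installed as a root will report Valid.
    $result.SelfSigned = ($cert.Subject -eq $cert.Issuer)

    # Authenticode requires the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3).
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $result.HasCodeSigningEku = [bool]($eku.EnhancedKeyUsages |
        Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })

    # Build the chain explicitly so the exact failure (UntrustedRoot,
    # RevocationStatusUnknown, NotValidForUsage, ...) is visible.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $null = $chain.ChainPolicy.ApplicationPolicy.Add(
        (New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'))
    $result.ChainBuilds = $chain.Build($cert)
    $result.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # The Certificate Import Wizard defaults to the Current User store location,
    # so a root installed with the default choices is trusted for this user only.
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $result.RootInCurrentUserRoot  = [bool](Get-ChildItem Cert:\CurrentUser\Root |
            Where-Object { $_.Thumbprint -eq $root.Thumbprint })
        $result.RootInLocalMachineRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
            Where-Object { $_.Thumbprint -eq $root.Thumbprint })
    }

    [pscustomobject]$result
}

# Usage (the path is an assumption; point it at your own publish output):
Test-CodeSignature -Path 'C:\publish\setup.exe' | Format-List
```

A Valid status on the development machine after installing the test certificate says nothing about a customer's machine, which has no such root; running this check there, or on a clean VM, is what matters. Note also that the "Windows protected your PC" prompt is Microsoft Defender SmartScreen, which weighs publisher reputation as well as signature validity, so even a freshly issued certificate from a public CA can still trigger it until reputation accrues.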
 
Where is this application supposed to be installed? If it is on any arbitrary machine, why would such a machine trust a certificate issued by your development machine, given that any hacker with malicious intent could do the same thing? The whole point here is trust. You ought to do some reading about certificates and trusted sources. I can't imagine that the documentation related to ClickOnce publishing doesn't at least touch on this point.
 
As I recall, our OP is working in a corporate environment. Most companies which are Microsoft shops will have Active Directory set up. If that is the case, he can work with his IT department to get a code signing certificate that is trusted within his company.

Otherwise, the other way to get a code signing cert is to pay big bucks for one. It's strange how SSL certs are now dirt cheap, but code signing certs are still at the same price point they were at in the 90's.

As I recall, from the ClickOnce deployment documentation, there is also a way to make the distribution point of the ClickOnce app a trusted location without needing code signing. I just don't recall the details because when I was first considering ClickOnce for a LOB app, the app owners didn't want to go with that distribution route.
 
I'm trying to sell my software around the world, so there is potentially an insurmountable trust issue anyway. Let's suppose that I had a trusted code signing cert issued to Jazz Software Ltd. Neither an SSL cert turning http into https, nor a code signing certificate on the downloaded software, guarantees that the web site or the software is not delivering malware. An SSL cert only guarantees that malware can't be inserted into the messages between the web site and the recipient, but doesn't guarantee that I didn't insert malware into the web site, and a code signing certificate guarantees that the software hasn't changed since it was published, but doesn't guarantee that I didn't insert malware into the software. So even an untrusted certificate does that. My marketing is building up the trust needed to get people to evaluate the software, and I'd still like to avoid the appearance of a lack of trust. So how do I get a code signing certificate issued to Jazz Software? Without spending a fortune: Jazz Software Ltd is currently just me, and it doesn't have an income flow (yet - I hope this changes soon), so I'm not wanting to spend big bucks.

I've read as widely as I could about publishing software, but I've obviously missed some key references. I'd appreciate some helpful links.

Thank you, Robert Barnes
 