The publisher could not be verified. Are you sure you want to run this software?

We run our own application through a share as follows:

     \\server\share\app.exe /cmdline

At one site we get this Windows security warning:

       'The publisher could not be verified. Are you sure you want to run this software'

Now we tried adding a version/manufacturer stamp to the exe through the C compiler, but that doesn't fix it. At the site where the warning is produced the server is in the domain, and the problem even happens when you try it from the server itself (it doesn't happen when you run c:\share\app.exe, but it does through the share as above).

Questions.

1. How easy is it to get an EXE stamped with a digital signature?
2. Any way of stopping this warning message without access to GP, and without adding the share to trusted sites on each computer?

thanks
Paul

Asked by: plq (LVL 8)
 
rbvoigt commented:
It is possible to tighten settings on the Trusted Sites zone to block unsigned apps as well... use the Internet Tools dialog to configure.
0
 
Dariusz Dziara (Programmer) commented:
Do you mean authenticode ?

I am not sure about details but:

> 1. How easy is it to get an EXE stamped with a digital signature

There are some utility applications used in the signing procedure.
You will have to acquire a certificate from a Certification Authority like Verisign or Thawte.
In general, technically it is quite a simple procedure.

see this:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/creating_viewing_and_managing_certificates.asp

============================
http://www.mvps.org/marksxp/WindowsXP/SP2/common.php#publisher

"After downloading a program from the Internet I am shown a message saying 'The publisher could not be verified. Are you sure you want to run this software?'

This message is shown when you download an application from the Internet and the publisher of the software has not digitally signed the application. This does not necessarily mean the file is a fake or virus but files which come from large companies such as Microsoft should be signed so you can be certain of their origin. "

I found this suggestion to disable such warning - Windows XP SP 2

http://www.teamsoftwaresolutions.com/phpBB2/viewtopic.php?p=2175&
(see below)
********
To disable this dialog set or add the following string in the Windows Registry.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe"
********
0
 
plq (author) commented:
Thanks for this.

Do you think that creating a certificate on a local 2003 box and then running it through sign.exe would stop the error? I'm wondering if there's a reason for having Thawte or Verisign certs as opposed to generating your own?
0

 
plq (author) commented:
Also, we don't want the exe to load more slowly because its code is encrypted! It must perform 100%. I'm thinking certifying an exe would slow down its opening process? The exe is 80kb.
0
 
Dariusz Dziara (Programmer) commented:
Certificates for Verisign or Thawte are built into the operating system. You can use your own certificates, but you will have to register your Certification Authority on every machine you want to use it on.
It will then appear in Internet Explorer:
Tools->Internet Options...
tab "Content" button "Certificates" and then tab "Root Trusted Certification Authorities"
0
 
Dariusz Dziara (Programmer) commented:
"Also we don't want the exe to load more slowly because its code is encrypted".
I think that signing code doesn't imply encryption (I won't give my head).
It is only to show who has published the executable and that nobody tampered with it later.
0
 
r-k commented:
Yes, that's correct. Signing the code does not encrypt or slow it down (other than the initial overhead of checking the signature).
0
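As an added illustration of the point made in the two comments above (this is not code from the thread): Authenticode keeps the signature in a certificate table that PE data directory entry 4 points to, appended to the file, and the code sections stay as they were. The names `pe_cert_table` and `make_sample` are hypothetical, and the sample image is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rd16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | rd16(p + 2) << 16; }

/* Find the Authenticode data in PE image f[0..n). Returns 1 and sets *off/*len (file
 * offset and size of the certificate table) if signed, 0 if unsigned, -1 if malformed. */
int pe_cert_table(const uint8_t *f, size_t n, uint32_t *off, uint32_t *len)
{
    if (n < 0x40 || f[0] != 'M' || f[1] != 'Z') return -1;
    uint32_t pe = rd32(f + 0x3c);                  /* e_lfanew */
    if (pe > n - 24 || memcmp(f + pe, "PE\0\0", 4)) return -1;
    uint32_t optlen = rd16(f + pe + 20), dirs;     /* SizeOfOptionalHeader */
    const uint8_t *opt = f + pe + 24;
    if (optlen < 2 || optlen > n - pe - 24) return -1;
    dirs = rd16(opt) == 0x10b ? 96 : rd16(opt) == 0x20b ? 112 : 0; /* PE32 / PE32+ */
    if (!dirs) return -1;
    /* Directory entry 4 is the certificate table; absent or zero means unsigned. */
    if (optlen < dirs + 40 || rd32(opt + dirs - 4) < 5) return 0;
    *off = rd32(opt + dirs + 32);                  /* a file offset, not an RVA */
    *len = rd32(opt + dirs + 36);
    if (*off == 0 || *len == 0) return 0;
    if (*len < 8 || *off > n || *len > n - *off) return -1;
    return 1;
}

/* Constructed sample: a 0x200-byte header-only PE32 image. With sig != 0 an
 * 8-byte WIN_CERTIFICATE header is appended and directory 4 points at it. */
size_t make_sample(uint8_t *b, int sig)
{
    memset(b, 0, 0x208);
    b[0] = 'M'; b[1] = 'Z'; b[0x3c] = 0x40;
    memcpy(b + 0x40, "PE\0\0", 4);
    b[0x54] = 224; b[0x58] = 0x0b; b[0x59] = 0x01; /* opt. header size, magic 0x10b */
    b[0x58 + 92] = 16;                             /* NumberOfRvaAndSizes */
    if (!sig) return 0x200;
    b[0x58 + 96 + 33] = 0x02; b[0x58 + 96 + 36] = 8; /* entry 4: offset 0x200, size 8 */
    b[0x200] = 8; b[0x205] = 0x02; b[0x206] = 0x02;  /* dwLength 8, rev 0x0200, type 2 */
    return 0x208;
}

int main(void)
{
    uint8_t img[0x208]; uint32_t off = 0, len = 0;
    int r = pe_cert_table(img, make_sample(img, 1), &off, &len);
    printf("signed=%d offset=0x%x size=%u\n", r, (unsigned)off, (unsigned)len);
    return 0;
}
```

Certificate type 2 in the `WIN_CERTIFICATE` header marks a PKCS#7 SignedData blob; the loader never decrypts anything, and the signature is checked by hashing the file contents.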
 
plq (author) commented:
One more question..

How can I get my systems to reproduce the problem? When I download the file from a webserver and just run it, it runs first time without warning. I have domain and non-domain test environments ????

thanks
0
 
rbvoigt commented:
Creating your own certificate using server 2003 and signing with sign.exe is the best option.  Make sure you do the advanced usage... certificate for code signing thing, by default you get an SMIME certificate.  The user will still be prompted once, but by checking the "always trust from YourCompany" box they'll never be asked again.  Or, you can add yourself to the Trusted Publishers list by doing a push through SMS.

The reason for the prompt is, when using a UNC path, your program is running in the Local intranet zone instead of My computer zone.  You could also adjust the settings for the Local intranet zone (in Internet Explorer).... but don't mark .exe "low-risk" or you'll be infected by every worm on the internet.
0
 
plq (author) commented:
Thanks for this. Any ideas why it doesn't happen on my local network? Or how to change settings to make it happen?
0
 
itsmeandnobodyelse commented:
>>>> Any ideas why it doesn't happen on my local network ?

Didn't you read the last comment of rbvoigt? The local network runs in the 'My computer zone' which has different security limitations.

>>>> or how to change settings to make it happen ?

You could try to define a local mapping by

    net use x: \\server\share

or

    subst x: \\server\share

which should work if 'x' isn't used and the current user has permission (normally via domain login); run the app from x:\ after that.

You could do it programmatically by using the system call:

   #include <process.h>
   ...

   system("net use x: \\\\server\\share");

Note, you need to duplicate \ character if used in a literal.

Regards, Alex
0
 
plq (author) commented:
>> Didn't you read the last comment of rbvoigt? The local network runs in the 'My computer zone'

Yes. Even when I run from domain server across to workgroup pc it works ok on our network. The site where the problem happens is running on a local network with client and server inside the same domain. What I need to get to is being able to make the problem happen on my local network so I can experiment with different settings etc.

At the site where the problem happens we added \\server\share as a trusted site and the problem did not go away
0
Question has a verified solution.
