#3082 Signed installer gives "Unidentified publisher" errors

future
migrated
nobody
burn (480)
2013-08-21
2012-09-10
No

I've got a fully reproducible issue with signed installers. I've properly signed my installer using MSBuild tasks according to WiX documentation. I've then copied the installer to local disk on a virtual machine with fresh Vista SP2 installation. The VM has an Internet connection and it has been fully updated. When I run the installer and I get to the point of privilege elevation, I get "Unidentified Publisher" message.

The problem doesn't manifest when running the installer directly from network share. It doesn't happen when the installer is downloaded from Internet either. It also doesn't happen with plain MSI files. It's specific to Burn installers started from local disk that got to the machine without triggering separate certificate validation (e.g. via copy from network share).

Apparently Vista and Windows 7 install root certificates on-demand when they need to verify an application. Fresh Vista/7 contains next to no root certificates. Running from Internet or from network share triggers signature verification which in turn triggers download of the root certificate. There's no such verification when starting executables from local disk, which means it's up to Burn to trigger the root certificate download before running its embedded engine. Apparently Burn either doesn't trigger such verification or triggers it incorrectly. It somehow manages to run the embedded burn engine without triggering root certificate update. Burn engine is then reported as unsigned due to broken certificate chain.

Discussion

  • Rob Mensching

    Rob Mensching - 2012-09-10

    That dialog box is the UAC prompt and comes from Windows. Burn is not involved in the display nor the verification of the executable at that point. Burn simply launches the new process via ShellExecute() with "runas" so the UAC prompt will be displayed (otherwise the proces execution fails).

    I suppose it is possible that UAC does not download certificates as you suggest but wouldn't know for sure.

     
  • Rob Mensching

    Rob Mensching - 2013-08-21
    • Status: open --> migrated
     

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks