
I have a Thawte certificate to sign my InstallShield setup. When we updated our certificate this year, it now depends on intermediate certificate "thawte code signing ca - g2".

We fear that many of our customers might not have this intermediate root certificate installed (in fact our own build server did not have it and so build had started to fail after renewing the certificate) and thus they will get the "unverified publisher" error.

What is the best practice to distribute that intermediate certificate? Is there any way to change the certification path so that it just depends on more common "thawte code signing ca"?

I would greatly appreciate any help.

Thanks, Sanjay

Sanjay Singh

2 Answers


I finally figured out the issue. It turns out there is an option to include certificate roots in the pfx file when you export it. Following is what I followed on my Windows machine where I had installed the certificate that I got from Thawte.

1. Open certificate store from Start->Run->certmgr.msc
2. Export the certificate.
3. Ensure to select to include private key as well.
4. Then you get an option to include root certificates - this is unchecked by default. Check it.

Sanjay Singh
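The check that goes with the export steps above, written as an added PowerShell example (it is not code from the original question or answer). It assumes the exported PFX sits at C:\certs\codesign.pfx (a placeholder path) and that the PKI module's Get-PfxData cmdlet is available (Windows 8 / Server 2012 or later). It reports how many chain certificates the PFX carries, then builds the signing certificate's chain twice with the .NET X509Chain class: once against the machine's own stores, which is what a customer's PC sees when the signature does not embed the intermediate, and once with the PFX's extra certificates offered as well.

```powershell
# Added example, not from the original question or answer. The PFX path is a
# placeholder; the script needs the PKI module (Get-PfxData).
param([string]$PfxPath = 'C:\certs\codesign.pfx')

$password = Read-Host -AsSecureString -Prompt 'PFX password'
$pfx  = Get-PfxData -FilePath $PfxPath -Password $password
$leaf = $pfx.EndEntityCertificates[0]

Write-Host "Signing certificate : $($leaf.Subject)"
Write-Host "Issued by           : $($leaf.Issuer)"
Write-Host "Chain certs in PFX  : $($pfx.OtherCertificates.Count)"
$pfx.OtherCertificates | ForEach-Object { Write-Host "    $($_.Subject)" }

if ($pfx.OtherCertificates.Count -eq 0) {
    # Exported without "include all certificates in the certification path":
    # signtool will embed only the end-entity certificate in the signature.
    Write-Warning 'No intermediate/root certificates in this PFX; re-export with the chain included.'
}

# Builds the chain for the signing certificate. With $ExtraCerts empty only the
# machine's stores are consulted; with the PFX's extra certificates added to
# ExtraStore the intermediate is available, as it is when the signature embeds it.
# Caveat: when online, Windows may fetch a missing intermediate through the
# certificate's AIA URL, so test the "machine stores only" case on an offline or
# clean machine to reproduce what a customer without the intermediate sees.
function Show-Chain([string]$Label, $ExtraCerts) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if ($ExtraCerts) { $chain.ChainPolicy.ExtraStore.AddRange($ExtraCerts) }
    $built = $chain.Build($leaf)
    Write-Host "`n$Label -> chain builds: $built"
    # Elements run from the signing certificate up to the top of the path; the
    # last subject printed is the root whose name to look for in a trust program list.
    foreach ($el in $chain.ChainElements) { Write-Host "    $($el.Certificate.Subject)" }
    foreach ($s in $chain.ChainStatus)    { Write-Host "    status: $($s.Status)" }
}

Show-Chain 'Machine stores only' $null
Show-Chain 'Machine stores + certificates from PFX' $pfx.OtherCertificates
```

A PartialChain status in the first run together with a successful second run is the symptom described in the question: the intermediate is neither on the machine nor in the signature. If the second run also fails with UntrustedRoot, the chain ends at a root the machine does not trust, and including the chain in the PFX will not help.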

Microsoft has a trusted root program that currently contains the following members:

Windows Root Certificate Program - Members List (All CAs)

For applications distributed to the general public, the best practice is to get a code signing certificate backed up by one of these roots. For internal enterprise applications (IT, DoD, etcetera) you can use others provided that you have a means in place of distributing the roots for your cert. InstallShield cannot currently do this directly but it's possible using custom actions that call CAPI / CAPICOM / .NET X509 classes.

BTW, when you look at the certificate details, look all the way up to the first entry to know who the root is. For example my cert says COMODO Code Signing 2 but then above that it says USERTrust. When I view the USERTrust certificate it says "UTN-UserFirst-Object". That name is then found on the Microsoft web page linked above.

Christopher Painter
  • Thank you very much Chris for the detailed explanation. So I looked into that link and found "thawte code signing ca-G2" is not listed there. When a user does not have this certificate installed and he tries to look at properties of our setup.exe, he sees "The certificate in the signature cannot be verified". So, even if we do some coding to install the certificate on a custom action, we are not going to fix this particular issue. I guess the only option for me now is to get a certificate backed up by any of the ones listed on the above mentioned link? – Sanjay Singh Mar 26 '12 at 11:46
  • If you want it to work on the most machines possible without any intervention, yes. Google "code signing on the cheap" for information related to the provider that I use. – Christopher Painter Mar 26 '12 at 12:29
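The store update that the second answer says a custom action can perform with the .NET X509 classes, as an added PowerShell example (not code from the answer or from InstallShield). The certificate path and the installer path are placeholders. An intermediate certificate goes into the LocalMachine\CA store (Intermediate Certification Authorities); a self-signed certificate is a root, and adding one to LocalMachine\Root is a trust decision, so the script only does that when the hypothetical -AllowRoot switch is given. It must run elevated to write LocalMachine stores.

```powershell
# Added example, not from the original answer. Paths are placeholders; run
# elevated because it writes to LocalMachine certificate stores.
param(
    [string]$CertPath   = 'C:\build\intermediate-ca.cer',
    [string]$SignedFile = 'C:\build\setup.exe',
    [switch]$AllowRoot                      # hypothetical switch: permit installing a root
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# Pick the store from the certificate itself: self-signed means root.
$isRoot = ($cert.Subject -eq $cert.Issuer)
if ($isRoot -and -not $AllowRoot) {
    throw "$($cert.Subject) is self-signed (a root); re-run with -AllowRoot only if that trust decision has been made."
}
$storeName = if ($isRoot) { 'Root' } else { 'CA' }

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    if ($store.Certificates.Contains($cert)) {
        Write-Host "$($cert.Subject) already present in LocalMachine\$storeName."
    } else {
        $store.Add($cert)
        Write-Host "Added $($cert.Subject) to LocalMachine\$storeName."
    }
} finally {
    $store.Close()
}

# Re-check the installer: Status should be Valid once the full path to a
# trusted root can be built from the signature plus the machine's stores.
Get-AuthenticodeSignature -FilePath $SignedFile | Select-Object Status, StatusMessage
```

Installing the intermediate into the CA store is what makes a signature that only embeds the end-entity certificate verifiable on that machine; it does nothing for a chain whose root the machine does not trust, which is the case the second answer's root-program list is meant to rule out before buying the certificate.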