Unknown publisher error occurs after signing files with a Code Signing Certificate for Microsoft Authenticode issued after October 10th, 2010

Solution ID:    SO16958    Updated:    03/15/2016

Problem

An Unknown publisher error occurs after signing files with a Code Signing Certificate for Microsoft Authenticode. The error occurs during the download process on some devices/client machines.

Cause

The code signing certification path was updated on October 10th, 2010 to include two intermediate CAs.

This creates two possible certification paths - one terminating at the G5 Root and the other terminating at the G1.3/G1.5 Root (depending on which is installed on the client machine).

The Unknown publisher error can/will occur if the signature on the application includes only the End Entity certificate > G3 Intermediate CA.

A signature block that contains only the End Entity certificate > G3 Intermediate CA requires the validating device to have the G5 root installed.

Not all client machines or devices have the G5 Root certificate installed.

Solution

For backwards compatibility when validating a signed file, the developer signing the code must include both intermediate CAs within the signature block. To ensure that a proper signature is applied to the signed code, do the following:

  1. Install both Code Signing Intermediate CAs on the machine used to sign the code. Download the code signing CAs.
     
  2. Disable the G5 Root certificate on the signing machine.
    To disable the G5 Root, locate and disable the VeriSign Class 3 Public Primary Certification Authority - G5 Root CA certificate as follows:
     
    1. Create a Certificate Snap-In in Microsoft Management Console (MMC)
    2. With the MMC and the Certificates snap-in open, expand the Trusted Root Certification Authorities folder on the left and select the Certificates sub-folder.
    3. Locate the following certificate:
      Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
      Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
      Expiration Date: 7/16/2036
      Serial Number: 18 da d1 9e 26 7d e8 bb 4a 21 58 cd cc 6b 3b 4a


       
    4. If this certificate is present, it must be disabled.
    5. Right click the Certificate
    6. Select Properties
    7. In the Certificate purposes section, select Disable all purposes for this certificate
    8. Click the OK button
    9. Close the MMC - there is no need to save console settings

     
  3. Import the two intermediate certificates previously downloaded:
    • Issued to: VeriSign Class 3 Code Signing 2010 CA
      Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
      Valid from: 2/7/2010 to 2/7/2020
      Serial Number: 52 00 e5 aa 25 56 fc 1a 86 ed 96 c9 d4 4b 33 c7

      and
       
    • Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
      Issued by: Class 3 Public Primary Certification Authority
      Valid from: 11/7/2006 to 11/7/2021
      Serial Number: 25 0c e8 e0 30 61 2e 9f 2b 89 f7 05 4d 7c f8 fd
       
     
  4. The Code Signing Certificate for Microsoft Authenticode now has a complete chain of trust. Please re-sign your files.
    Note: If you reference a PFX file to sign your files, please see the following solution to generate a new PFX file.
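
Why the steps above change the outcome, as an added example that is not part of the original article: a simplified path-building model using the certificate names from steps 2 and 3. The end-entity name, the helper names and the rule that the signer embeds the shortest chain to a trusted root (minus the root) are assumptions; signatures, validity dates and network retrieval of missing certificates are ignored.

```python
# Simplified path-building model (added example). Certificate names are from
# the article; the end-entity name and selection rule are assumptions.
from collections import namedtuple

Cert = namedtuple("Cert", "name subject issuer")
CS2010 = "VeriSign Class 3 Code Signing 2010 CA"
G5 = "VeriSign Class 3 Public Primary Certification Authority - G5"
PCA = "Class 3 Public Primary Certification Authority"

LEAF = Cert("end-entity", "Example Publisher (constructed)", CS2010)
INTERMEDIATE = Cert("code-signing-2010", CS2010, G5)
G5_CROSS = Cert("g5-cross", G5, PCA)   # G5 certified by the older root
G5_ROOT = Cert("g5-root", G5, G5)      # self-signed G5 root
PCA_ROOT = Cert("pca-root", PCA, PCA)  # older root (G1.3/G1.5 in the article)
SIGNING_STORE = [INTERMEDIATE, G5_CROSS]  # step 3: both intermediates imported


def build_chain(leaf, pool, trusted_roots):
    """Shortest leaf-to-trusted-root path by issuer/subject name, else None."""
    best, stack = None, [[leaf]]
    candidates = list(pool) + list(trusted_roots)
    while stack:
        path = stack.pop()
        tip = path[-1]
        if tip in trusted_roots:
            if best is None or len(path) < len(best):
                best = path
        elif tip.subject != tip.issuer:  # untrusted self-signed cert: dead end
            stack.extend(path + [c] for c in candidates
                         if c.subject == tip.issuer and c not in path)
    return best


def signature_block(trusted_roots):
    """Assumption: the signer embeds the chain it built, minus the root."""
    chain = build_chain(LEAF, SIGNING_STORE, trusted_roots)
    return chain[:-1] if chain else None


def client_accepts(block, client_roots):
    """The client uses only the embedded certificates plus its own roots."""
    return build_chain(block[0], block[1:], client_roots) is not None


if __name__ == "__main__":
    for label, roots in [("G5 root enabled", [G5_ROOT, PCA_ROOT]),
                         ("G5 root disabled", [PCA_ROOT])]:
        block = signature_block(roots)
        print(label, [c.name for c in block],
              "old-root client:", client_accepts(block, [PCA_ROOT]),
              "G5 client:", client_accepts(block, [G5_ROOT]))
```

With the G5 root enabled on the signing machine, the modelled signature block stops at the Code Signing 2010 CA and a client holding only the older root cannot build a path, which is the Unknown publisher case described under Cause.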
