We have purchased a Code Signing Certificate from GoDaddy and signed our software, but when I try to install the app, it still says "unknown publisher" and the antivirus and firewall are axing the install. I have re-keyed the certificate and gone through the entire process four times as of today. I have no problems or errors throughout the process and successfully sign the setup.exe with signtool. What am I doing wrong?
Here's how I do it:
I re-key the GoDaddy-issued certificate with a CSR generated on my PC, checking "Make my private key exportable" as per these instructions: https://www.ssltrust.com.au/help/setup-guides/code-signing-certificates
I test my CSR using this GoDaddy CSR test tool: https://ssltools.godaddy.com/views/csrDecoder - everything OK
I submit the CSR to GoDaddy, re-key my certificate and download the new .pem and .spc
I import the .spc file with MMC->certmgr and export a .pfx as per these instructions: https://ca.godaddy.com/help/windows-install-codedriver-signing-certificate-and-create-pfx-file-2698?locale=en
In Visual Studio, I publish the unsigned application as per these instructions: https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-sign-setup-files-with-signtool-exe-clickonce?view=vs-2019
I sign setup.exe with signtool as per these instructions: https://ca.godaddy.com/help/signtool-sign-windows-code-with-a-code-signing-certificate-4778?locale=en
In cmd I run:
C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool>signtool sign /f C:\Users\plvan\Desktop\cert\key.pfx /p MyStrongPwd /tr http://tsa.starfieldtech.com /td SHA256 c:\Users\plvan\source\repos\IAD\DesktopApp1\publish\IAD1.3.0.0\setup.exe
The command is a success:
Done Adding Additional Store
Successfully signed: c:\Users\plvan\source\repos\IAD\DesktopApp1\publish\IAD1.3.0.0\setup.exe
If I run 'verify'
C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool>signtool verify /v /pa c:\Users\plvan\source\repos\IAD\DesktopApp1\publish\IAD1.3.0.0\setup.exe
the result is:
Verifying: c:\Users\plvan\source\repos\IAD\DesktopApp1\publish\IAD1.3.0.0\setup.exe
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 90941E5E4178D58CCAC2FA750C861F63440B90A7
Signing Certificate Chain:
Issued to: Starfield Root Certificate Authority - G2
Issued by: Starfield Root Certificate Authority - G2
Expires: Thu Dec 31 16:59:59 2037
SHA1 hash: B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E
Issued to: Starfield Secure Certificate Authority - G2
Issued by: Starfield Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 7EDC376DCFD45E6DDF082C160DF6AC21835B95D4
Issued to: Matrioshka Ltd.
Issued by: Starfield Secure Certificate Authority - G2
Expires: Tue Sep 28 14:19:47 2021
SHA1 hash: 5941FE2F9BC8FA31102EAB994F91AE2CEDC1FF34
The signature is timestamped: Thu Oct 01 19:02:04 2020
Timestamp Verified by:
Issued to: Starfield Root Certificate Authority - G2
Issued by: Starfield Root Certificate Authority - G2
Expires: Thu Dec 31 16:59:59 2037
SHA1 hash: B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E
Issued to: Starfield Secure Certificate Authority - G2
Issued by: Starfield Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
SHA1 hash: 7EDC376DCFD45E6DDF082C160DF6AC21835B95D4
Issued to: Starfield Timestamp Authority - G2
Issued by: Starfield Secure Certificate Authority - G2
Expires: Tue Sep 09 00:00:00 2025
SHA1 hash: 7280A5FCD8DFE11F01FE8601B15EC41A376F05E2
Successfully verified: c:\Users\plvan\source\repos\IAD\DesktopApp1\publish\IAD1.3.0.0\setup.exe
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
I suspect that I've done everything right, but the certificate itself is the problem. I called GoDaddy and they said there are no problems on their end. Any ideas?
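An added example, not part of the original post: a Python sketch that reads the `signtool verify /v` output quoted above and reports the publisher name, whether the printed chain links up to a self-issued root, and whether the timestamp falls before the signing certificate expires. The function name `summarize_verify_output` and the abridged sample are constructed for illustration.

```python
from datetime import datetime

# Constructed sample: abridged from the `signtool verify /v /pa` output in the
# post (SHA1 lines and the timestamp authority's chain are left out).
SAMPLE = """\
Signing Certificate Chain:
Issued to: Starfield Root Certificate Authority - G2
Issued by: Starfield Root Certificate Authority - G2
Expires: Thu Dec 31 16:59:59 2037
Issued to: Starfield Secure Certificate Authority - G2
Issued by: Starfield Root Certificate Authority - G2
Expires: Sat May 03 00:00:00 2031
Issued to: Matrioshka Ltd.
Issued by: Starfield Secure Certificate Authority - G2
Expires: Tue Sep 28 14:19:47 2021
The signature is timestamped: Thu Oct 01 19:02:04 2020
"""
DATE_FMT = "%a %b %d %H:%M:%S %Y"

def summarize_verify_output(text):
    """Hypothetical helper: summarize the signing chain signtool printed."""
    chain, stamped = [], None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if key == "Issued to":
            chain.append({"subject": value})
        elif key == "Issued by" and chain:
            chain[-1]["issuer"] = value
        elif key == "Expires" and chain:
            chain[-1]["expires"] = datetime.strptime(value, DATE_FMT)
        elif key == "The signature is timestamped":
            stamped = datetime.strptime(value, DATE_FMT)
        elif key == "Timestamp Verified by":
            break  # the timestamp authority's chain follows; not parsed here
    if not chain:
        raise ValueError("no signing certificate chain found")
    leaf = chain[-1]  # signtool prints the root first and the signer last
    return {
        "publisher": leaf["subject"],
        "root": chain[0]["subject"],
        "root_self_issued": chain[0]["subject"] == chain[0]["issuer"],
        # Name linkage only, as printed; signtool did the cryptographic checks.
        "links_ok": all(c["issuer"] == p["subject"] for p, c in zip(chain, chain[1:])),
        "timestamped_before_expiry": stamped is not None and stamped < leaf["expires"],
    }

if __name__ == "__main__":
    print(summarize_verify_output(SAMPLE))
```

This summarizes only what signtool printed for the one file it was given; it says nothing about other files in the publish folder.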