Do you sign your Windows Installer with signtool's /ac option?

Hey everyone,

I got a Code Signing certificate from comodo to sign my installers on Windows and avoid producing the Authenticode’s warning for Unknown Publisher.

I’ve implemented the signing in my build (it’s a double-signing to get the broadest support of Windows versions, executed with signtool v6.3 as per described here).

The issue I am having is that on Windows 7 and Vista (and maybe other places as well), when I first open the installer - it sometimes says Unknown Publisher. If I go in the properties of the file and inspect the certificate (it always says “certificate is OK”), then consecutive run of the installer shows the identified publisher.

In this thread and this thread, people say that signtool’s /ac option should be used (passing the AddTrustExternalCARoot.crt file path), but almost all of them say it should be required only for driver signing.

Have you dealt with this and how do you resolve it? Having the installer say Unknown Publisher in half of the runs, kind of beats the purpose of this certificate.

Have an amazing New Year’s party, tonight! Cheers!

We’re code signing. never investigated it that much. but it does work fine on Windows 7.
(we don’t test Vista).

Only thing you should double-check is your binary is on local media.
If it’s on network (most Virtualization software out there will also mount your actual machine as network). then it would trigger a warning anyway.

Yeah, I am copying it to the vm’s drive before running the installer.

At first I thought that copying it may somehow damage the signature (I think I’ve seen such issue on OS X), but that’s not it.

I wonder if it is an issue with the way Windows retrieves the root CA certificate (hence the inclusion through signtool’s /ac option). Do you have an idea how does Windows resolve the CA on a fresh install of the OS?