mtrojnar / osslsigncode

OpenSSL based Authenticode signing for PE/MSI/Java CAB files

Publisher Unknown because the intermediate CA cert is not signed into the PE #337

Closed gushengyuan closed 5 months ago

gushengyuan commented 6 months ago

I have signed PE files with a DigiCert EV cert using the command below:

osslsigncode sign -verbose -pkcs11engine C:/Windows/pkcs11.dll -pkcs11module C:/Windows/System32/eToken.dll -h sha256 -ts http://sha256timestamp.ws.symantec.com/sha256/ -pkcs11cert "pkcs11:<key-value pairs>;type=cert" -key "pkcs11:<key-value pairs>;type=private" -pass "xxxxxx" -in D:/01Workspace/CodeSign/demo.exe -out D:/01Workspace/CodeSign/demo2.exe

And then this demo2.exe is blocked by Windows UAC at launch; the UAC prompt says: Publisher: Unknown

Verifying the signature with osslsigncode verify -in demo2.exe

I found that there is only 1 certificate in this executable file:

Number of certificates: 1
        Signer #0:
                Subject: /C=CN/ST=demo/OU=DEVOPS. Dep./CN=demo
                Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Code Signing CA-1
                Serial : 06E1BA1FFFFFFF38CC683BD697FFFFFF
                Certificate expiration date:
                        notBefore : Mar 24 00:00:00 2020 GMT
                        notAfter : Mar 29 12:00:00 2023 GMT

That means the DigiCert intermediate CA is not signed into demo2.exe.

Referring to "Code signing with osslsigncode - Publisher Unknown", I replaced -pkcs11cert with -certs, put both the user cert and the DigiCert intermediate CA in one file, and it works for me. osslsigncode verify shows that both the user cert and the intermediate CA are in demo2.exe.

I tried signing with SignTool, and apparently it works without any problem.

Is it possible for osslsigncode to sign both the user cert and the intermediate CA cert like SignTool does, passing only the user cert via the -pkcs11cert parameter?
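A check for the symptom described in this post (the signature carries only the leaf cert, so Windows cannot build the chain unless it already has the intermediate), added here as an example and not taken from the issue or from osslsigncode: given the raw PKCS#7 DER blob of a PE's Authenticode signature (for instance as written by osslsigncode extract-signature), it walks the ASN.1 and counts the entries of the SignedData certificates field, the figure osslsigncode verify prints as "Number of certificates". The sample input is constructed inline; its placeholder certificates are not real X.509 structures.

```python
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2

def der_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length

def der_children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve, pos = der_tlv(buf, pos)
        yield tag, vs, ve

def count_embedded_certs(pkcs7: bytes) -> int:
    """Number of certificates in the SignedData 'certificates' field (0 if absent)."""
    tag, vs, ve, _ = der_tlv(pkcs7, 0)                   # ContentInfo SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    content_type, content = list(der_children(pkcs7, vs, ve))[:2]
    if pkcs7[content_type[1]:content_type[2]] != OID_SIGNED_DATA:
        raise ValueError("ContentInfo is not signedData")
    _, sd_start, sd_end, _ = der_tlv(pkcs7, content[1])   # [0] EXPLICIT -> SignedData
    for tag, cs, ce in der_children(pkcs7, sd_start, sd_end):
        if tag == 0xA0:                                   # certificates [0] IMPLICIT SET
            return sum(1 for _ in der_children(pkcs7, cs, ce))
    return 0

def der_encode(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def sample_signed_data(num_certs: int) -> bytes:
    """Constructed ContentInfo/SignedData carrying num_certs placeholder certs."""
    certs = b"".join(der_encode(0x30, der_encode(0x04, bytes([i]) * 200))
                     for i in range(num_certs))          # 200-byte bodies force long-form lengths
    signed_data = (der_encode(0x02, b"\x01")             # version
                   + der_encode(0x31, b"")               # digestAlgorithms
                   + der_encode(0x30, der_encode(0x06, b"\x2a\x03"))  # encapContentInfo
                   + (der_encode(0xA0, certs) if num_certs else b"")
                   + der_encode(0x31, b""))              # signerInfos
    return der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA)
                      + der_encode(0xA0, der_encode(0x30, signed_data)))
```

A count of 1 on a real blob matches the output quoted above: only the signer's own cert is embedded, and the -certs file must carry the intermediate as well.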

mtrojnar commented 5 months ago

Is it possible for osslsigncode to sign both the user cert and the intermediate CA cert like SignTool does, passing only the user cert via the -pkcs11cert parameter?

osslsigncode signs code, and not certs. You need a CA to sign certs.