Unknown publisher and downloads

I'm not sure if this is the correct places to ask this but I
can't seem to
find a more appropriate venue.

We have an application that we sign with a strong name.

We are using a Setup project to build the installer.

If I double click the .msi on my machine, or copy it over
the network to a
different computer and run it, then it works fine.  No
warning about Unknown
Publisher appears.

However if I copy the file to our ftp server and download
via ftp or http
then when the file is double clicked an Unknown Publisher
warning is
presented.

If the file is compressed, copied up, downloaded, and then
uncompressed the
same error occurs.

I can't figure out what I need to do so that this Unknown
Publisher warning
will not appear when customers download our app from our
website.

Any help is appreciated.

Thanks,
-Mont

===================================
This list is hosted by DevelopMentorŪ  http://www.develop.com

View archives and manage your subscription(s) at http://discuss.develop.com

The warning isn't about an unknown publisher, it's about the
file came from
an untrusted source.

I'm pretty sure this behavior was new to XP SP2. Download
any potentially
executable file from the internet zone and it gets marked
with an alternate
data stream in NTFS indicating it is untrusted and requiring
user approval.
Right-click your file, go to properties and right on the
first tab (General)
click the "Unblock" button.

If you sign your files, the user will be presented with your
name instead of
"Unknown Publisher" and they can increase their
trust level of your
download.

Adam..

-----Original Message-----
From: Discussion of advanced .NET topics.
[mailto:ADVANCED-DOTNETDISCUSS.DEVELOP.COM] On Behalf Of Mont
Rothstein
Sent: Friday, December 07, 2007 3:56 PM
To: ADVANCED-DOTNETDISCUSS.DEVELOP.COM
Subject: [ADVANCED-DOTNET] Unknown publisher and downloads

I'm not sure if this is the correct places to ask this but I
can't seem to
find a more appropriate venue.

We have an application that we sign with a strong name.

We are using a Setup project to build the installer.

If I double click the .msi on my machine, or copy it over
the network to a
different computer and run it, then it works fine.  No
warning about Unknown
Publisher appears.

However if I copy the file to our ftp server and download
via ftp or http
then when the file is double clicked an Unknown Publisher
warning is
presented.

If the file is compressed, copied up, downloaded, and then
uncompressed the
same error occurs.

I can't figure out what I need to do so that this Unknown
Publisher warning
will not appear when customers download our app from our
website.

Any help is appreciated.

===================================
This list is hosted by DevelopMentorŪ  http://www.develop.com

View archives and manage your subscription(s) at http://discuss.develop.com

Just so I'm clear, are you saying that it is because it is
downloaded that
it gives an "Unknown Publihser" warning?  Or are
we talking about different
warning?

The dialog says:

(title) Open File - Security Warning
The publisher could not be verified.  Are you sure you want
to run this
software?

Name: (the .msi file name)
Publisher: Unknown Publisher (in bold)
Type: Windows Installer Package
From: (path where the file is)


Assuming that we are talking about the same thing then I
presume you mean
signing our files as something separate from the
"Signing" tab in a VS
project's preferences.  Would you mind pointing me to where
I can get more
info on the signing you are referring to (this is not a
ClickOnce app).

Thanks for the help,
-Mont

On Dec 7, 2007 2:22 PM, Adam Sills <asills.dotnetgmail.com> wrote:

> The warning isn't about an unknown publisher, it's
about the file came
> from
> an untrusted source.
>
> I'm pretty sure this behavior was new to XP SP2.
Download any potentially
> executable file from the internet zone and it gets
marked with an
> alternate
> data stream in NTFS indicating it is untrusted and
requiring user
> approval.
> Right-click your file, go to properties and right on
the first tab
> (General)
> click the "Unblock" button.
>
> If you sign your files, the user will be presented with
your name instead
> of
> "Unknown Publisher" and they can increase
their trust level of your
> download.
>
> Adam..
>
> -----Original Message-----
> From: Discussion of advanced .NET topics.
> [mailto:ADVANCED-DOTNETDISCUSS.DEVELOP.COM] On
Behalf Of Mont Rothstein
> Sent: Friday, December 07, 2007 3:56 PM
> To: ADVANCED-DOTNETDISCUSS.DEVELOP.COM
> Subject: [ADVANCED-DOTNET] Unknown publisher and
downloads
>
> I'm not sure if this is the correct places to ask this
but I can't seem to
> find a more appropriate venue.
>
> We have an application that we sign with a strong
name.
>
> We are using a Setup project to build the installer.
>
> If I double click the .msi on my machine, or copy it
over the network to a
> different computer and run it, then it works fine.  No
warning about
> Unknown
> Publisher appears.
>
> However if I copy the file to our ftp server and
download via ftp or http
> then when the file is double clicked an Unknown
Publisher warning is
> presented.
>
> If the file is compressed, copied up, downloaded, and
then uncompressed
> the
> same error occurs.
>
> I can't figure out what I need to do so that this
Unknown Publisher
> warning
> will not appear when customers download our app from
our website.
>
> Any help is appreciated.
>
> ===================================
> This list is hosted by DevelopMentor(R)  http://www.develop.com
>
> View archives and manage your subscription(s) at
> http://discuss.develop.com

>

===================================
This list is hosted by DevelopMentorŪ  http://www.develop.com

View archives and manage your subscription(s) at http://discuss.develop.com

Yes. You're talking about this warning dialog:

http://files.surrealization.com/adam/SecurityWarning.jpg


This is caused by an alternate data stream in your NTFS file
that gets put
there by Explorer and Internet Explorer when downloading
executable files
from the internet zone. It has nothing to do with being
unsigned. Note that
my example above is a signed executable and shows the
signer. To see it on
your files, download from the internet, view Properties on
your file and
there will be an "Unblock" button on the General
tab.

http://www.google.com/search?q=a
lternate+data+stream+unblock&rls=com.microso
ft&ie=UTF-
8&oe=UTF-8&startIndex=&startPage=1

There is no way around this security warning when
downloading through
explorer and IE, so get used to it. The only thing you can
do is to increase
your customer trust in your software by signing it so your
name appears in
that box (like my example above).

To sign your file, you need a verifiable code signing
certificate and use
the signtool.exe ("signtool.exe signwizard" from
an SDK command prompt) tool
to sign your file(s). It can also be used from the command
prompt (if I
remember correctly, I don't sign any of my programs ).

Adam..

-----Original Message-----
From: Discussion of advanced .NET topics.
[mailto:ADVANCED-DOTNETDISCUSS.DEVELOP.COM] On Behalf Of Mont
Rothstein
Sent: Friday, December 07, 2007 4:50 PM
To: ADVANCED-DOTNETDISCUSS.DEVELOP.COM
Subject: Re: [ADVANCED-DOTNET] Unknown publisher and
downloads

Just so I'm clear, are you saying that it is because it is
downloaded that
it gives an "Unknown Publihser" warning?  Or are
we talking about different
warning?

The dialog says:

(title) Open File - Security Warning
The publisher could not be verified.  Are you sure you want
to run this
software?

Name: (the .msi file name)
Publisher: Unknown Publisher (in bold)
Type: Windows Installer Package
From: (path where the file is)


Assuming that we are talking about the same thing then I
presume you mean
signing our files as something separate from the
"Signing" tab in a VS
project's preferences.  Would you mind pointing me to where
I can get more
info on the signing you are referring to (this is not a
ClickOnce app).

Thanks for the help,
-Mont

On Dec 7, 2007 2:22 PM, Adam Sills <asills.dotnetgmail.com> wrote:

> The warning isn't about an unknown publisher, it's
about the file came
> from
> an untrusted source.
>
> I'm pretty sure this behavior was new to XP SP2.
Download any potentially
> executable file from the internet zone and it gets
marked with an
> alternate
> data stream in NTFS indicating it is untrusted and
requiring user
> approval.
> Right-click your file, go to properties and right on
the first tab
> (General)
> click the "Unblock" button.
>
> If you sign your files, the user will be presented with
your name instead
> of
> "Unknown Publisher" and they can increase
their trust level of your
> download.
>
> Adam..
>
> -----Original Message-----
> From: Discussion of advanced .NET topics.
> [mailto:ADVANCED-DOTNETDISCUSS.DEVELOP.COM] On
Behalf Of Mont Rothstein
> Sent: Friday, December 07, 2007 3:56 PM
> To: ADVANCED-DOTNETDISCUSS.DEVELOP.COM
> Subject: [ADVANCED-DOTNET] Unknown publisher and
downloads
>
> I'm not sure if this is the correct places to ask this
but I can't seem to
> find a more appropriate venue.
>
> We have an application that we sign with a strong
name.
>
> We are using a Setup project to build the installer.
>
> If I double click the .msi on my machine, or copy it
over the network to a
> different computer and run it, then it works fine.  No
warning about
> Unknown
> Publisher appears.
>
> However if I copy the file to our ftp server and
download via ftp or http
> then when the file is double clicked an Unknown
Publisher warning is
> presented.
>
> If the file is compressed, copied up, downloaded, and
then uncompressed
> the
> same error occurs.
>
> I can't figure out what I need to do so that this
Unknown Publisher
> warning
> will not appear when customers download our app from
our website.
>
> Any help is appreciated.
>
> ===================================
> This list is hosted by DevelopMentor(R)  http://www.develop.com
>
> View archives and manage your subscription(s) at
> http://discuss.develop.com

>

===================================
This list is hosted by DevelopMentorR  http://www.develop.com

View archives and manage your subscription(s) at http://discuss.develop.com


===================================
This list is hosted by DevelopMentorŪ  http://www.develop.com

View archives and manage your subscription(s) at http://discuss.develop.com

Thanks for bearing with me.

I believe I understand it all now.

Thanks,
-Mont


On Dec 7, 2007 3:43 PM, Adam Sills <asills.dotnetgmail.com> wrote:

> Yes. You're talking about this warning dialog:
>
> http://files.surrealization.com/adam/SecurityWarning.jpg

>
> This is caused by an alternate data stream in your NTFS
file that gets put
> there by Explorer and Internet Explorer when
downloading executable files
> from the internet zone. It has nothing to do with being
unsigned. Note
> that
> my example above is a signed executable and shows the
signer. To see it on
> your files, download from the internet, view Properties
on your file and
> there will be an "Unblock" button on the
General tab.
>
>
> http://www.google.com/search?q=a
lternate+data+stream+unblock&rls=com.microso
> ft&ie=UTF-
8&oe=UTF-8&startIndex=&startPage=1
>
> There is no way around this security warning when
downloading through
> explorer and IE, so get used to it. The only thing you
can do is to
> increase
> your customer trust in your software by signing it so
your name appears in
> that box (like my example above).
>
> To sign your file, you need a verifiable code signing
certificate and use
> the signtool.exe ("signtool.exe signwizard"
from an SDK command prompt)
> tool
> to sign your file(s). It can also be used from the
command prompt (if I
> remember correctly, I don't sign any of my programs
).
>
> Adam..
>
> -----Original Message-----
> From: Discussion of advanced .NET topics.
> [mailto:ADVANCED-DOTNETDISCUSS.DEVELOP.COM] On
Behalf Of Mont Rothstein
> Sent: Friday, December 07, 2007 4:50 PM
> To: ADVANCED-DOTNETDISCUSS.DEVELOP.COM
> Subject: Re: [ADVANCED-DOTNET] Unknown publisher and
downloads
>
> Just so I'm clear, are you saying that it is because it
is downloaded that
> it gives an "Unknown Publihser" warning?  Or
are we talking about
> different
> warning?
>
> The dialog says:
>
> (title) Open File - Security Warning
> The publisher could not be verified.  Are you sure you
want to run this
> software?
>
> Name: (the .msi file name)
> Publisher: Unknown Publisher (in bold)
> Type: Windows Installer Package
> From: (path where the file is)
>
>
> Assuming that we are talking about the same thing then
I presume you mean
> signing our files as something separate from the
"Signing" tab in a VS
> project's preferences.  Would you mind pointing me to
where I can get more
> info on the signing you are referring to (this is not a
ClickOnce app).
>
> Thanks for the help,
> -Mont
>
> On Dec 7, 2007 2:22 PM, Adam Sills
<asills.dotnetgmail.com> wrote:
>
> > The warning isn't about an unknown publisher, it's
about the file came
> > from
> > an untrusted source.
> >
> > I'm pretty sure this behavior was new to XP SP2.
Download any
> potentially
> > executable file from the internet zone and it gets
marked with an
> > alternate
> > data stream in NTFS indicating it is untrusted and
requiring user
> > approval.
> > Right-click your file, go to properties and right
on the first tab
> > (General)
> > click the "Unblock" button.
> >
> > If you sign your files, the user will be presented
with your name
> instead
> > of
> > "Unknown Publisher" and they can
increase their trust level of your
> > download.
> >
> > Adam..
> >
> > -----Original Message-----
> > From: Discussion of advanced .NET topics.
> > [mailto:ADVANCED-DOTNETDISCUSS.DEVELOP.COM] On
Behalf Of Mont Rothstein
> > Sent: Friday, December 07, 2007 3:56 PM
> > To: ADVANCED-DOTNETDISCUSS.DEVELOP.COM
> > Subject: [ADVANCED-DOTNET] Unknown publisher and
downloads
> >
> > I'm not sure if this is the correct places to ask
this but I can't seem
> to
> > find a more appropriate venue.
> >
> > We have an application that we sign with a strong
name.
> >
> > We are using a Setup project to build the
installer.
> >
> > If I double click the .msi on my machine, or copy
it over the network to
> a
> > different computer and run it, then it works fine.
 No warning about
> > Unknown
> > Publisher appears.
> >
> > However if I copy the file to our ftp server and
download via ftp or
> http
> > then when the file is double clicked an Unknown
Publisher warning is
> > presented.
> >
> > If the file is compressed, copied up, downloaded,
and then uncompressed
> > the
> > same error occurs.
> >
> > I can't figure out what I need to do so that this
Unknown Publisher
> > warning
> > will not appear when customers download our app
from our website.
> >
> > Any help is appreciated.
> >
> > ===================================
> > This list is hosted by DevelopMentor(R)  http://www.develop.com
> >
> > View archives and manage your subscription(s) at
> > http://discuss.develop.com

> >
>
> ===================================
> This list is hosted by DevelopMentorR  http://www.develop.com
>
> View archives and manage your subscription(s) at
> http://discuss.develop.com

>
> ===================================
> This list is hosted by DevelopMentor(R)  http://www.develop.com
>
> View archives and manage your subscription(s) at
> http://discuss.develop.com

>

===================================
This list is hosted by DevelopMentorŪ  http://www.develop.com

View archives and manage your subscription(s) at http://discuss.develop.com