Problems with New Code Signing Cert

I’ve been using a Comodo code signing cert to sign my company’s Windows executables and installs for the last few years without any problems; .pvk and .spc files were generated after receiving the original cert, and these were applied via X2NetSignCode.exe as part of the build process.

Recently the cert we’d been using expired, so a new one was purchased, .pvk and .spc files re-extracted, and we tried to carry on as before.

However, while everything looks like it’s worked at file level (the cert shows up in the signed files’ “Digital Signature” tab, has the correct dates for validity, and has a status of OK), when you run a signed install under a clean Windows 7 VM it comes up with “Unknown publisher” in the “Are you sure?” dialog. However, bring up the cert details for the installer file and try to run it again, and you get the correct company name listed.

Comparing an old file signed with the original cert to a new one, the only difference I can see (other than expected ones for dates, serial numbers, etc…) is that the old file’s certification path only has two items; USERTrust at the top and our code signing cert directly under it. A file signed with the new cert has an intermediate “COMODO Code Signing CA 2” item between USERTrust and our cert.

Any suggestions for the cause of this new behaviour (and how to stop it!) would be very welcome!

For anyone else that runs into this, problem solved. The mistake I’d made was at the very first stage, when exporting the new cert from my local Windows into a .pfx file - I’d failed to set the “Include all certificates in the certification path if possible” flag.

Export with the flag set, redo the conversion to .pvk/.spc, and the publisher of signed installation files is correctly identified from the outset.
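As an added diagnostic, not part of the original post: the script below extracts the Authenticode PKCS#7 blob from a signed PE, lists the certificates embedded in it, and walks the signer's issuer chain using only those embedded certificates plus the local trusted-root store. An intermediate that was left out of the export (the "COMODO Code Signing CA 2" case above) surfaces as `MissingIssuer`. It assumes Windows PowerShell 5.1 and a placeholder path `C:\build\setup.exe`.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.1 on Windows.
Add-Type -AssemblyName System.Security   # provides System.Security.Cryptography.Pkcs.SignedCms

function Get-EmbeddedSigningChain {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # e_lfanew at 0x3C points at "PE\0\0"; the optional header follows the 20-byte COFF header.
    $optOff = [BitConverter]::ToUInt32($bytes, 0x3C) + 24
    $magic  = [BitConverter]::ToUInt16($bytes, $optOff)           # 0x10B = PE32, 0x20B = PE32+
    # Data directories start at +96 (PE32) or +112 (PE32+); entry 4 is IMAGE_DIRECTORY_ENTRY_SECURITY.
    $secEntry = $optOff + $(if ($magic -eq 0x20B) { 112 } else { 96 }) + 4 * 8
    $secOff  = [BitConverter]::ToUInt32($bytes, $secEntry)        # a raw file offset, not an RVA
    $secSize = [BitConverter]::ToUInt32($bytes, $secEntry + 4)
    if ($secSize -eq 0) { throw "$Path carries no Authenticode signature" }

    # WIN_CERTIFICATE header is 8 bytes (dwLength, wRevision, wCertificateType); the PKCS#7 DER follows.
    $der = New-Object byte[] ($secSize - 8)
    [Array]::Copy($bytes, $secOff + 8, $der, 0, $der.Length)
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($der)
    $embedded = @($cms.Certificates)
    $roots    = @(Get-ChildItem Cert:\LocalMachine\Root)

    # Walk issuer links offline: every issuer must be embedded in the signature or be a trusted root.
    # Nothing is fetched from the network, which mirrors what a clean VM sees at first run.
    $current = $cms.SignerInfos[0].Certificate
    $path    = @($current.Subject)
    $missing = $null
    while ($current.Subject -ne $current.Issuer) {
        $issuer = ($embedded + $roots) | Where-Object { $_.Subject -eq $current.Issuer } | Select-Object -First 1
        if (-not $issuer) { $missing = $current.Issuer; break }
        $path   += $issuer.Subject
        $current = $issuer
    }

    [pscustomobject]@{
        Signer           = $cms.SignerInfos[0].Certificate.Subject
        EmbeddedSubjects = $embedded | ForEach-Object { $_.Subject }
        OfflinePath      = $path
        MissingIssuer    = $missing      # non-null is the condition behind the "Unknown publisher" prompt
    }
}

Get-EmbeddedSigningChain -Path 'C:\build\setup.exe'   # placeholder path; point it at a signed installer
```

Run it against an installer signed before and after re-exporting with the "Include all certificates in the certification path" flag: the fixed file lists the intermediate under EmbeddedSubjects and reports no MissingIssuer.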