What Is an Unknown Publisher Warning & Why Should You Care?
Home » What Is an Unknown Publisher Warning & Why Should You Care?
(3 votes, average: 5.00 out of 5)
Many malicious programs come from unknown or unverified publishers. But why is software from an unknown publisher dangerous? And why should you only download software from trusted publishers?
When you buy or download software, you likely assume that it’s safe. But when an unknown publisher warning pops up on your screen, you quickly realize that’s not always the case. This is why it’s important to only install software that comes from a verified publisher — never one that’s unverified or unknown.
But what is an unknown publisher? And why is knowing who the software publisher is important?
An Unknown Publisher Warning Is Your Computer’s Way of Yelling “Stranger Danger!”
An unknown publisher is a software creator whose identity isn’t verified by your device’s operating system (such as Windows or MacOS) or web browser (like Google Chrome). They differ from a verified publisher, who is someone that takes extra steps to ensure their software and apps are trusted by your device and browser.
Say, a friend sends you a link to their favorite “shareware” website so you can download a cool new free game onto your computer. When you attempt to download the file from an unknown publisher, you might see a warning like this in your browser:
When you attempt to install the application, you’ll see a strange message pop up from your Windows operating system:
This is an example of a Windows User Account Control (UAC) alert that triggers when an application requests access privileges to your device.
This alert is your computer’s way of warning you that the software may not be safe to install and that you must proceed with caution. Another unknown publisher warning message that you might see comes from Microsoft Defender (Windows’ built-in antivirus program), which looks like this:
A screenshot of a Windows Defender SmartScreen unknown publisher warning message.
Does that mean you should just ignore these messages and install the software anyway? No way! It’s important that you only download and install software that comes from a verified publisher.
But why is installing software from an unknown publisher such a bad idea? Because it puts you at risk of cyber attack and data theft.
Software from Unknown Publishers Puts Your Device’s Health & Security at Risk
If you’re walking along the street and see a piece of candy laying on the ground, would you pick it up and eat it? Hopefully not! After all, it’s dirty or germy and might make you sick. Instead, it’s best to only eat candy that one of your parents (or someone else you trust) gives to you, or that you buy from the store yourself.
This same concept also applies to computer and internet security — and this is why you should only download software that comes from a known, verified publisher. Ignoring a security warning and installing software from an unverified publisher is dangerous (more on that momentarily).
So, what does it look like when you try to install an app from a known (verified) publisher? Do you see the difference between the example above and the ones we shared earlier?
A side-by-side comparison of two Windows UAC warning messages. The left message displays an unknown publisher warning, whereas the right message displays a verified publisher notification.
The first message warns you that the software may be dangerous and is requesting access to your device. The second message still checks whether you want to give the application access to your device, but it also informs you that the company that published the software is legitimate.
Never Just Ignore an Unknown Publisher Warning
The difference between the two is like inviting a stranger into your house versus a friend — one is someone you know and trust while the other is a potential threat. Trust and identity are integral to your personal and digital security.
Giving any untrusted applications access leaves your device open to attack by cybercriminals. They can use malicious software to:
Steal your username and passwords,
Install malware onto your device,
Control your device as part of a botnet (a network of infected devices), or
Steal personal data they can use to carry out other types of cyber crimes.
This is why you must make an informed decision when deciding whether to install software from an unknown or unverified publisher:
Double-check to ensure you’re downloading software from a legitimate source.
Do in-depth research on the software and its publisher to verify it’s legitimate and safe.
Talk with your parents and get their permission to install the application if you’re under 18.
All of this may leave you wondering why some programs are labeled as coming from an “unknown publisher” while others say they’re from a “verified publisher.” The difference boils down to the software creator undergoing an important background check that verifies their identity.
Verified vs Unknown Publishers: Identity Matters
On the internet, your digital identity is important. It’s like the digital equivalent of your school ID card or a driver’s license — it’s a trusted, verifiable way to prove to others that you’re you and not an imposter.
The process of becoming a verified publisher is kind of like the steps teachers go through to work at a school. Each teacher has to undergo an important background check by a trusted third party (in this case, the school district). This process allows the state to verify that the teacher is who they say they are and that they’re trustworthy enough to teach students.
In much the same way, if a software developer or publisher wants to be trusted by Windows operating systems or major browsers like Chrome and Firefox, they also have to undergo a background check. But instead of your school district checking out different personal and employment records, another trusted third party (a certificate authority, or CA) checks to make sure the software creator or their company is legitimate. When the process is complete, and the CA is satisfied that the software creator or company is legitimate, they issue a code signing certificate.
A Code Signing Certificate Is Like an Official Stamp That Says Software Is Trustworthy
A code signing certificate is a digital file that helps software developers gain the trust of browsers, operating systems and users (like you) by digitally signing their software or firmware. The way it works is that the software creator installs the certificate onto their computer. Whenever they create new software that they want to publish, they create it on that device and then use that certificate to apply something called a digital signature.
We won’t get into all the technical mumbo-jumbo on how digital signatures work, but the takeaway here is that the digital signature makes it so that you know:
The verified identity of the publisher, and
Whether the software has been altered or modified since the software created signed it.
This digital signature is a way for your device’s OS to recognize when something’s been modified. If a bad guy tries to change the code of a digitally signed app, your operating system will recognize that something is wrong and prevent the app from running or display a warning.
Not All Code Signing Certificates Are the Same…
Code signing certificates come with two main levels of verification:
Standard validation — This process results in the issuance of a standard code signing certificate (also known as an organization validation or OV code signing certificate). This verification process involves checking some basic company information (name, location, phone number, etc.).
Extended validation — This process, which is more involved process and requires a CA to dive into more specific company information, results in the issuance of an EV code signing certificate. Signing software using this type of certificate requires using a special piece of hardware that proves the signer’s identity.
The main difference between the two certificates lies in inherent trust for the Windows Defender SmartScreen messages. Trying to install software that’s signed by a lesser-known publisher will result in a Microsoft Defender SmartScreen security message popping up. But software that’s signed by an EV code signing certificate is trusted immediately, so it won’t trigger this warning message.
This brings us to our next point: How do you know whether an application is signed by one of these certificates or that the signer is trustworthy? You can check it yourself!
How to Check a Program’s Verified Publisher Details
When you download an application, be sure to check the .exe file’s digital signature and timestamping details before starting the installation process. You can do this through the following steps:
Right-click on the file and select the Properties This will open a window that looks like this:
Next, select the Digital Signatures tab at the top. This new window displays the name of the signer, their email address, and the precise date and time when the software was signed (via timestamping). To move on to the next step, press the Details button:
In the Digital Signature Details window, select the View Certificate button to open a new window. (This next screen will display more in-depth information about the certificate):
Select the Details tab in the top menu and then click the Subject listing in the main window. Here, you’ll see that the certificate was issued to Skype Software Sarl, which is part of Microsoft Corporation, which is based in Redmond, Washington (United States).
You can verify the company information listed in this certificate against the official Microsoft website to verify its legitimacy.
Final Thoughts on Unknown Publisher Warnings
Not all unsigned software is necessarily bad or malicious. However, intentionally bypassing the Windows unknown publisher warning to install software from an unverified publisher can be dangerous and puts your device and data at risk. It’s our hope that you leave this article with one important takeaway: only install software applications from trusted, verified publishers.
Cloud Signing Account Access
New users – if this is your first time purchasing a cloud signing product from us, check the email address entered during enrollment for a message from DigiCert. Create your password and follow this guide.
Existing users – if you’ve purchased a cloud signing certificate in this account before, you already have an account. We’ve update your DigiCert CertCentral account to allow another Code Signing Certificate request. Login to your account here.
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Token + Shipping
This is the simplest option and what we recommend for most customers. DigiCert will ship a USB eToken to you, then you’ll use DigiCert’s provided software to download and install the certificate onto your USB Token.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Use an Existing Token
If you already own a compatible USB eToken (SafeNet 5110 CC, SafeNet 5110 FIPS, or SafeNet 5110+ FIPS), you can use DigiCert’s provided software to download and install the certificate onto your USB token.
Advanced Option: Install on a Hardware Security Module (HSM)
If you use a cloud or on-prem hardware security module (HSM), you can choose this option to download and install your certificate onto your HSM. DigiCert will send you an email asking you to confirm that your HSM meets the security standards, then they’ll deliver the certificate to you digitally for installation.
Any FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent HSM is compatible for this option. You can use an HSM you manage directly or you may use a key storage/vault solution that uses a compliant HSM (for example, Azure Key Vault or AWS KMS).
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Get your certificate shipped from Sectigo on a USB token
This is the simplest option and what we recommend for most customers. Just choose one of these options to have your code signing certificate and key shipped to you on a FIPS-compliant eToken (USB token):
Delivery Option
Shipping Details
USB Token + Shipping (US)
Ground shipping to addresses within the United States.
USB Token + Expedited Shipping (US)
Air express shipping to addresses within the United States.
USB Token + International Shipping (non-US)
Choose this option if your shipping address is not in the United States.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Advanced Option: Install on your own HSM or hardware token
If you already own a compliant token or HSM, you can choose this option to download and install the certificate onto your supported device:
Luna Network Attached HSM V7.x
YubiKey 5 FIPS Series
Only the listed models are compatible. For compatibility with other HSM models, please choose a DigiCert or GoGetSSL code signing certificate.
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Get your certificate shipped from Comodo CA on a USB token
This is the simplest option and what we recommend for most customers. Just choose one of these options to have your code signing certificate and key shipped to you on a FIPS-compliant eToken (USB token):
Delivery Option
Shipping Details
USB Token + Shipping (US)
Ground shipping to addresses within the United States.
USB Token + Expedited Shipping (US)
Air express shipping to addresses within the United States.
USB Token + International Shipping (non-US)
Choose this option if your shipping address is not in the United States.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Advanced Option: Install on your own HSM or hardware token
If you already own a compliant token or HSM, you can choose “Install on Existing HSM” to download and install the certificate onto your supported device:
Luna Network Attached HSM V7.x
YubiKey 5 FIPS Series
Only the listed models are compatible. For compatibility with other HSM models, please choose a DigiCert or GoGetSSL code signing certificate.
Email Us
+1 (727) 291-0611
Chat Now
