What Is an Unknown Publisher Warning & Why Should You Care?
Many malicious programs come from unknown or unverified publishers. But why is software from an unknown publisher dangerous? And why should you only download software from trusted publishers?
When you buy or download software, you likely assume that it’s safe. But when an unknown publisher warning pops up on your screen, you quickly realize that’s not always the case. This is why it’s important to only install software that comes from a verified publisher — never one that’s unverified or unknown.
But what is an unknown publisher? And why is knowing who the software publisher is important?
An Unknown Publisher Warning Is Your Computer’s Way of Yelling “Stranger Danger!”
An unknown publisher is a software creator whose identity isn’t verified by your Windows operating system or web browser (e.g., Microsoft Edge). They differ from a verified publisher — someone who takes extra steps to ensure their software and apps are trusted by your device and browser.
Say a friend sends you a link to their favorite “shareware” website so you can download a cool new free game onto your computer. When you attempt to download the file from an unknown publisher, you might see a warning like this in your browser:
When you attempt to install the application, you’ll see a strange message pop up from your Windows operating system:
This is an example of a Windows User Account Control (UAC) alert that triggers when an application requests access privileges to your device.
This alert is your computer’s way of warning you that the software may not be safe to install and that you must proceed with caution. Another unknown publisher warning message that you might see comes from Microsoft Defender (Windows’ built-in security feature), which looks like this:
A screenshot of a Windows Defender SmartScreen unknown publisher warning message.
Does that mean you should just ignore these messages and install the software anyway? No way! It’s important that you only download and install software that comes from a verified publisher.
But why is installing software from an unknown publisher such a bad idea? Because it puts you at risk of cyber attack and data theft.
Software from Unknown Publishers Puts Your Device’s Health & Security at Risk
If you’re walking along the street and see a piece of candy on the ground, would you pick it up and eat it? Hopefully not! After all, it’s dirty or germy and might make you sick. Instead, it’s best to only eat candy that one of your parents (or someone else you trust) gives to you, or that you buy from the store yourself.
This same concept also applies to computer and internet security, which is why you should only download software from a known, verified publisher. Ignoring a security warning and installing software from an unverified publisher is dangerous (more on that momentarily).
So, what does it look like when you try to install an app from a known (verified) publisher? See the difference by comparing the example we shared earlier to one from a digitally signed software executable that we’ve put side-by-side below:
The first message (left) warns you that the software is requesting access to your device and may be dangerous. The second message (right) still checks whether you want to give the application access to your device, but it also informs you that the company that published the software is legitimate.
Never Just Ignore an Unknown Publisher Warning
The difference between the two is like inviting a stranger into your house versus a friend — one is someone you know and trust while the other is a potential threat. Trust and identity are integral to your personal and digital security.
Giving any untrusted applications access leaves your device open to attack by cybercriminals. They can use malicious software to do any or all of the following:
Steal your username and passwords
Install malware onto your device (and use that as a foot in the door to gain access to your larger network)
Control your device as part of a botnet (a network of infected devices)
Steal personal data they can use to carry out other types of cyber crimes
This is why you must make an informed decision when deciding whether to install software from an unknown or unverified publisher:
Double-check to ensure you’re downloading software from a legitimate source.
Do in-depth research on the software and its publisher to verify it’s legitimate and safe.
Get your parents’ permission to install the application if you’re under 18.
All of this may leave you wondering why some programs are labeled as coming from an “unknown publisher” while others say they’re from a “verified publisher.” The difference is that the software creator undergoes an important background check that verifies their identity.
Verified vs Unknown Publishers: Identity Matters
On the internet, your digital identity is important. It’s like the digital equivalent of your school ID card or a driver’s license — it’s a trusted, verifiable way to prove to others that you’re you and not an imposter.
The process of becoming a verified publisher is kind of like the steps teachers go through to work at a school. Each teacher has to undergo an important background check by a trusted third party (in this case, the school district). This process allows the state to verify that the teacher is who they say they are and that they’re trustworthy enough to teach students.
In much the same way, if a software developer or publisher wants to be trusted by Windows operating systems or the Edge browser, they also have to undergo a background check. But instead of your school district checking out different personal and employment records, another trusted third party (a certificate authority, or CA) checks to make sure the software creator or their company is legitimate.
When the process is complete, and the CA is satisfied that the software creator or company is legitimate, they issue a code signing certificate.
A Code Signing Certificate Is Like an Official Stamp That Says Software Is Trustworthy
A code signing certificate is a digital file that helps software developers gain the trust of browsers, operating systems, and users (like you) by digitally signing their software or firmware. The way it works is that the software creator installs the certificate onto their computer. Whenever they create new software that they want to publish, they create it on that device and then use that certificate to apply something called a digital signature.
We won’t get into all the technical mumbo-jumbo on how digital signatures work, but the takeaway here is that the digital signature makes it so that you know:
The verified identity of the publisher, and
Whether the software has been altered or modified since the software creator signed it.
This digital signature is a way for your device’s OS to recognize when something’s been modified. If a bad guy tries to change the code of a digitally signed app, your operating system will recognize that something is wrong and prevent the app from running or display a warning.
Not All Code Signing Certificates Are the Same…
Code signing certificates come with two main levels of verification:
Standard validation — This process results in the issuance of a standard code signing certificate (also known as an organization validation or OV code signing certificate). This verification process involves checking some basic company information (name, location, phone number, etc.).
Extended validation — This more involved identity verification process, which requires a CA to dive into more specific company information, results in the issuance of an EV code signing certificate.
Signing software using either type of code signing certificate requires the private key to be stored on secure hardware. Each code signing certificate’s private key will be generated on a secure hardware token (provided by the issuing CA).
This brings us to our next point: How do you know whether an application is signed by one of these publicly trusted certificates or that the signer is trustworthy? You can check it yourself!
How to Check a Program’s Verified Publisher Details
When you download an application, be sure to check the .exe file’s digital signature and timestamping details before starting the installation process. You can do this through the following steps:
Right-click on the file and select Properties. This will open a window that looks like this:
Next, select the Digital Signatures tab at the top. This new window displays the name of the signer, their email address, and the precise date and time when the software was signed (via timestamping). To move on to the next step, press the Details button:
In the Digital Signature Details window, select the View Certificate button to open a new window. (This next screen will display more in-depth information about the certificate):
Select the Details tab in the top menu and then click the Subject listing in the main window. Here, you’ll see that the certificate was issued to Skype Software Sarl, part of Microsoft Corporation, based in Redmond, Washington (United States).
You can verify the company information listed in this certificate against the official Microsoft website to verify its legitimacy.
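The two things the article says a digital signature gives you, the signer’s verified identity and proof that the file has not changed since it was signed, can both be checked from PowerShell as well as from the Properties dialog. The following is an added example, not code from the original article: it uses the built-in Get-AuthenticodeSignature cmdlet to print the signer, issuer and timestamp details for a file, and then shows the “altered since it was signed” case by checking a modified copy of the same file. The installer path at the bottom is an assumed placeholder.

```powershell
# Added example (not from the original article): inspect an executable's
# Authenticode signature, then show how a modified copy fails verification.

function Show-PublisherDetails {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status is one of Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
    # SignatureType tells you whether the signature is embedded in the file
    # (Authenticode) or comes from a Windows catalog file (Catalog).
    [pscustomobject]@{
        File          = Split-Path -Leaf $Path
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        SignatureType = $sig.SignatureType
        Publisher     = $sig.SignerCertificate.Subject      # the "Issued to" field
        IssuedBy      = $sig.SignerCertificate.Issuer       # the CA that vetted the publisher
        NotAfter      = $sig.SignerCertificate.NotAfter
        Timestamped   = [bool]$sig.TimeStamperCertificate
        Timestamper   = $sig.TimeStamperCertificate.Subject
    }
}

function Test-TamperDetection {
    param([Parameter(Mandatory)][string]$Path)

    # Work on a copy in the temp directory so the original file stays untouched.
    $copy = Join-Path $env:TEMP ("modified-" + (Split-Path -Leaf $Path))
    Copy-Item -Path $Path -Destination $copy -Force

    $before = (Get-AuthenticodeSignature -FilePath $copy).Status

    # Append a few bytes after the end of the file. The Authenticode hash covers
    # the whole file apart from the checksum field and the certificate table,
    # so any change outside the certificate table no longer matches the
    # hash that was signed.
    $stream = [System.IO.File]::Open($copy, [System.IO.FileMode]::Append)
    try {
        $bytes = [System.Text.Encoding]::ASCII.GetBytes("tamper-test")
        $stream.Write($bytes, 0, $bytes.Length)
    } finally {
        $stream.Dispose()
    }

    $after = (Get-AuthenticodeSignature -FilePath $copy).Status
    Remove-Item -Path $copy -Force

    [pscustomobject]@{ Before = $before; After = $after }
}

# Assumed placeholder path; replace with the installer you actually downloaded.
$installer = 'C:\Users\you\Downloads\SkypeSetup.exe'
Show-PublisherDetails -Path $installer | Format-List
Test-TamperDetection -Path $installer
```

Run it in a PowerShell session on the machine where the file was downloaded. For an installer that carries an embedded Authenticode signature, the copy’s status changes from Valid to HashMismatch once bytes have been appended, which is the condition that makes Windows warn about or refuse to run an altered signed app. Windows system files are often catalog-signed rather than embedded-signed (SignatureType shows Catalog); a modified copy of one of those reports NotSigned instead, because its hash no longer matches any catalog entry. A Valid status tells you the certificate chain checks out; it is still worth comparing the Publisher field against the vendor’s published company name, as the article does for Skype Software Sarl.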
Final Thoughts on Unknown Publisher Warnings
Not all unsigned software is necessarily bad or malicious. However, intentionally bypassing the Windows unknown publisher warning to install software from an unverified publisher can be dangerous and may put your device and data at risk.
It’s our hope that you leave this article with the two following important takeaways:
Users: Only install software applications from trusted, verified publishers.
Software developers/publishers: Only release and distribute software that you’ve signed using a publicly trusted code signing certificate.
Cloud Signing Account Access
New users – if this is your first time purchasing a cloud signing product from us, check the email address entered during enrollment for a message from DigiCert. Create your password and follow this guide.
Existing users – if you’ve purchased a cloud signing certificate in this account before, you already have an account. We’ve updated your DigiCert CertCentral account to allow another Code Signing Certificate request. Log in to your account here.
Suspension Note
In order to comply with U.S. export control and economic sanctions laws and regulations, as well as our corporate policies, we do not support users accessing our applications from Cuba, Iran, North Korea, Syria, and the regions of Crimea, Donetsk People’s Republic (DNR) and Luhansk People’s Republic (LNR) of Ukraine without prior approval from the U.S. government.
Please be aware that these restrictions apply even when a user is on temporary travel to embargoed regions although the user may not normally reside there. If you believe that you have reached this page in error, please reach out to support.
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Token + Shipping
This is the simplest option and what we recommend for most customers. DigiCert will ship a USB eToken to you, then you’ll use DigiCert’s provided software to download and install the certificate onto your USB Token.
You’ll be able to plug the USB token into your computer or server and then sign files using your preferred tool (e.g., SignTool.exe, JarSigner, etc.).
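As an added example (not part of the vendor page) of the signing step just described, the PowerShell snippet below signs an executable with SignTool from the Windows SDK using a certificate whose private key lives on the plugged-in USB token, adds an RFC 3161 timestamp, and verifies the result. The file name, the certificate subject name, and the assumption that signtool.exe is on the PATH are placeholders.

```powershell
# Added example: sign and verify an executable with SignTool using a token-resident key.
# Assumptions: signtool.exe (Windows SDK) is on the PATH, the token's middleware
# (e.g. SafeNet Authentication Client) is installed so the certificate shows up in the
# user's certificate store, and -SubjectName matches the certificate's CN.

function Invoke-TokenSign {
    param(
        [Parameter(Mandatory)][string]$File,
        [Parameter(Mandatory)][string]$SubjectName,
        [string]$TimestampUrl = 'http://timestamp.digicert.com'  # RFC 3161 timestamp server
    )

    # /fd SHA256 : hash the file with SHA-256 (SHA-1 file digests are deprecated)
    # /td SHA256 : ask the timestamp server for a SHA-256 timestamp
    # /tr URL    : RFC 3161 timestamp server, so the signature stays valid after the
    #              certificate itself expires
    # /n  name   : pick the certificate whose subject contains this name; the private
    #              key never leaves the token, and the token middleware prompts for the PIN
    # /v         : verbose output showing which certificate was used
    & signtool.exe sign /fd SHA256 /td SHA256 /tr $TimestampUrl /n $SubjectName /v $File
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

    # /pa : verify against the default Authenticode policy. Without /pa, signtool applies
    #       the Windows driver-signing policy and a valid application signature can be
    #       reported as failing. /v prints the signer and timestamp chain.
    & signtool.exe verify /pa /v $File
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
}

# Placeholder values; replace with your installer and the CN printed on your certificate.
Invoke-TokenSign -File '.\MyApp-Setup.exe' -SubjectName 'Example Software Ltd'
```

Because the key is generated on the token and cannot be exported, the same command works from any machine that has the token plugged in and the middleware installed, and a stolen copy of the build server does not yield a usable signing key. The timestamp is what lets users keep seeing a verified publisher after the certificate’s validity period ends.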
Use an Existing Token
If you already own a compatible USB eToken (SafeNet 5110 CC, SafeNet 5110 FIPS, or SafeNet 5110+ FIPS), you can use DigiCert’s provided software to download and install the certificate onto your USB token.
Advanced Option: Install on a Hardware Security Module (HSM)
If you use a cloud or on-prem hardware security module (HSM), you can choose this option to download and install your certificate onto your HSM. DigiCert will send you an email asking you to confirm that your HSM meets the security standards, then they’ll deliver the certificate to you digitally for installation.
Any FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent HSM is compatible for this option. You can use an HSM you manage directly or you may use a key storage/vault solution that uses a compliant HSM (for example, Azure Key Vault or AWS KMS).
Code Signing Certificate Delivery Options
Easiest Option: Get your certificate shipped from Sectigo on a USB token
This is the simplest option and what we recommend for most customers. Just choose one of these options to have your code signing certificate and key shipped to you on a FIPS-compliant eToken (USB token):
Delivery Option / Shipping Details
USB Token + Shipping (US): Ground shipping to addresses within the United States.
USB Token + Expedited Shipping (US): Air express shipping to addresses within the United States.
USB Token + International Shipping (non-US): Choose this option if your shipping address is not in the United States.
You’ll be able to plug the USB token into your computer or server and then sign files using your preferred tool (e.g., SignTool.exe, JarSigner, etc.).
Advanced Option: Install on your own HSM or hardware token
If you already own a compliant token or HSM, you can choose this option to download and install the certificate onto your supported device:
Luna Network Attached HSM V7.x
YubiKey 5 FIPS Series
Only the listed models are compatible. For compatibility with other HSM models, please choose a DigiCert or GoGetSSL code signing certificate.
Code Signing Certificate Delivery Options
Easiest Option: Get your certificate shipped from Comodo CA on a USB token
This is the simplest option and what we recommend for most customers. Just choose one of these options to have your code signing certificate and key shipped to you on a FIPS-compliant eToken (USB token):
Delivery Option / Shipping Details
USB Token + Shipping (US): Ground shipping to addresses within the United States.
USB Token + Expedited Shipping (US): Air express shipping to addresses within the United States.
USB Token + International Shipping (non-US): Choose this option if your shipping address is not in the United States.
You’ll be able to plug the USB token into your computer or server and then sign files using your preferred tool (e.g., SignTool.exe, JarSigner, etc.).
Advanced Option: Install on your own HSM or hardware token
If you already own a compliant token or HSM, you can choose “Install on Existing HSM” to download and install the certificate onto your supported device:
Luna Network Attached HSM V7.x
YubiKey 5 FIPS Series
Only the listed models are compatible. For compatibility with other HSM models, please choose a DigiCert or GoGetSSL code signing certificate.