In short
The "Unknown Publisher" warning appears when Windows can't confirm who created a program — either because the file isn't digitally signed, or because its signature is broken, expired, revoked, or from a certificate Windows doesn't trust. Signing the file with a valid code signing certificate from a trusted authority replaces "Unknown Publisher" with your verified organization name in that prompt. It's a separate problem from the SmartScreen "unrecognized app" warning, which is about download reputation rather than identity — so fixing one doesn't automatically clear the other.
If you've watched a user hesitate at the yellow prompt that calls your software "Unknown Publisher," you already know the cost: hesitation, support tickets, and the occasional abandoned install. The fix is more direct than most of the advice online suggests. Windows shows that warning because it can't verify who stands behind the file, and the answer is to give it a verifiable identity. My-SSL issues OV and EV code signing certificates that put your verified company name in the Windows prompt instead of "Unknown Publisher." The rest of this guide covers exactly what triggers the warning, why it sometimes survives signing, and how it differs from the SmartScreen warning it's constantly confused with.
What triggers the warning
Windows shows "Unknown Publisher" whenever it's about to run an executable — usually an installer or a program asking for administrator rights — and can't tie that file to a verified identity. In practice, that comes down to one of two situations: the file carries no digital signature at all, or it has a signature Windows won't accept. Either way, the prompt is Windows saying it doesn't know who to hold responsible for the code.
You'll meet it most often in the User Account Control (UAC) dialog — the elevation prompt that asks whether to let an app make changes to your device — and in the older "Open File - Security Warning" box that appears when you run something downloaded from the internet. In both, a signed program shows a named, verified publisher, while an unverified one falls back to the "Unknown Publisher" label.
The specific triggers are worth naming, because "just sign it" doesn't cover all of them:
- No signature at all. The build never ran a signing step, so there's nothing for Windows to check. This is the most common case for in-house tools and first releases.
- A broken signature. The file was signed, then edited, repacked, or patched afterward, so its contents no longer match the signed hash.
- An untrusted certificate. The file is signed, but with a self-signed or private certificate that other machines have no reason to trust.
- An expired or revoked certificate. The certificate was valid once but has lapsed or been pulled, and without a timestamp the signature lapses with it.
'Unknown Publisher' vs the SmartScreen warning
These are two separate warnings with two separate causes, and mixing them up is why so many fixes disappoint. The "Unknown Publisher" prompt is about identity: it asks whether the file is signed by someone Windows can verify. SmartScreen's "Windows protected your PC" message is about reputation: it asks whether this exact file has been downloaded and run enough to be treated as known-good. A certificate answers the first question. Nothing but time and safe usage answers the second.
That distinction has a practical edge. Sign a brand-new installer and the UAC dialog will proudly show your company name — no more "Unknown Publisher" — yet the same download can still hit a SmartScreen screen on its first day, because reputation starts from zero for every new file. If the warning you're fighting is the full-screen blue "unrecognized app" one, our guide to how SmartScreen publisher reputation works explains what actually clears it. This article stays on the identity side: the yellow "Unknown Publisher" label.
How a code signing certificate fixes it
Code signing attaches two things to your file: a cryptographic hash of its contents and a digital signature made with a private key that belongs to a certificate a certificate authority issued to your verified organization. When Windows runs the file, it recomputes the hash, checks the signature, and follows the certificate up to a root it already trusts. If all three hold, the "Unknown Publisher" label is replaced by the name the CA confirmed — so the fix is identity, delivered cryptographically.
The mechanics matter because of where the private key has to live. Since June 1, 2023, every publicly trusted code signing key must be generated and held on certified hardware — a qualifying token or HSM — or in a certified cloud signing service, and it can't be exported as a plain file. That raised the floor on security, and it's why a modern certificate ships as a cloud signing session or a hardware token rather than a downloadable .pfx. My-SSL issues both OV and EV code signing certificates with cloud signing through SimplySign, so you can sign without shipping a physical token around the team.
Signing itself is a single command once the certificate is in place. On Windows, that's SignTool with a SHA-256 file digest and an RFC 3161 timestamp; our step-by-step SignTool guide walks through the exact invocation and how to verify the result before you ship.
Why it can still appear after you sign
A signature Windows can't fully validate is treated as no signature at all, so a signed file can still show "Unknown Publisher." The good news is that the reasons are finite and each has a clear cause. Run signtool verify /pa /v against your file and the tool will usually point straight at the one that's failing.
- A broken certificate chain. The signing certificate is fine, but the intermediate that links it to a trusted root wasn't embedded, so validation stops short. This is the same class of problem as a broken SSL certificate chain, just on the code signing side.
- An expired certificate with no timestamp. Without an RFC 3161 timestamp, a signature dies the moment the certificate expires. Timestamping is what keeps an old release trusted long after the certificate lapses — our guide to code signing timestamps covers why it's non-negotiable.
- A SHA-1 signature. Modern Windows treats SHA-1-signed code as effectively unsigned. Sign with a SHA-256 file digest instead.
- A revoked certificate. If the CA revoked the certificate — after a key compromise, say — every signature that isn't protected by an earlier timestamp stops validating.
- The file changed after signing. Any post-signing edit — a patched resource, a re-zipped installer — breaks the hash, and a hash that doesn't match reads as a missing signature.
Which certificate you need — and what EV won't do
For the "Unknown Publisher" prompt specifically, any valid code signing certificate from a publicly trusted CA does the job: OV (Standard) and EV both put your verified name in the dialog the instant the file is signed. There's no tier you have to buy to clear this particular warning — you need a trusted certificate and a correct signature, nothing more.
Where the choice matters is the other warning. It's tempting to reach for EV on the assumption it skips SmartScreen, and that used to be true — but Microsoft removed EV's automatic reputation advantage in August 2024, and EV-signed files now build SmartScreen reputation the same way OV files do. So pick EV for its stricter identity vetting and hardware requirements, not as a shortcut past the blue "unrecognized app" screen. Our OV vs EV code signing explainer lays out what each level actually buys you today.
For most developers the practical path is a Standard OV certificate to remove "Unknown Publisher" immediately, paired with timestamping and a consistent signing setup so reputation can accrue over time. When you're ready to sign, My-SSL's code signing certificates come with cloud signing via SimplySign, which keeps the key on certified infrastructure without a token to manage.
The bottom line
"Unknown Publisher" is an identity problem, and identity is exactly what a code signing certificate provides: sign your software with a trusted certificate, using SHA-256 and a timestamp, and Windows shows your verified name instead of a warning. Keep it separate in your head from SmartScreen, which only accumulated downloads can settle. As a Certum partner, My-SSL issues OV and EV code signing certificates with cloud signing via SimplySign, so the identity half is something you can fix today.