Skip to main content
    Code Signing

    The 'Unknown Publisher' Warning: Why It Appears and How to Fix It

    The 'Unknown Publisher' warning means Windows can't verify who signed an app. Why it appears, how it differs from SmartScreen, and how to fix it.

    MS
    My-SSL Security Team
    ·
    11 min read
    ·
    Published July 15, 2026
    ·
    Last updated July 15, 2026

    In short

    The "Unknown Publisher" warning appears when Windows can't confirm who created a program — either because the file isn't digitally signed, or because its signature is broken, expired, revoked, or from a certificate Windows doesn't trust. Signing the file with a valid code signing certificate from a trusted authority replaces "Unknown Publisher" with your verified organization name in that prompt. It's a separate problem from the SmartScreen "unrecognized app" warning, which is about download reputation rather than identity — so fixing one doesn't automatically clear the other.

    If you've watched a user hesitate at the yellow prompt that calls your software "Unknown Publisher," you already know the cost: hesitation, support tickets, and the occasional abandoned install. The fix is more direct than most of the advice online suggests. Windows shows that warning because it can't verify who stands behind the file, and the answer is to give it a verifiable identity. My-SSL issues OV and EV code signing certificates that put your verified company name in the Windows prompt instead of "Unknown Publisher." The rest of this guide covers exactly what triggers the warning, why it sometimes survives signing, and how it differs from the SmartScreen warning it's constantly confused with.

    What triggers the warning

    Windows shows "Unknown Publisher" whenever it's about to run an executable — usually an installer or a program asking for administrator rights — and can't tie that file to a verified identity. In practice, that comes down to one of two situations: the file carries no digital signature at all, or it has a signature Windows won't accept. Either way, the prompt is Windows saying it doesn't know who to hold responsible for the code.

    You'll meet it most often in the User Account Control (UAC) dialog — the elevation prompt that asks whether to let an app make changes to your device — and in the older "Open File - Security Warning" box that appears when you run something downloaded from the internet. In both, a signed program shows a named, verified publisher, while an unverified one falls back to the "Unknown Publisher" label.

    The specific triggers are worth naming, because "just sign it" doesn't cover all of them:

    • No signature at all. The build never ran a signing step, so there's nothing for Windows to check. This is the most common case for in-house tools and first releases.
    • A broken signature. The file was signed, then edited, repacked, or patched afterward, so its contents no longer match the signed hash.
    • An untrusted certificate. The file is signed, but with a self-signed or private certificate that other machines have no reason to trust.
    • An expired or revoked certificate. The certificate was valid once but has lapsed or been pulled, and without a timestamp the signature lapses with it.

    'Unknown Publisher' vs the SmartScreen warning

    These are two separate warnings with two separate causes, and mixing them up is why so many fixes disappoint. The "Unknown Publisher" prompt is about identity: it asks whether the file is signed by someone Windows can verify. SmartScreen's "Windows protected your PC" message is about reputation: it asks whether this exact file has been downloaded and run enough to be treated as known-good. A certificate answers the first question. Nothing but time and safe usage answers the second.

    Two different Windows warnings with two different causes and fixesA side-by-side comparison. On the left, the "Unknown Publisher" warning is caused by identity — a missing or invalid signature — and is fixed by signing with a trusted code signing certificate. On the right, the SmartScreen "unrecognized app" warning is caused by reputation — too few downloads to be known-good — and is fixed only as safe downloads accumulate over time. The reputation fix is highlighted in gold to show it is the slower, out-of-your-direct-control one.Two warnings people constantly confuse"Unknown Publisher"Question it asksWho signed this file?CauseMissing or invalid signatureFixSign with a trusted certificateSmartScreen "unrecognized app"Question it asksIs this file known-good yet?CauseToo little download reputationFixReputation builds as downloads add up
    A certificate answers the left column immediately. The right column is a waiting game no certificate can skip — which is why signing removes one warning but not always the other.

    That distinction has a practical edge. Sign a brand-new installer and the UAC dialog will proudly show your company name — no more "Unknown Publisher" — yet the same download can still hit a SmartScreen screen on its first day, because reputation starts from zero for every new file. If the warning you're fighting is the full-screen blue "unrecognized app" one, our guide to how SmartScreen publisher reputation works explains what actually clears it. This article stays on the identity side: the yellow "Unknown Publisher" label.

    How a code signing certificate fixes it

    Code signing attaches two things to your file: a cryptographic hash of its contents and a digital signature made with a private key that belongs to a certificate a certificate authority issued to your verified organization. When Windows runs the file, it recomputes the hash, checks the signature, and follows the certificate up to a root it already trusts. If all three hold, the "Unknown Publisher" label is replaced by the name the CA confirmed — so the fix is identity, delivered cryptographically.

    What the elevation prompt shows for an unsigned versus a signed programTwo schematic elevation prompts. The unsigned program shows a warning shield and a publisher line reading "Unknown". The signed program, highlighted in gold, shows a verified shield and a publisher line reading a real company name marked as verified. The only difference is a valid code signing signature.Same prompt, one field decides the trustUnsigned program?Allow this app?to make changes to your devicePublisher:UnknownWindows has no verified identity to showSigned programAllow this app?to make changes to your devicePublisher:Your Company LtdA CA verified this name before issuing the cert
    Schematic, not a screenshot. The takeaway is the Publisher line: a valid signature turns "Unknown" into a name a certificate authority checked.

    The mechanics matter because of where the private key has to live. Since June 1, 2023, every publicly trusted code signing key must be generated and held on certified hardware — a qualifying token or HSM — or in a certified cloud signing service, and it can't be exported as a plain file. That raised the floor on security, and it's why a modern certificate ships as a cloud signing session or a hardware token rather than a downloadable .pfx. My-SSL issues both OV and EV code signing certificates with cloud signing through SimplySign, so you can sign without shipping a physical token around the team.

    Signing itself is a single command once the certificate is in place. On Windows, that's SignTool with a SHA-256 file digest and an RFC 3161 timestamp; our step-by-step SignTool guide walks through the exact invocation and how to verify the result before you ship.

    Why it can still appear after you sign

    A signature Windows can't fully validate is treated as no signature at all, so a signed file can still show "Unknown Publisher." The good news is that the reasons are finite and each has a clear cause. Run signtool verify /pa /v against your file and the tool will usually point straight at the one that's failing.

    The five checks a signature must pass before Windows shows a verified publisherA left-to-right chain of five checkpoints: the file is actually signed, the certificate chains to a trusted root, the signature uses SHA-256, the certificate is valid or timestamped, and the file is unchanged since signing. Passing all five leads to the final gold box, a verified publisher name. Failing any one falls back to "Unknown Publisher".Any single failed check falls back to "Unknown Publisher"Actuallysigned?Chains to atrusted root?SHA-256,not SHA-1?Valid ortimestamped?Unchangedsince signing?All five pass →verified publisher name shown
    "I signed it and it still warns" almost always means one of these five checks failed — most often a missing intermediate or an expired, un-timestamped certificate.
    • A broken certificate chain. The signing certificate is fine, but the intermediate that links it to a trusted root wasn't embedded, so validation stops short. This is the same class of problem as a broken SSL certificate chain, just on the code signing side.
    • An expired certificate with no timestamp. Without an RFC 3161 timestamp, a signature dies the moment the certificate expires. Timestamping is what keeps an old release trusted long after the certificate lapses — our guide to code signing timestamps covers why it's non-negotiable.
    • A SHA-1 signature. Modern Windows treats SHA-1-signed code as effectively unsigned. Sign with a SHA-256 file digest instead.
    • A revoked certificate. If the CA revoked the certificate — after a key compromise, say — every signature that isn't protected by an earlier timestamp stops validating.
    • The file changed after signing. Any post-signing edit — a patched resource, a re-zipped installer — breaks the hash, and a hash that doesn't match reads as a missing signature.

    Which certificate you need — and what EV won't do

    For the "Unknown Publisher" prompt specifically, any valid code signing certificate from a publicly trusted CA does the job: OV (Standard) and EV both put your verified name in the dialog the instant the file is signed. There's no tier you have to buy to clear this particular warning — you need a trusted certificate and a correct signature, nothing more.

    Where the choice matters is the other warning. It's tempting to reach for EV on the assumption it skips SmartScreen, and that used to be true — but Microsoft removed EV's automatic reputation advantage in August 2024, and EV-signed files now build SmartScreen reputation the same way OV files do. So pick EV for its stricter identity vetting and hardware requirements, not as a shortcut past the blue "unrecognized app" screen. Our OV vs EV code signing explainer lays out what each level actually buys you today.

    For most developers the practical path is a Standard OV certificate to remove "Unknown Publisher" immediately, paired with timestamping and a consistent signing setup so reputation can accrue over time. When you're ready to sign, My-SSL's code signing certificates come with cloud signing via SimplySign, which keeps the key on certified infrastructure without a token to manage.

    Frequently Asked Questions

    Get instant answers to common questions about SSL certificates and our services.

    Still Have Questions?

    Our SSL experts are available 24/7 to help with any questions about certificates, installation, or technical issues.

    The bottom line

    "Unknown Publisher" is an identity problem, and identity is exactly what a code signing certificate provides: sign your software with a trusted certificate, using SHA-256 and a timestamp, and Windows shows your verified name instead of a warning. Keep it separate in your head from SmartScreen, which only accumulated downloads can settle. As a Certum partner, My-SSL issues OV and EV code signing certificates with cloud signing via SimplySign, so the identity half is something you can fix today.