Unfortunately it is not possible to make a link to the URL available outside
of the program area; this is a DOD classified program.
The problem does not exhibit itself on XP PRO SP2; setting the desired
registry settings has the intended effect of NOT presenting the "publisher
not verified" dialog.
Also, I can access the offending page residing on the embedded system from a
'non-Embedded' XP SP2 machine, and the problem does not occur. The problem
only occurs when accessing the URL residing on XPE from IE which is also
running on that same XPE machine.
:
Sorry for delayed response. I somehow missed your last post.
I mentioned earlier in this thread that it is not IE but the CryptUI library that's showing the dialog.
I am clueless why it doesn't want to work for you when you set the value. Could you provide me with the link or test page you
are using to test out the appearance of the dialog?
Since you are dealing with a UserControl (well, I'd love to see more details on this) I'd try to set to Enable all the ActiveX
related policies of the Zone you are downloading the page from.
A couple more things to mention here:
- You might have already done this, but it is worth mentioning. Are you able to repro the issue on XP Pro?
- If you can't repro the issue on XP Pro, I suggest you try the XPProEmulation image (www.xpefiles.com). If you can't repro
it there either, the issue is due to a missing dependency then.
--
=========
Regards,
KM
And just for further clarification:
I performed a REGMON on IE, opened the Tools | Internet Options... |
Advanced windows and logged the registry interaction. Both the
RunInvalidSignatures='1' and CheckExeSignatures='no' values were read, and
these settings were also reflected in the check box settings within the
Advanced Tab. Still, the 'publisher not verified' dialog appears.
Is it possible that the dialog is not being presented by IE, but by
something else?
:
Yes, CheckExeSignatures is a string value, and it was set to 'no'. I have
played extensively with all the settings. I have manipulated the 'Zone\1'
values to where I can get the behavior to change for other settings, such as
URLACTION_SHELL_FILE_DOWNLOAD and others, but I still am unable to prevent
the 'publisher not verified' dialog box.
I can turn off activex controls altogether by manipulating the Zone
values, but I cannot stop the prompt.
:
I don't think going to IE7 would help. The behavior of that security setting didn't change between IE6 and 7.
Just to clarify, you did set the
[HKCU\Software\Policies\Microsoft\Internet Explorer\Download],"CheckExeSignatures"=reg_sz:"no".
(please note the value type)
No, policy entries don't necessarily have to be pre-populated in registry. If they are missing, the policies are
considered "not configured" and usually it leads to behavior defined by documentation (check GPEdit for more info).
--
=========
Regards,
KM
I set the specified 3 registry settings (RunInvalidSig, CheckExe, &
SaveZone), and they had no effect.
Under HKCU\Software\Policies\Microsoft, 'SystemCertificates' was the only
existing key, so 'Internet Explorer\Download' had to be created. Also, only
'Explorer' existed at
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies, so 'Attachments' had
to be created. Should these keys have already existed?
Components "Primitive: CryptUI", "Internet Explorer" and "Windows XP Service
Pack 2 Resource DLL" are all included in the image.
I also included everything needed to support installing IE7 into the image,
built it, then installed IE7. IE7 exhibits the same behavior, again with all
Advanced options set to allow everything and registry values all set to
'enabled'.
:
Oops. Sorry, should be
[HKCU\Software\Policies\Microsoft\Internet Explorer\Download],"CheckExeSignatures"=reg_sz:"no".
--
=========
Regards,
KM
CStewart,
My bad. I should've mentioned all the related keys there.
[HKCU\Software\Policies\Microsoft\Internet Explorer\Download],"RunInvalidSignatures"=dword:1
[HKCU\Software\Policies\Microsoft\Internet Explorer\Download],"CheckExeSignatures"=dword:0
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments],"SaveZoneInformation"=dword:1
Please let us know if that helps you.
Unlikely this is your problem, but just in case, please check if you have got the "Primitive: CryptUI" component in your image
config. Of course, "Internet Explorer" and "Windows XP Service Pack 2 Resource DLL" components must be in your image as well.
--
=========
Regards,
KM
It is my understanding that the common location for this setting is
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]RunInvalidSignatures
But regardless, the setting has no effect in either location. I wonder if
anyone knows whether a missing component could be causing IE to not recognize
or behave on the specified registry settings. Of the numerous settings I
have tried, nothing has augmented the behavior of the dialog box; it always
appears.
:
CStewart,
I guess you have already tried this one?
[HKCU\Software\Policies\Microsoft\Internet Explorer\Download],"RunInvalidSignatures"=dword:0
Corresponds to the "Allow software to run or install even if the signature is invalid" policy.
--
=========
Regards,
KM
On Embedded with XPSP2 & Feature Pack 2007, whenever a web page containing a
UserControl is opened, the user is presented with the 'Publisher could not be
verified' dialog. IE (6 w/h SP2) is being brought up programmatically, as
this embedded system has no keyboard or mouse with which to acknowledge the
dialog box.
This embedded system has no network connectivity, and I am not interested in
digitally signing the user control dll.
I have thoroughly gone through the myriad of registry settings which relate
to this issue, although one would think turning off the 'Check for
signatures on downloaded programs' within IE would be enough. I have
manipulated the LMZ and other zones, worked with the IE advanced settings, as
well as other related registry settings
(http://blogs.msdn.com/embedded/archive/2005/06/06/425907.aspx). Nothing has
had any effect.
I have even strong named the assembly and signed it in an attempt to simply
get different behavior, but to no avail.
If anyone has any ideas, I would be keenly interested in hearing them.
Thanks.
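
Added example (not part of the thread and not code from either poster): much of the exchange above turns on which key each value lives under and which registry type it uses, so this Python script audits a regedit text export for the three values named in the thread and reports type mismatches and relaxed signature settings. The expected types and the "relaxed" data follow KM's posts; the sample export and all function names are constructed for illustration.

```python
import re

# Value types as posted in the thread (KM's corrected post for CheckExeSignatures).
EXPECTED_TYPE = {"checkexesignatures": "REG_SZ", "runinvalidsignatures": "REG_DWORD",
                 "savezoneinformation": "REG_DWORD"}
# Data that, per the thread, relaxes signature checking when the value is honoured.
RELAXED = {"checkexesignatures": "no", "runinvalidsignatures": 1}

# Constructed sample export (not taken from a real system).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Download]
"RunInvalidSignatures"=dword:00000001
"CheckExeSignatures"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
'''

def parse_reg(text):
    """Yield (key, name, type, data) for each value in a regedit text export."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"=(.+)$', line)
        if not (m and key):
            continue
        name, data = m.groups()
        if data.lower().startswith("dword:"):
            yield key, name, "REG_DWORD", int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            yield key, name, "REG_SZ", data[1:-1]
        else:
            yield key, name, "OTHER", data

def audit(text):
    """Return (key, name, finding) tuples for the signature-related values."""
    out = []
    for key, name, vtype, data in parse_reg(text):
        want = EXPECTED_TYPE.get(name.lower())
        value = data.lower() if vtype == "REG_SZ" else data
        if want and vtype != want:
            out.append((key, name, f"type {vtype}, expected {want}"))
        elif want and RELAXED.get(name.lower()) == value:
            out.append((key, name, "signature check relaxed"))
    return out
```

Calling audit(SAMPLE) returns one finding per matching value, so a value written with the wrong type shows up as a mismatch rather than being silently counted as set.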