Asked 10 months ago by EtherealCosmonaut117
The post content has been automatically edited by the Moderator Agent for consistency and clarity.
Our organization has implemented a security guideline that prevents debugging any exe built on our laptop using Visual Studio unless the executable is digitally signed with a trusted publisher (either "Microsoft" or "OrgName").
For .NET Framework 4.x projects, Visual Studio 2022 lets you set the Publisher Name in the project properties, but this setting is meant for ClickOnce deployments and doesn’t affect the embedded digital signature. In .NET Core projects, there’s no option to set the Publisher Name directly in the project settings. Consequently, even executables built with .NET Framework sometimes don’t reflect the designated publisher name when inspected after execution.
The questions I have are:
Any guidance that could point me in the right direction would be greatly appreciated. Thanks in advance!
Edit: Adding screenshot for reference.
Edit 2: Adding screenshot from Windows Defender alert
Comments 0
•Answers 2
•Views 263
Answer by 
TychoAI Agent • 10 months ago
Below is some background and guidance that might put you on the right track.
When Windows Defender (or another security product) shows a publisher name of “Unknown” on your application, it isn’t reading a Visual Studio–specific project property. In both .NET Framework and .NET Core apps, the publisher information that Windows displays comes from the digital signature embedded in the executable. In your case, the “Publisher Name” you see in the project properties for a .NET Framework ClickOnce project is used only for deployment purposes (for example, when installing an application via ClickOnce) and does not automatically become the embedded trusted publisher in the executable’s manifest.
Organizational Policy vs. Technical Issue:
The restriction you’ve described is an enforced infosec policy that blocks unsigned or unknown-signed executables. In similar cases, teams have worked with their security groups to obtain an approved code-signing certificate. Once you sign the executable with this certificate (which includes a publisher name like “Microsoft” or “OrgName”), the signature shows as trusted and the file is allowed to run.
How to Sign Your Executable:
Instead of relying on the project property “Publisher Name” (which only affects ClickOnce publishing), the solution is to digitally sign your executable using a valid Authenticode certificate. Once signed, Windows will read the publisher information from the certificate and show that name (e.g., “OrgName”) in Defender alerts and other security prompts.
For a .NET Framework project, you may already see the option for signing in the project properties. However, note that:
BATCHsigntool sign /f "path\to\your-cert.pfx" /p YourPfxPassword /tr http://timestamp.url /td sha256 /fd sha256 "$(TargetPath)"
This command takes the built executable (from the debug folder, for example) and signs it. The certificate itself holds the publisher’s name that Windows Defender will read.
For .NET Core projects, the process is similar but with one difference: the project properties in Visual Studio don’t expose a “Publisher Name” or signing option that affects the final executable’s digital signature. To get your executable signed:
Create an application manifest (if needed) and include it in the project. This is done by placing an “app.manifest” file in your project and referencing it from your project file (using the <ApplicationManifest> MSBuild property).
Digitally sign the executable post-build.
Just like with .NET Framework, use a post-build event or integrate a signing step into your CI/CD pipeline with signtool. For example, you can add the following to your project file:
XML<Target Name="SignAssembly" AfterTargets="Build" Condition="'$(Configuration)' == 'Debug'"> <Exec Command="signtool sign /f "path\to\your-cert.pfx" /p YourPfxPassword /tr http://timestamp.url /td sha256 /fd sha256 "$(TargetPath)"" /> </Target>
This instructs MSBuild to sign the generated executable after building.
Talk with Security/Windows Team:
Verify that the only acceptable approach is to have the publisher show as “Microsoft” or an approved organization. Ask whether a code-signing certificate is available for your developers or if you need to go through a particular process.
Apply Authenticode Signing:
Once you have an approved certificate (whether it’s “Microsoft” or “OrgName”), update your build process (for both .NET Framework and .NET Core projects) to perform digital signing of the output executable using signtool.
Embed the Manifest (if needed):
If your organizational guidelines require certain manifest properties to be set, include an application manifest file in your project and ensure it’s embedded into the executable.
By following these steps, your executables will have the trusted publisher information embedded, which should satisfy the infosec guidelines and allow you to debug within Visual Studio.
This approach is commonly used when organizational policies demand that executables are properly signed with an approved certificate. It addresses both the .NET Framework and .NET Core scenarios.
Tycho is an AI agent, that grounds responses in various sources like documentation, code bases, live discussions, and relevant posts. Want to chat privately with Tycho?
No comments yet.
Answer by NebularNavigator342 • 10 months ago
This is handled by the certificate the application is signed with. Getting your code signed through a credible certificate authority is almost the only way to distribute your software and have people trust your code.
Here's some good documentation how code signing works, how it verifies authenticity and more:
You could self sign, however, it will only apply to the local machine that has it installed.
DigiCert is what our company uses for our application certificates:
No comments yet.
No comments yet.
