If a publisher could not be verified, is that program harmful? Not necessarily. If the publisher could be verified, is that program safe? You cannot assume that either. Why does the warning appear? How can you stop the warning from appearing?

The “publisher could not be verified” warning was intended to make computer users more aware of potentially harmful programs. Any program downloaded from the Internet is potentially harmful. But now, like the story of “The Boy Who Cried Wolf”, many computer users see it so often that they ignore it, and opt to run the program anyway without giving it another thought. Should you too simply ignore the warning? I would answer that question with “No, but learn what the message means so you can make an informed decision about when it is OK to ignore it.”

Why Does the Warning Appear?

Every program downloaded from the Internet gets tagged by the browser as having come from the Internet. When you try to run such a program, Windows checks if the program was digitally signed, and if it was signed, Windows checks who signed it. If the program wasn’t signed, or if Windows can’t verify who signed it, Windows displays the warning that the publisher, the one who made the program available to the public, could not be verified.
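To see both inputs to that check for a particular download, the PowerShell function below reads the "came from the Internet" tag (Windows stores it in an NTFS alternate data stream named Zone.Identifier) and the file's Authenticode signature status. It is an added example, not part of the original article; the function name Get-DownloadTrustInfo and the sample path are hypothetical.

```powershell
# Added example. Get-DownloadTrustInfo and the sample path are hypothetical names.
function Get-DownloadTrustInfo {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # The browser's tag lives in an NTFS alternate data stream called
    # Zone.Identifier. ZoneId 3 = Internet zone, 4 = Restricted sites.
    $zoneId = $null
    $tag = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in $tag) {
        if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
    }

    # Authenticode check: is the file signed, and does the signature verify?
    # Status is Valid only when the signature checks out and chains to a
    # trusted root; NotSigned, HashMismatch, NotTrusted etc. all mean the
    # publisher cannot be verified.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName

    $publisher = $null
    $expires   = $null
    if ($sig.SignerCertificate) {
        $publisher = $sig.SignerCertificate.Subject
        $expires   = $sig.SignerCertificate.NotAfter
    }

    [pscustomobject]@{
        File            = $file.Name
        ZoneId          = $zoneId
        FromInternet    = ($zoneId -ge 3)      # $null (no tag) evaluates to False
        SignatureStatus = $sig.Status
        Publisher       = $publisher
        CertExpires     = $expires
    }
}

# Usage (hypothetical path):
# Get-DownloadTrustInfo -Path "$env:USERPROFILE\Downloads\setup.exe"
```

A file that reports FromInternet as True together with a SignatureStatus other than Valid is the combination the article describes as producing the warning.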

What Does It Mean to be Verified?

When Windows verifies the publisher of a program, it warrants only two things:

  1. The program truly did come from the named publisher.
  2. The program was not tampered with since the publisher signed it.

However, although you can trust that a verified program really came from the identified publisher, Windows cannot warrant that the publisher provided a quality program, or that the publisher thoroughly tested the program for safety before signing it. Even a verified program could contain a virus. Even a verified program might use programming techniques that are either intentionally or unintentionally harmful to you or your computer.

Whether or not a publisher could be verified, you should never trust anything you download from the Internet. You should always scan any downloaded file for viruses, no matter how much you trust the site you downloaded it from.

Conversely, just because a program isn’t signed and the publisher cannot be verified does not mean the program will harm your computer. It just means it isn’t signed. Here too, your best response is to scan the program for viruses before you use it.

How is Windows Able to Verify the Publisher?

In order for Windows to verify the publisher of a program, the program must be digitally signed by the company that provided the program. I, as a software developer, would need to contact a certification authority, identify myself as being from Godtland Software Corporation, and purchase their digital signing certificate. I would then need to use that certificate to digitally sign any program I make downloadable from the Internet. Windows would then be able to verify that Godtland Software Corporation was the publisher of any programs that were signed with that certificate.

Certificates are valid for only a set period of time. Even if I sign a program with a valid certificate, if I do not renew that certificate every year, users of that program will eventually get a warning that the certificate expired.

So Why Doesn’t Everyone Sign Their Programs?

Unfortunately, it costs $200-500 annually to keep an active code signing certificate. I sell shareware programs for $15-20 each. I would have to sell a lot of copies of my program every year just to pay for the certificate. And as stated above, a verified program is not guaranteed to be safe anyway. I cannot justify the cost of the certificate for what little protection it provides users of my programs. All the digital certificate does for me is prevent the warning from appearing when someone starts my programs, a warning people see so often that they often ignore it anyway.

Before I place any downloadable programs on my website, I scan them for viruses. Then I let users know they will see the warning that the publisher could not be verified. I ask them to ignore the warning and to take two steps:

  1. Scan my program for viruses – a step they should be doing anyway.
  2. Compare the size of the file they downloaded with the size I listed for the file when I put it on my website. The correct file size means it is less likely to have been tampered with.
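The two steps above as a PowerShell function, added here as an example and not taken from the original article: it runs a Microsoft Defender scan where that is available, then compares the file's size with the published one. It goes one step beyond the text by also computing a SHA-256 hash, because a modified file can keep the same size; the function name, the sample path and size, and the idea that a publisher lists a hash are assumptions.

```powershell
# Added example. Test-DownloadedFile, the sample path and the sample size
# are hypothetical; substitute the values shown on the download page.
function Test-DownloadedFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][long]$PublishedSize,  # bytes, as listed by the publisher
        [string]$PublishedSha256                     # assumption: only if one is listed
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Step 1: scan for viruses. Start-MpScan ships with Microsoft Defender;
    # with another product installed, run that scanner here instead.
    # $scanRan only records that the scan completed, not that the file is clean:
    # Defender reports and quarantines detections itself.
    $scanRan = $false
    if (Get-Command Start-MpScan -ErrorAction SilentlyContinue) {
        try {
            Start-MpScan -ScanType CustomScan -ScanPath $file.FullName -ErrorAction Stop
            $scanRan = $true
        } catch {
            Write-Warning "Defender scan did not run: $($_.Exception.Message)"
        }
    }

    # Step 2: compare the exact byte count, not the rounded size Explorer shows.
    $sizeMatches = ($file.Length -eq $PublishedSize)

    # Beyond the article: a hash changes when any byte changes, even if the
    # size stays the same. String -eq is case-insensitive in PowerShell.
    $sha256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    $hashMatches = $null
    if ($PublishedSha256) { $hashMatches = ($sha256 -eq $PublishedSha256.Trim()) }

    [pscustomobject]@{
        File        = $file.Name
        ScanRan     = $scanRan
        ActualSize  = $file.Length
        SizeMatches = $sizeMatches
        Sha256      = $sha256
        HashMatches = $hashMatches   # $null when no published hash was supplied
    }
}

# Usage (hypothetical values):
# Test-DownloadedFile -Path "$env:USERPROFILE\Downloads\setup.exe" -PublishedSize 1482752
```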

Hopefully, by taking these two steps, the user will be more comfortable using my unverified program, and I can keep my costs and program price low.

Should You Turn Off the Setting That Displays the Warning?

If you do not like seeing the warning that the publisher could not be verified, and you always ignore it anyway, you may turn it off:

http://benosullivan.co.uk/windows/how-to-stop-windows-7-popup-%E2%80%9Cthe-publisher-could-not-be-verified-are-you-sure-you-want-to-run-this%E2%80%9D/

However, I do not recommend that you turn it off. That warning is there for your protection. Use it as a reminder that you should scan the program for viruses before you use it.

Conclusion

Keep in mind that the “Publisher Could Not be Verified” message is only a warning. As such, you must use your own judgment about whether to heed it or ignore it. Whether you receive the warning or not, you should always:

  • Keep your anti-virus program up to date.
  • Scan any file you downloaded for viruses.

If you get into the habit of always scanning for viruses, you may more comfortably ignore the warning, or even disable the setting that makes the warning appear.

If you are a software publisher, write quality software, and scan any files for viruses before you put them on your website. Develop a trustworthy reputation. If you really don’t want the warning that the publisher could not be verified to appear for users of your programs, you will have to digitally sign your programs and keep your signing certificate up to date.

3 Responses to Should You Ignore the “Publisher Could Not be Verified” Warning?

  1. [...] really turn it off unless the application if signed, which is several hundred pounds per yr. More info. Posted in Windows 7, Windows Admin | Tags: OX4 2SG « local:customcommands was not found [...]

  2. john lee says:

    OK, seems like you said almost everything except how to remove this msg.
    I need to remove it. Would you please (if you know) give me instructions to remove this msg?
    Thank you ever so much.

Step-by-Step Tutorial

Many of the tips, techniques, and tools discussed in this blog are demonstrated in a detailed step-by-step tutorial in the book, This Little Program Went to Market, by Annette Godtland.

The book takes a computer program through the entire process of creating, deploying and distributing a program, then selling and marketing it (or any other product) on the Internet. Read more.