I'm getting a very odd result when running an executable that has been digitally signed.
The executable was signed using signtool.exe using a proper level 2 code signing certificate (not self-generated).
Testing on a Windows 7 machine, if i launch the signed executable, I get the windows warning dialog saying Publisher Unknown (i.e. not signed).
However, if i then cancel and right-click on the executable and go to Properties -> Digital Signatures, the Signature list shows the signed certificate, which i can then click on and choose "Details" to view the details of the signature, which is shown as "The digital signature is OK".
At that point, if i launch the executable, now all of a sudden windows properly recognizes that the exectuable is signed and reports the correct "Verified Publisher".
It seems like maybe Windows wasn't checking the certificate online until i went to view the actual certificate details from the properties dialog of the executable (note that it wasn't just a delay after launching the executable, it doesnt matter how long i wait or how many times i launch it, it treats it as unsigned until i go into Properties / Digital signatures of the file).
This a generic Windows 7 install I use for testing -- it hasn't been modified or tweaked in any way.
This behavior seems to defeat the main purpose of code signing on Windows-- how can it be that the executable is treated as unsigned unless the user knows to go into the right-click properties and digs around for a certificate.
Is there something I'm missing? Some way to mark the executable as one that Windows should actively go check the certificate of when executed?