Why does my signed cab still show the "Unknown Publisher" prompt?

At install time, we crack open the cab file and check for a signature on every executable (exe and dll) inside the cab. If any of the binaries are unsigned (or signed with a cert that doesn't chain to the code execution stores) then we'll display the unsigned code prompt. If the user presses "Yes" at the prompt, then we add the hashes for all the unsigned code in the cab to the "Prompt Exclusion List". This list stores the hashes of unsigned binaries that have already been accepted by the user. One advantage of this approach is that it allows the user to make the trust decision at install time, instead of at run time. It also means that the trust decision is atomic - once the cab is installed, none of the binaries will prompt, so you won't have to accept a wave of prompts at runtime.

So if your signed cab is still showing the prompt at install time, make sure all the binaries inside are signed.
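A pre-packaging check for the advice above, as an added example that is not from the original post: it scans a staging folder (assumed here to hold the files that will go into the cab) and lists every PE image whose Authenticode certificate table is empty, identifying binaries by their headers rather than by the .exe/.dll extension. It tests for the presence of an embedded signature only, not whether the cert chains to the code execution stores; the function names and the sample header are constructed for illustration.

```python
import struct
from pathlib import Path

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table

def has_embedded_signature(data):
    """None if data is not a PE image, else whether its certificate table is non-empty."""
    # Presence only: the signature and its certificate chain are not validated here.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    opt = pe + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    if opt + 2 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = {0x10B: opt + 96, 0x20B: opt + 112}.get(magic)  # PE32 / PE32+
    if dirs is None:
        return None
    entry = dirs + 8 * SECURITY_DIR
    if entry + 8 > len(data):
        return False  # truncated header: treat as unsigned
    count = struct.unpack_from("<I", data, dirs - 4)[0]  # NumberOfRvaAndSizes
    offset, size = struct.unpack_from("<II", data, entry)
    return count > SECURITY_DIR and offset != 0 and size != 0

def unsigned_binaries(staging_dir):
    """List every PE file under staging_dir with no embedded signature, whatever its name."""
    root = Path(staging_dir)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and has_embedded_signature(p.read_bytes()) is False)

def sample_pe(signed):
    """Constructed minimal PE32 header for demonstration; not a loadable binary."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x1C0, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, 0x400, 0x1000)
    return dos + coff + bytes(opt)

if __name__ == "__main__":
    import sys, tempfile
    with tempfile.TemporaryDirectory() as demo:  # constructed staging folder
        Path(demo, "app.exe").write_bytes(sample_pe(True))
        Path(demo, "helper.dll").write_bytes(sample_pe(False))
        for name in unsigned_binaries(sys.argv[1] if len(sys.argv) > 1 else demo):
            print("unsigned:", name)
```

Any path it reports is a binary that would trigger the unsigned code prompt for the whole cab, even when the cab itself is signed.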