Sign executable within a clickonce application when publishing

Question

I have a c# .net project in Visual Studio 2013. I have successfully signed the manifest told Visual studio to also sign the assembly.

However the application exe file is not being signed. After googling I added the following to the post build event

"C:\Program Files\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe" sign /f "$(ProjectDir)certificate.pfx" /p mypassword "$(ProjectDir)obj\Debug\myapp.exe"

and also tried

"C:\Program Files\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe" sign /f "$(ProjectDir)certificate.pfx" /p mypassword "$(ProjectDir)bin\Debug\myapp.exe"

That seems to sign the exe, however now my application won't launch and gives the error:

File, ECG Cloud Holter Assistant.exe, has a different computed hash than specified in manifest.

So I think I need it to sign the exe before it generates the manifest but how do I do that?

If I don't include the post build command, the app runs ok but with an unknown publisher warning.

Signing manifest should be the last step in build process. In your case you modifying exe file after signing manifest. — nicolas2008, Feb 19 '16 at 17:17
Nicolay - yeah that's what I've observed. I wonder how to sign the exe after its built but before the manifest it created. — Robin Fuller, Feb 19 '16 at 17:39

score 8 · Accepted Answer · answered Feb 19 '16 at 18:42

Try giving this a shot:
1. Right-click on the winforms project and select "Unload Project".
2. Right-click on the project again and select "Edit (yourprojectname).csproj".
3. Go to the bottom of the file and add the following section before the closing "Project" tag:

<Target Name="AfterCompile">
   <Exec Command="C:\Program Files\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe" sign /f "$(ProjectDir)certificate.pfx" /p mypassword "$(ProjectDir)obj\Debug\myapp.exe" />
</Target>

4. Save the proj file and close it.
5. Right-click on the project again and reload it.

Now if you build your project, you won’t see anything about signing the application executable in the output window. It will only do it if you publish, and there won’t be logging letting you know it signed it. How do you know if it worked? Go to the folder you published to, and look in the Application Files folder. Locate the application executable in the folder for the new version. Right-click on it, choose properties. Look for a tab called “Digital Signatures”. If it’s not found, it’s not signed. If you do see it, go to that tab; it will show the signature list and the signer of the certificate. You can double-click on the signer and then view the signing certificate.

I had a similar issue and was able to figure it out with help from this blog post: https://robindotnet.wordpress.com/2013/02/24/windows-8-and-clickonce-the-definitive-answer-2/

Thanks, that worked great. The main thing to remember is 'AfterCompile' -- 'BeforePublish' as used in the robindotnet article didn't work for me. — Robin Fuller, Feb 22 '16 at 10:55
`Command` is an attribute of the `Exec` tag. So its value should be in quotes. But is the double quote after signtool.exe not intended to quote the path (because it contains spaces)? if that is correct, it is a weird syntax convention. I used single quotes for the attribute, and double quotes inside just to be sure. — Cee McSharpface, Jul 25 '17 at 13:17

Sign executable within a clickonce application when publishing

1 Answers1

Linked