4

I am having trouble signing an application after ClickOnce deployment.

The application is a winforms project with 3 class-library projects and is deployed to a shared file path.

Publish from Visual Studio works and if I run the application it installs fine despite the warning in Windows 10 about it being unrecognized: Windows protected your PC screenshot

So being a foolishly helpful programmer I thought I'd try to remove the warning message for my users.

  • First step was to create a signing certificate. Luckily the sys admin was able to do whip up an internal certificate for me, and I managed to work out how to export it reading this.
  • Then I used Mage UI to sign the manifest. What a "manifest" was exactly I did not know at this stage. Where to find Mage was also an issue as the Windows SDK were not installed on the deployment server. I eventually remoted into the deployment server and ran Mage from my own PC. Using Mage to sign random files I eventually worked out that I needed to sign ALL the .application + .manifest files mentioned in the file structure of this answer.
  • At this point I was stuck with a Reference in the manifest does not match the identity of the downloaded assembly error and after exhausting the 10 different things to try mentioned in this question I started posting here.
  • Then I found this MSDN article where they suggested that the file was in some way corrupt. Which file? Well after comparing the files before and after I noticed that the .application file still had product key = "000000000000000" for the .manifest file instead of the new signed product key.
  • So I went back into Mage and reselected the "Application Reference" for the manifest and signed it again. At which point I got another error could not find a part of the path \\MyFileShare\Application%20Files\MyApplication_1_0_0_23\MyApplication.exe.manifest
  • Eventually I worked out that Mage had delightfully corrupted the file path with urlencoding. I fixed %20 in notepad to and resigned in Mage AGAIN and it worked!!!

Surely I'm doing something wrong and Microsoft didn't intend for this to be so difficult?

TLDR;

What is the correct way to run Mage to sign the application in 1 hit, without having to edit the files manually and resign multiple times?

Community
  • 1
  • 1
JumpingJezza
  • 5,498
  • 11
  • 67
  • 106
  • I'm not sure if it is in the same place in 2015, but in the Project Properties of 2010 there is a Signing tab a couple slots above the Publish tab. For my project that is ClickOnce it has a check box to "Sign the ClickOnce manifests" – Lithium Jun 21 '17 at 08:25
  • @Lithium Yes I have that option - but I don't have access to the certificate in the development environment, so I need to sign after deployment – JumpingJezza Jun 21 '17 at 08:29
  • I don't know how "you can't have access to the certificate" in the development environment ? You manage this certificate and deliver it to the production environnement (with your application) and it's the job of the admin to add your certificate in the trusted developper store. – Marco Guignard Jun 21 '17 at 08:40
  • @MarcoGuignard It is an internal certificate and it is in a separate Active Directory domain (external for me), I can VPN to the production environment as a different user to deploy – JumpingJezza Jun 21 '17 at 08:52
  • And ? The certificate used to sign an application has nothing to do with an active directory user ! I'm sure that Adobe don't have an user in your production environment. It juste have to be added in the good store to be trusted by the production domain. – Marco Guignard Jun 21 '17 at 10:50
  • 1
    If ClickOnce gets ruled out, Microsoft provide a MSI type installer project for Visual Studio. There is also Squirrel, a self updater that is also used by VSCode. – user9993 Jun 21 '17 at 12:40

2 Answers2

1

In my experience, the automated tools work well with all ins and outs of ClickOnce and its related tools, but doing things by hand is a real challenge.

Resources that were very useful to me are Walkthrough: Manually Deploying a ClickOnce Application and Walkthrough: Manually Deploying a ClickOnce Application that Does Not Require Re-Signing and that Preserves Branding Information.

Options:

  • Use automated tools available from Visual Studio to sign and deploy your application. (It has drawbacks too, but at least it works, sort of);
  • Spend a lot of time automating and tweaking your process, as you currently do. In the end you will benefit from doing this because you have a lot more control over the end result;
  • Use some other deployment method, like MSI.
Patrick Hofman
  • 153,850
  • 22
  • 249
  • 325
1

As Marco Guignard pointed out in the comments it is possible to export a certificate created from anywhere and import it into your personal store to use in Visual Studio.

Signing it in Visual Studio (pictures) and setting separate publish + install locations allows me to bypass the need to use mage at all!

JumpingJezza
  • 5,498
  • 11
  • 67
  • 106