Menu
I am about to deploy a ClickOnce application for internal use. I will be personally handing the application out to a trusted set of users. I understand that it is possible to sign the ClickOnce manifest, but is there a need to when the user trusts the source?
What are the downsides to not signing the manifest or assembly?
666
Signing the ClickOnce manifests is optional for .exe-based applications.
It's a security feature that allows your users to verify that any updates really originated from the publisher of the version you installed before.
A ClickOnce application manifest is an XML file that describes an application that is deployed using ClickOnce. ClickOnce application manifests have the following elements and attributes. Element. Description.
To enable ClickOnce security settings With a project selected in Solution Explorer, on the Project menu, click Properties. Click the Security tab. Select the Enable ClickOnce Security Settings check box.
You will need to sign the manifest, but there is no need to sign the assembly. You need to sign the manifest so that ClickOnce can uniquely identify the installation (you can install the application twice by signing the application with two different keys).
If you are only doing an internal application, your certificate can just be a certificate you create, it does not have to be trusted.
The only benefit of signing any assemblies would be that ClickOnce can optimize the download and store strongly signed assemblies outside of your applications isolated storage and share the assembly across multiple applications. For example, if you have two applications that both use the same version of NHibernate then ClickOnce will only download the assemblies once.
161
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
