Is it possible to obfuscate a ClickOnce application created in Visual Studio 2008?

Question

I've created a WPF application and obfuscated the main .exe with an external tool.

Now I'm having trouble to publish it as a ClickOnce application, because Visual Studio somehow is recompiling again the main executable.

I deactivated the build checkboxes under Solution → Configuration manager, but it didn't work: the executable keeps being rebuilt when I publish the application to http://localhost/MyApplication

Is it possible to deploy my ClickOnce application without recompiling the current project?

If that's no way, is there a free tool to generate a ClickOnce application with specific desired files?

Answer 1

I don't exactly understand why ClickOnce has this apparent behavior. However you should be able to work around this by inserting the obfuscation step into the build system. Try defining a post build task which runs the obfuscator against the EXE / DLL. Since this will run as part of the build, ClickOnce will pick up the obfuscated DLL rebuild or not.

It will also save you the trouble of running it manually :)

Answer 2

Disclaimer: I work for PreEmptive Solutions, the makers of Dotfuscator.

The issue with Jared's solution is that a post build task executes too late in the build process as the ClickOnce build steps create the manifests (including assembly signatures, which obfuscation changes) long before the post build fires. You can hack the MSBuild file (your .csproj/.vbproj) file to call the obfuscation task in the AfterCompile step and have the obfuscator dump the obfuscated assemblies into the builds bin directory but this is a pain.

A second alternative is to use the Mage/MageUI tools to recreate the ClickOnce manifests by publishing your application, obfuscating the assemblies, overwriting the published assemblies with the obfuscated versions and then running Mage to recreate the manifests as shown here. Documentation for the Mage utility is here.

A third alternative is if your obfuscator is Dotfuscator Professional edition version 4.6.1010 or higher. Dotfuscator has the ability to directly read a ClickOnce deployment manifest as an input, obfuscate the assemblies and output both the obfuscated assemblies and fully updated manifest files. See here for a starting point.

Answer 3

Just FYI, this is handled in Visual Studio 2010.

In the meantime, you have to publish to a folder, obfuscate the assemblies, and re-sign the deployment using either Mage or MageUI. This is because ClickOnce hashes the assemblies, and when you obfuscate them, it changes the hashes, and they no longer match the information in the manifest.

RobinDotNet