"Manifest XML signature is not valid"

Question

OS: Windows 7 64 bit using Visual Studio Pro 2012 with .NET 4.5 installed.

I used the Publish option within Visual Studios and ensured that I had clicked the Sign the clickOnce manifest and Sign the Assembly. It will still not run on another computer and says I do not have a valid XML signature. I have pasted the error message below.

I have also read: How to move a ClickOnce deployment package, Do I have to sign my ClickOnce manifest?. VS2012 .NET 4.0 Clickonce VSTO CryptographicException: SignatureDescription could not be created for the signature algorithm supplied and several others.

I need to be able to deploy my program on .NET 4.0 at the minimum and I do not have access to another version of Visual Studios. Thanks in Advance!

complete Error Below:

---

PLATFORM VERSION INFO Windows : 5.1.2600.196608 (Win32NT) Common Language Runtime : 2.0.50727.3603 System.Deployment.dll : 2.0.50727.3053 (netfxsp.050727-3000) mscorwks.dll : 2.0.50727.3603 (GDR.050727-3600) dfdll.dll : 2.0.50727.3053 (netfxsp.050727-3000) dfshim.dll : 4.0.31106.0 (Main.031106-0000)

SOURCES Deployment url : file:///C:/Documents%20and%20Settings/Administrator/Desktop/EatonWizard.application

ERROR SUMMARY Below is a summary of the errors, details of these errors are listed later in the log. * Activation of C:\Documents and Settings\Administrator\Desktop\EatonWizard.application resulted in exception. Following failure messages were detected: + Exception reading manifest from file:///C:/Documents%20and%20Settings/Administrator/Desktop/EatonWizard.application: the manifest may not be valid or the file could not be opened. + Manifest XML signature is not valid. + SignatureDescription could not be created for the signature algorithm supplied.

COMPONENT STORE TRANSACTION FAILURE SUMMARY No transaction error was detected.

WARNINGS There were no warnings during this operation.

OPERATION PROGRESS STATUS * [10/10/2012 2:05:02 PM] : Activation of C:\Documents and Settings\Administrator\Desktop\EatonWizard.application has started.

ERROR DETAILS Following errors were detected during this operation. * [10/10/2012 2:05:02 PM] System.Deployment.Application.InvalidDeploymentException (ManifestParse) - Exception reading manifest from file:///C:/Documents%20and%20Settings/Administrator/Desktop/EatonWizard.application: the manifest may not be valid or the file could not be opened. - Source: System.Deployment - Stack trace: at System.Deployment.Application.ManifestReader.FromDocument(String localPath, ManifestType manifestType, Uri sourceUri) at System.Deployment.Application.DownloadManager.DownloadDeploymentManifestDirectBypass(SubscriptionStore subStore, Uri& sourceUri, TempFile& tempFile, SubscriptionState& subState, IDownloadNotification notification, DownloadOptions options, ServerInformation& serverInformation) at System.Deployment.Application.DownloadManager.DownloadDeploymentManifestBypass(SubscriptionStore subStore, Uri& sourceUri, TempFile& tempFile, SubscriptionState& subState, IDownloadNotification notification, DownloadOptions options) at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivation(Uri activationUri, Boolean isShortcut, String textualSubId, String deploymentProviderUrlFromExtension, BrowserSettings browserSettings, String& errorPageUrl) at System.Deployment.Application.ApplicationActivator.ActivateDeploymentWorker(Object state) --- Inner Exception --- System.Deployment.Application.InvalidDeploymentException (SignatureValidation) - Manifest XML signature is not valid. - Source: System.Deployment - Stack trace: at System.Deployment.Application.Manifest.AssemblyManifest.ValidateSignature(Stream s) at System.Deployment.Application.ManifestReader.FromDocument(String localPath, ManifestType manifestType, Uri sourceUri) --- Inner Exception --- System.Security.Cryptography.CryptographicException - SignatureDescription could not be created for the signature algorithm supplied. - Source: System.Security - Stack trace: at System.Security.Cryptography.Xml.SignedXml.CheckSignedInfo(AsymmetricAlgorithm key) at System.Security.Cryptography.Xml.SignedXml.CheckSignatureReturningKey(AsymmetricAlgorithm& signingKey) at System.Deployment.Internal.CodeSigning.SignedCmiManifest.Verify(CmiManifestVerifyFlags verifyFlags) at System.Deployment.Application.Manifest.AssemblyManifest.ValidateSignature(Stream s)

COMPONENT STORE TRANSACTION DETAILS No transaction information is available.

Answer 1

I had the same problem today. This is how I solved:

What caused the problem: We created a clickonce project using vs2012 and framework 4.5. Then we changed the target framework to 4.0 (client asked to).

The problem is: Framework 4.5 uses SHA-256 algorithm for the signature, and 4.0 uses SHA-1. When we changed the target framework to 4.0 and vs2012 didn't changed the algorithm.

Solution: Change the algorithm manually, generating a new certificate.

Go to Project properties -> signing

You will see the algorithm that is being used in 'Signature Algorithm'. You can create a new test certificate and then you will notice that it changes to 'sha1RSA'

Answer 2

Note, I would have added this as a comment, but due to silly Reputation rules, I can only add an answer!

---

Beware new code signing certificates

I had this problem recently because our Code Signing certificate needed renewal. So, being blind to the fact that Microsoft haven't patch the XP version of Framework 4 to work with SHA2 certificates during ClickOnce deployment, I told all my clickonce projects to use the new code signing certificate.

As I also do code-based updates of the app rather than just let Microsoft handle it, so that it's a more seamless experience to the end user without them required to press buttons and in the style of my app.

However, I hit a bug where my program didn't report the manifest error, instead it just hung (my bad!). In order to get an update our after working until 3am to discover this problem, I had to create a temporary certificate issued by Visual Studio. The problem with that? Code updates are not seamless any more because microsoft put a stupid dialog up as the publisher is unknown!

So my biggest concern is that yes, OK, XP is not supposedly supported from Monday but that shouldn't mean the Framework 4 shouldn't accept the new certificates if that's what they are pushing to everyone. Microsoft are even actively involved in that push!

The only working answer is as above, you MUST use Visual Studio to create an untrusted temporary certicate, which is rediculous!!! (I still have hope that maybe I didn't find the correct way to use the new certicate)