MSBuild or Bamboo error signing clickonce application

I have a ClickOnce application that I sign the manifests (not the assembly) with a certification stored from the Windows. In Visual Studio on my local machine everything builds/publishes great. I have another computer that I use for Bamboo integration testing and it is not working. It gives this error during the publish task:

error MSB4044: The "SignFile" task was not given a value for the required parameter "CertificateThumbprint".

I have already done research and all the posts that I saw say that the cert needs to be installed on the machine that it is being built on. I have already done this. In fact, on that same machine I ran a Visual Studio build/publish and it worked, so obviously the cert is installed.

Another issue is that I tried to use the cert file reference instead of the store and it caused other problems. It makes it so that during the MSBuild there is an error saying that the cert for signing the assembly can't be imported even though I have assembly signing turned off:

error MSB3326: Cannot import the following key file: DummyKey.snk. The key file may be password protected. To correct this, try to import the certificate again or import the certificate manually into the current user's personal certificate store.

There is no password on this file and it is disabled so I don't know what's wrong. Any help would be great.

Gekctek asked Feb 14 '23 20:02


1 Answer

Code-signing certificates are installed into the personal store. On the build machine – did you install for the build service account? Note that strong name signing the assembly has nothing to do with Authenticode signing the manifest.

I just spent some time on the ClickOnce manifest signing myself and finally got it to work. Here are the details of my findings in case they help someone.

  1. When generating the PFX file – you need to specify the password.

  2. When PFX is password-protected – MSBuild will fail to auto-install the certificate:

    2618: Cannot import the following key file

  3. Even though you’re not auto-installing, the CSPROJ file still has to have <ManifestKeyFile> specified (not just <ManifestCertificateThumbprint>) – otherwise MSBuild won’t invoke the SignFile task correctly:

    4677: The "SignFile" task was not given a value for the required parameter "CertificateThumbprint"

  4. You can install and sign with certificate by invoking Microsoft SDKs\Windows\v7.0A\bin\signtool.exe in a command – but then your CSPROJ has passwords in clear text.

  5. Project > Properties > Signing > Select from File seems to be the best route. But these steps will have to be performed manually for each account so that you can enter the password from step 1 and get the certificate into the personal store.

  6. The easiest way to verify the magic: download the ClickOnce drop, right click setup.exe > Properties > Digital Signatures > your certificate.

kat answered Feb 23 '23 06:02
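
A preflight check for the points raised in this answer, as an added example that is not part of the original answer: run as the build service account, it reads `<ManifestKeyFile>` and `<ManifestCertificateThumbprint>` from the project file, confirms the certificate is usable from that account's personal store, and optionally scripts the step 6 check on a published setup.exe. The parameter names and the helper function are assumptions made for illustration.

```powershell
# Added example (not from the original answer). Run as the build service account.
param(
    [Parameter(Mandatory = $true)] [string] $ProjectFile,  # assumed: path to the .csproj
    [string] $SetupExe                                     # assumed: published setup.exe, optional
)
$ErrorActionPreference = 'Stop'

# Pull the two manifest-signing properties the answer refers to out of the project XML.
[xml] $proj = Get-Content -LiteralPath $ProjectFile -Raw
function Get-ProjectProperty([string] $Name) {
    $node = $proj.SelectSingleNode("//*[local-name()='$Name']")
    if ($node) { $node.InnerText.Trim() } else { '' }
}
$keyFile = Get-ProjectProperty 'ManifestKeyFile'
$thumb   = (Get-ProjectProperty 'ManifestCertificateThumbprint') -replace '[^0-9A-Fa-f]', ''

if (-not $keyFile) { Write-Warning 'Project has no <ManifestKeyFile> (step 3).' }
if (-not $thumb)   { throw 'Project has no <ManifestCertificateThumbprint>.' }

# The personal store is per account, so this only sees what the current user can sign with.
Write-Host "Account: $([Environment]::UserDomainName)\$([Environment]::UserName)"
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
if (-not $cert) { throw "Certificate $thumb is not in this account's personal store." }

$problems = @()
if (-not $cert.HasPrivateKey)      { $problems += 'no private key (only the public part was imported)' }
if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($cert.NotAfter)" }
# An EKU extension, when present, must list Code Signing (OID 1.3.6.1.5.5.7.3.3).
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -notcontains '1.3.6.1.5.5.7.3.3')) {
    $problems += 'Code Signing is not among the enhanced key usages'
}
if ($problems) { throw "Certificate $thumb cannot sign: $($problems -join '; ')" }
Write-Host "OK: $($cert.Subject) is usable for signing by this account."

# Optional: the check from step 6, scripted. Confirms setup.exe carries a valid signature from that cert.
if ($SetupExe) {
    $sig = Get-AuthenticodeSignature -FilePath $SetupExe
    if ($sig.Status -ne 'Valid') { throw "setup.exe signature status: $($sig.Status)" }
    if ($sig.SignerCertificate.Thumbprint -ne $thumb) { throw 'setup.exe was signed by a different certificate.' }
    Write-Host 'OK: setup.exe is signed by the expected certificate.'
}
```

Invoke it from a script task in the Bamboo plan so that it runs under the agent's account rather than an interactive login.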