I have a VSTO program in Visual Studio 2017. In order to make the install process run more smoothly when I publish via ClickOnce and host the files on the web, I bought an EV Certificate from DigiCert.
This is what I bought - https://www.digicert.com/code-signing/ev-code-signing/
So I waited a couple days, got my USB token, set everything up and now when I sign the app with my fancy new certificate... the install flat-out fails.
The error the user gets is:
Customized Functionality in this application will not work because the certificate used to sign the deployment manifest for AppName or its location is not trusted. Contact your administrator for further assistance.
I contacted DigiCert for tech support and they basically said that this is an error with Visual Studio 2017 and the Operating System.
I then called Entrust to see if they could confirm since they also have the EV Certificates: https://www.entrust.com/code-signing-certificates/#ev-code-signing-certificates
Turns out I guess until you buy one, they can't answer the question. They just kind of say "buy it and try it and if it doesn't work we'll give you your money back."
How is it possible that nobody knows how to sign an install from Visual Studio?
I would love to be able to sign this install and get it to work.
Click File, and then select Add/Remove Snap-in. Double-click Certificates, select My user account, click Finish, and then click OK.
After a lot of time spent on the phone with support at DigiCert, we finally figured out a process that works.
What is not immediately obvious in this case is that you end up doing a LOT of signing of code.
So when you build a VSTO application, you sign the code with the EV certificate. Then, when you want to publish (using ClickOnce) you will have to sign again.
But even after that, you have to then re-sign the setup file TWO MORE TIMES to get this all to work!
After spending a ton of time on this, I now have a batch file that does the final steps, including syncing the setup files up to Amazon S3 for deployment.
So here's how I do it:

1. Build (or Rebuild to be safe) and you will have to sign using the dongle.
2. Properties > Signing: confirm you have the correct certificate selected. If you skip this step, the app won't install.
3. Properties > Publish: make sure to set your publishing location and installation folders. I use Amazon S3 for the installation folder.
4. Publish Now. It will ask you to sign again.

Now, you would think at this point you'd be done... but you aren't.

5. You need a .p12 certificate. I contacted DigiCert support and they were able to give me one for free (prob just for a year) since I was having so many problems. This is different than the EV certificate.
6. With the .p12 certificate AND the EV, I run the following batch routine, which signs the setup.exe file TWICE (once with .p12 and then again with the EV) and also pushes up to Amazon S3.

Here's my SignDeploy.bat file:
@echo off
cls
echo Signing setup.exe with .p12 Certificate File
REM First signature: .p12 file, SHA-256 file digest, RFC 3161 timestamp with SHA-256 digest
"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f [LOCATION OF P12 FILE] /p [PASSWORD] [LOCATION OF SETUP.EXE]
if errorlevel 1 echo signtool failed on the .p12 signature & pause & exit /b 1
pause
echo Signing setup.exe with EV Certificate from Store
REM Second signature: EV certificate picked from the certificate store by its SHA-1 thumbprint (the token prompts for its PIN)
"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /sha1 [EV HASH FROM DIGICERT] [LOCATION OF SETUP.EXE]
if errorlevel 1 echo signtool failed on the EV signature & pause & exit /b 1
pause
echo Dry run on syncing files up to S3
aws s3 sync [LOCAL DEPLOYMENT FOLDER] [S3 BUCKET AND FOLDER LOCATION] --acl public-read --dryrun
REM "echo." prints a blank line; a bare "echo" would print "ECHO is off."
echo.
echo If that worked, it's time to send them up for real.
echo Control-C to stop now, or...
pause
aws s3 sync [LOCAL DEPLOYMENT FOLDER] [S3 BUCKET AND FOLDER LOCATION] --acl public-read
pause
After all this (I think you end up typing your EV certificate password 3 times total) a user who downloads setup.exe
from the specified location (must be the same as indicated in your app) will be able to install and run your VSTO application.
There are other problems we have run into along the way with the installation process on the client side, but using the above process solves the issue with signing.
I won't pretend to understand why this needs to be signed so many times, nor does it make sense that this doesn't all work smoothly from inside Visual Studio. DigiCert tried to have me use Build Events to do this, but it doesn't work because those processes run on either side of the BUILD, not the PUBLISH. What we'd need are Publish Events, which I don't think exist.
I have explored the idea of a longer, more involved command-line process using MsBuild.exe, but it's difficult to do the "Automatically increment revision with each release" part that way.
Maybe someone here has an idea how to set that up. My process is still a bit manual, but it seems to work reliably at this point so I'm not inclined to mess with it too much.
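As an added example (not the answer author's batch file), the same signing and upload flow in PowerShell, with two changes a defender would want: the second signtool run uses /as so the EV signature is appended rather than replacing the .p12 one, and every signature is verified against the trusted-root policy before anything is synced. The signtool path and timestamp URL are the ones from the answer; every other path, the thumbprint and the bucket are placeholders.

```powershell
# Added example, not the answer author's script. Assumes the Windows 10 SDK signtool path
# and the DigiCert timestamp URL from the answer; all other values are placeholders.
$SignTool  = "C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe"
$Timestamp = "http://timestamp.digicert.com"
$SetupExe  = "C:\Deploy\setup.exe"          # placeholder: ClickOnce bootstrapper
$P12File   = "C:\Certs\clickonce.p12"       # placeholder: the non-EV .p12 file
$EvThumb   = "0000000000000000000000000000000000000000"  # placeholder: EV cert SHA-1 thumbprint
$DeployDir = "C:\Deploy"                    # placeholder: local publish folder
$S3Target  = "s3://example-bucket/vsto/"    # placeholder: bucket and prefix

function Invoke-SignTool {
    param([string[]]$SignArgs)
    & $SignTool @SignArgs
    if ($LASTEXITCODE -ne 0) { throw "signtool $($SignArgs[0]) failed with exit code $LASTEXITCODE" }
}

# Prompt for the .p12 password rather than hard-coding it. Note that signtool still
# receives it on its command line, exactly as the batch file does.
$secure  = Read-Host -AsSecureString -Prompt "Password for $P12File"
$bstr    = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$p12Pass = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 1. Primary signature with the .p12 file: SHA-256 file digest, RFC 3161 timestamp.
Invoke-SignTool @('sign', '/tr', $Timestamp, '/td', 'sha256', '/fd', 'sha256',
                  '/f', $P12File, '/p', $p12Pass, $SetupExe)

# 2. Second signature with the EV certificate from the token (selected by thumbprint).
#    Without /as a second 'sign' replaces the first signature; /as appends it.
Invoke-SignTool @('sign', '/as', '/tr', $Timestamp, '/td', 'sha256', '/fd', 'sha256',
                  '/sha1', $EvThumb, $SetupExe)

# 3. Verify every signature chains to a trusted root before publishing
#    (/pa = Authenticode policy, /all = check each signature, not just the primary).
Invoke-SignTool @('verify', '/pa', '/all', '/v', $SetupExe)

# 4. Dry run first, then the real sync, using the same flags as the answer.
aws s3 sync $DeployDir $S3Target --acl public-read --dryrun
if ($LASTEXITCODE -ne 0) { throw "aws s3 sync dry run failed" }
if ((Read-Host "Type YES to upload for real") -ne 'YES') { return }
aws s3 sync $DeployDir $S3Target --acl public-read
if ($LASTEXITCODE -ne 0) { throw "aws s3 sync failed" }
```

If step 3 fails on a machine where the EV root is not installed, that is the same trust problem the question's error message describes, caught before users see it.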