Question

All right, I'm not doing something right, and I need some help. Here's what's happening:

  1. I have a "real" Authenticode certificate from Comodo that I have paid for.
  2. I'm trying to sign and deploy a WPF application written in Visual Studio 2012 and .NET 4.5.
  3. In the properties of the project, I have checked "Sign the ClickOnce manifests" and have chosen my certificate.
  4. I'm also using Comodo's timestamp server (http://timestamp.comodoca.com/authenticode).
  5. In the Publish tab and under the Prerequisites button, I have checked "Create setup program to install prerequisite components".

When I build and publish, everything works! The setup.exe is signed with my Comodo certificate, so that's good. Also, the .application file is signed with the Comodo certificate and my company name shows as the publisher -- this is also good.

Here comes the problem: Once the application is downloaded to the client, Windows 8 throws up a warning about an untrusted program (MyProgram.exe) and the publisher is not my company name. So, everything is getting signed except for the actual executable.

I've tried adding a post-build script that uses signtool.exe on obj\Release\MyProgram.exe, but when I try to install the application, I get a manifest error stating that the hash values don't match. In other words, the manifest is getting generated before the post-build event.

How do I sign my .exe and maintain the ClickOnce manifest's integrity? Is there a simple way to do this or do I have to use mage.exe on every file, by hand (I hope not)?

Solution

Well, no one has jumped on this, but thankfully, I figured it out!

Thanks to this question: "File has a different computed hash than specified in manifest" error when signing the EXE

I was able to edit the project file's XML (Unload the project, then choose "Edit myproject.csproj") and added:

    <!-- Sign the compiled EXE right after CoreCompile, before the ClickOnce manifest hashes it -->
    <Target Name="SignOutput" AfterTargets="CoreCompile">
      <PropertyGroup>
        <TimestampServerUrl>http://timestamp.comodoca.com/authenticode</TimestampServerUrl>
        <ApplicationDescription>My Project Friendly Name</ApplicationDescription>
        <!-- /n selects the signing certificate by subject name -->
        <SigningCertificateCriteria>/n MyCertName</SigningCertificateCriteria>
      </PropertyGroup>
      <ItemGroup>
        <!-- The intermediate EXE in obj\, which is the copy the manifest is generated from -->
        <SignableFiles Include="$(ProjectDir)obj\$(ConfigurationName)\$(TargetName)$(TargetExt)" />
      </ItemGroup>
      <GetFrameworkSdkPath>
        <Output TaskParameter="Path" PropertyName="SdkPath" />
      </GetFrameworkSdkPath>
      <Exec Command="&quot;$(SdkPath)bin\signtool&quot; sign $(SigningCertificateCriteria) /d &quot;$(ApplicationDescription)&quot; /t &quot;$(TimestampServerUrl)&quot; &quot;%(SignableFiles.Identity)&quot;" />
    </Target>

I had to move the signtool.exe file into the SDK folder (C:\Program Files (x86)\Microsoft SDKs\Windows\v8.0A\bin, in my case), but after that it worked like a charm!

I hope this helps someone else in the future.
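
The hash mismatch described in the question can be checked before deployment. The following is an added example, not code from the original post: it reads the file digests recorded in a ClickOnce application manifest and recomputes them from disk, so an EXE that was signed after manifest generation shows up as a mismatch. The manifest is a constructed, trimmed sample, the EXE is a stand-in byte string, and the function names are this example's own.

```python
import base64, hashlib, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

ASM2 = "{urn:schemas-microsoft-com:asm.v2}"
DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
# The manifest's Identity transform means the digest covers the raw file bytes.
DIGESTS = {"http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1,
           "http://www.w3.org/2000/09/xmldsig#sha256": hashlib.sha256}
PATH_ATTR = {ASM2 + "dependentAssembly": "codebase", ASM2 + "file": "name"}

def manifest_entries(manifest_xml):
    """Yield (relative_path, algorithm_uri, base64_digest) for each hashed file."""
    for el in ET.fromstring(manifest_xml).iter():
        attr, h = PATH_ATTR.get(el.tag), el.find(ASM2 + "hash")
        if attr is None or h is None or el.get(attr) is None:
            continue  # prerequisite assemblies carry no file hash
        yield (el.get(attr), h.find(DSIG + "DigestMethod").get("Algorithm"),
               h.find(DSIG + "DigestValue").text.strip())

def b64_digest(path, alg_uri):
    return base64.b64encode(DIGESTS[alg_uri](Path(path).read_bytes()).digest()).decode()

def find_mismatches(manifest_xml, base_dir):
    """Return the manifest paths whose on-disk digest differs from the recorded one."""
    return [rel for rel, alg, want in manifest_entries(manifest_xml)
            if b64_digest(Path(base_dir, *rel.split("\\")), alg) != want]

# Constructed, heavily trimmed manifest; real ones carry identity and size attributes.
SAMPLE = """<asmv1:assembly xmlns="urn:schemas-microsoft-com:asm.v2"
 xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dependency><dependentAssembly codebase="MyProgram.exe"><hash>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<dsig:DigestValue>{digest}</dsig:DigestValue>
</hash></dependentAssembly></dependency></asmv1:assembly>"""

def demo():
    """Hash a stand-in EXE into the manifest, then modify it as late signing would."""
    exe = Path(tempfile.mkdtemp(), "MyProgram.exe")
    exe.write_bytes(b"MZ constructed stand-in for the compiled EXE")
    manifest = SAMPLE.format(digest=b64_digest(exe, "http://www.w3.org/2000/09/xmldsig#sha1"))
    before = find_mismatches(manifest, exe.parent)
    # Stand-in for signtool embedding a signature after the manifest was generated
    exe.write_bytes(exe.read_bytes() + b"constructed signature bytes")
    return before, find_mismatches(manifest, exe.parent)

if __name__ == "__main__":
    print(demo())
```

Run against a real publish folder, `find_mismatches` takes the text of the `.exe.manifest` file and the directory that holds the published files.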

Licensed under: CC-BY-SA with attribution