Using Authenticode with a ClickOnce WPF application

All right, I'm not doing something right, and I need some help. Here's what's happening:

  1. I have a "real" Authenticode certificate from Comodo that I have paid for.
  2. I'm trying to sign and deploy a WPF application written in Visual Studio 2012 and .NET 4.5.
  3. In the properties of the project, I have checked "Sign the ClickOnce manifests" and have chosen my certificate.
  4. I'm also using Comodo's timestamp server (http://timestamp.comodoca.com/authenticode)
  5. In the Publish tab and under the Prerequisites button, I have checked "Create setup program to install prerequisite components".

When I build and publish, everything works! The setup.exe is signed with my Comodo certificate, so that's good. Also, the .application file is signed with the Comodo certificate and my company name shows as the publisher -- this is also good.

Here comes the problem: Once the application is downloaded to the client, Windows 8 throws up a warning about an untrusted program (MyProgram.exe) and the publisher is not my company name. So, everything is getting signed except for the actual executable.

I've tried adding a post-build script that uses signtool.exe on obj\Release\MyProgram.exe, but when I try to install the application, I get a manifest error stating that the hash values don't match. In other words, the manifest is getting generated before the post-build event.

How do I sign my .exe and maintain the ClickOnce manifest's integrity? Is there a simple way to do this or do I have to use mage.exe on every file, by hand (I hope not)?

Jason Williams asked Jan 10 '13 05:01

1 Answer

Well, no one has jumped on this, but thankfully, I figured it out!

Thanks to this question: "File has a different computed hash than specified in manifest" error when signing the EXE

I was able to edit the project file's XML (unload the project, then choose "Edit myproject.csproj") and add:

  <!-- Runs right after the compiler writes the exe to obj\, before the ClickOnce
       manifests are generated, so the manifest hashes the already-signed file. -->
  <Target Name="SignOutput" AfterTargets="CoreCompile">
    <PropertyGroup>
      <TimestampServerUrl>http://timestamp.comodoca.com/authenticode</TimestampServerUrl>
      <ApplicationDescription>My Project Friendly Name</ApplicationDescription>
      <!-- /n picks the certificate by subject name from the current user's store -->
      <SigningCertificateCriteria>/n MyCertName</SigningCertificateCriteria>
    </PropertyGroup>
    <ItemGroup>
      <!-- The exe in obj\<Configuration>\ is what the manifest generator hashes -->
      <SignableFiles Include="$(ProjectDir)obj\$(ConfigurationName)\$(TargetName)$(TargetExt)" />
    </ItemGroup>
    <GetFrameworkSdkPath>
      <Output TaskParameter="Path" PropertyName="SdkPath" />
    </GetFrameworkSdkPath>
    <Exec Command="&quot;$(SdkPath)bin\signtool&quot; sign $(SigningCertificateCriteria) /d &quot;$(ApplicationDescription)&quot; /t &quot;$(TimestampServerUrl)&quot; &quot;%(SignableFiles.Identity)&quot;" />
  </Target>

I had to move the signtool.exe file into the SDK folder (C:\Program Files (x86)\Microsoft SDKs\Windows\v8.0A\bin, in my case), but after that it worked like a charm!

I hope this helps someone else in the future.

Jason Williams answered Oct 19 '22 08:10
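After publishing with the target above, it is worth confirming two things before shipping: that setup.exe and the application exe both carry the publisher's signature, and that the digest recorded in the application manifest matches the exe that actually ships (a mismatch is exactly what produces the "different computed hash" install error from the question). The PowerShell script below is an added check written for this page; it is not code from the question or the answer. It assumes the default Visual Studio publish layout (setup.exe, Application Files\<App>_<version>\<App>.exe.deploy and <App>.exe.manifest), that the manifest records the exe under a dependentAssembly element with a codebase of "<App>.exe" and a dsig:DigestValue, and that $PublishDir, $AppName and $ExpectedSubject (a -like wildcard pattern against the certificate subject) are supplied by the caller.

```powershell
# Added post-publish verification for a ClickOnce output folder (not part of
# the original question or answer). Assumptions: default VS publish layout,
# ".deploy" suffix on payload files, and a manifest that lists the exe as
# <dependentAssembly codebase="<App>.exe"> with a <dsig:DigestValue>.
param(
    [Parameter(Mandatory = $true)] [string] $PublishDir,       # placeholder, e.g. C:\publish
    [Parameter(Mandatory = $true)] [string] $AppName,          # placeholder, e.g. MyProgram
    [Parameter(Mandatory = $true)] [string] $ExpectedSubject   # placeholder, e.g. "CN=My Company*"
)

$ErrorActionPreference = 'Stop'
$failures = 0

# Returns $true only if the file has a valid Authenticode signature whose
# certificate subject matches the expected publisher pattern.
function Test-Signature {
    param([string] $Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path : signature status is $($sig.Status)"
        return $false
    }
    if ($subject -notlike $ExpectedSubject) {
        Write-Warning "$Path : signed by '$subject', expected '$ExpectedSubject'"
        return $false
    }
    Write-Host "$Path : valid, signed by $subject"
    return $true
}

# 1. The bootstrapper must carry the publisher's signature.
if (-not (Test-Signature (Join-Path $PublishDir 'setup.exe'))) { $failures++ }

# 2. Locate the newest "Application Files\<App>_<version>" folder.
$verDir = Get-ChildItem (Join-Path $PublishDir 'Application Files') -Directory |
          Where-Object Name -like "${AppName}_*" |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $verDir) { throw "No 'Application Files\${AppName}_*' folder under $PublishDir" }

# The payload is normally renamed <App>.exe.deploy; fall back to the bare .exe.
$exe = Join-Path $verDir.FullName "${AppName}.exe.deploy"
if (-not (Test-Path $exe)) { $exe = Join-Path $verDir.FullName "${AppName}.exe" }
$manifest = Join-Path $verDir.FullName "${AppName}.exe.manifest"

# 3. The application exe itself must be signed (the part the question was missing).
if (-not (Test-Signature $exe)) { $failures++ }

# 4. The digest stored in the manifest must match the file that ships; otherwise
#    ClickOnce refuses the install with a "different computed hash" error.
[xml] $xml = Get-Content -Raw -Path $manifest
# local-name() sidesteps the asm.v1 / asm.v2 / dsig namespace prefixes.
$node = $xml.SelectSingleNode("//*[local-name()='dependentAssembly' and @codebase='${AppName}.exe']")
if (-not $node) { throw "Manifest has no dependentAssembly entry for ${AppName}.exe" }
$algUri   = $node.SelectSingleNode(".//*[local-name()='DigestMethod']").GetAttribute('Algorithm')
$algName  = if ($algUri -match 'sha256') { 'SHA256' } else { 'SHA1' }   # .NET 4.5 manifests use SHA-256
$recorded = $node.SelectSingleNode(".//*[local-name()='DigestValue']").InnerText.Trim()

# The manifest uses the identity transform, so the digest is over the raw file bytes.
$hasher = [System.Security.Cryptography.HashAlgorithm]::Create($algName)
$actual = [Convert]::ToBase64String($hasher.ComputeHash([IO.File]::ReadAllBytes($exe)))
if ($actual -ne $recorded) {
    Write-Warning "$manifest : recorded $algName digest $recorded, but $exe hashes to $actual"
    $failures++
} else {
    Write-Host "$manifest : $algName digest matches $exe"
}

if ($failures -gt 0) { Write-Warning "$failures check(s) failed"; exit 1 }
Write-Host 'All checks passed'
```

Run it as `.\Verify-ClickOncePublish.ps1 -PublishDir C:\publish -AppName MyProgram -ExpectedSubject "CN=My Company*"` (file name chosen here). If the exe signature check passes but the digest check fails, signing happened after manifest generation, which is the ordering problem the AfterTargets="CoreCompile" target in the answer fixes; if the exe shows no signature at all, the target did not run or signtool could not find the certificate named in SigningCertificateCriteria.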