VS2012 .NET 4.0 Clickonce VSTO CryptographicException: SignatureDescription could not be created for the signature algorithm supplied

Question

I have a VS2010 .NET 4.0 VSTO Outlook Addin project that I wish to migrate to VS2012 (but keep it in .NET 4.0). It compiles fine, and runs from inside the IDE just fine, but when I attempt to run the published ClickOnce installer, I get the following exception:

System.Deployment.Application.InvalidDeploymentException: Exception reading manifest from file://MyPath/MyAddIn.vsto: the manifest may not be valid or the file could not be opened. ---> System.Deployment.Application.InvalidDeploymentException: Manifest XML signature is not valid. ---> System.Security.Cryptography.CryptographicException: SignatureDescription could not be created for the signature algorithm supplied.

Based on my tests and online research (here and there), it appears that just having VS2012 installed on my machine (whether I publish from VS2010 or VS2012) forces the ClickOnce installer to require a SHA1 certificate when using .NET 4.0. My existing SHA256 certificate works perfectly fine with .NET 4.0 when compiled using VS2010 (without VS2012 installed).

• I can't upgrade clients to .NET 4.5 because this is a VSTO40 project (runs on XP/Office 2007).
• I can't uninstall VS2012/.NET 4.5 on local machine because I have other projects that need it.
• I can't easily downgrade my certificate from SHA256 to SHA1.

Are there any other suggestions to allow me to move forward?

Answer 1

I had this exact same error message and was using VS 2013, .NET 4.5, and signing everything correctly with SHA256.

Finally, I found that an older version of VSTO 2010 Runtime was installed (10.0.40303). Once we updated it to 10.0.40820 everything worked fine. Really hope this helps someone, drove me absolutely bonkers for days trying to figure out what was going on.

Answer 2

I solved my problem by creating a new certificate that is used to sign the ClickOnce manifest and generated it using the SHA1 algorithm. You can see the conversation here: http://social.msdn.microsoft.com/Forums/en-US/winformssetup/thread/eba424ae-f7b7-4530-bb68-db3b9972a31e

Edit 2014-Aug-05:
Visual Studio 2013 Update 3 finally fixes this problem.
http://support.microsoft.com/kb/2933779
From Fixed Issues -> General:

You can use SHA 256 code-signing certificates even for applications that target the .NET Framework 4.0 or an earlier version. Before this update, the .NET Framework 4.5 had to be present on the client computer when a SHA 256 code-signing certificate was used for desktop applications published with ClickOnce or Visual Studio Tools for Office add-ins. If you have used SHA 256 code-signing certificates in the past, and have seen errors such as "The application is improperly formatted," "The manifest may not be valid," "Manifest XML signature is not valid," or "SignatureDescription could not be created for the signature algorithm supplied," this update resolves the problem for re-published and newly-published applications.

Answer 3

Same with Visual Studio 2012 RTM. When i deploy the application in a clean Windows 7 ultimate machine i have "SignatureDescription could not be created for the signature algorithm supplied" Exception. Problem solved after the installation of .Net Framework 4.5 on the deployment machine.