I am trying to publish a small Microsoft Office customization using Visual Studio 2013. I purchased a code-signing certificate from GoDaddy (issued by Starfield Technologies) and used it to sign the program. However, when a user tries to install the ClickOnce Manifest, they get the following error:
Customized functionality in this application will not work because the
certificate used to sign the deployment manifest for RiskMP or its
location is not trusted. Contact your administrator for further
assistance.
The program is being downloaded from the same server from which the private key was generated and the same URL that was specified in the publish.
The only solution I have found so far is to add the URL to the list of trusted sites in IE internet options, but this isn't a very good solution as it requires a lot of steps on the part of the user. I'd like to simplify this installation as much as possible. Any help is greatly appreciated.
Related
So I built an Outlook VSTO Add-in, and in visual studio on the signing page selected a valid certificate which was bought from a Cert Authority. When I publish the add-in, it all works fine and the installer is trusted.
Here's where it gets weird - When I zipped and emailed it to a colleague they found that the application had an unknown publisher. So I downloaded it from the email I sent them on my pc (the one I built the app with) and sure enough the certificate seemed to be untrusted. Zipping and unzipping the files that I already had locally worked fine and the app was trusted, but the exact same file taken from my email is untrusted.
I'm completely baffled, don't even know how to start googling this issue - anyone got any ideas?
Figured out the answer for anyone else that runs into this problem.
The hash used by VS when creating a clickonce application is SHA1 (yes, even with VS2019), but SHA1 was depreciated by MS in 2017, meaning anything signed using it is not trusted by later versions of office. Thus you have to publish an unsigned clickonce application with Visual Studio, and then use the "Developer Command Prompt for VS" to sign the .exe with the cert using SHA265.
I want to add a desktop (WPF) application to the Windows Store using the Desktop Bridge (MakePri, MakeAppx). I have tested my build process using a self-sign certificate and all is well.
However, I cannot find any information stating whether I need an Extended Validation (EV) certificate or if an Organization validated (OV) certificate is sufficient. I know an OV certificate can cause SmartScreen warnings for installer .msi packages.
I also found old links (relating to Windows 8 apps) which say that the store does not use SmartScreen. But I cannot find anything relating to Windows 10 desktop apps packaged via the Desktop Bridge.
Will an OV certificate cause SmartScreen warnings when my converted application is downloaded from the store?
You don't need to use a valid certificate to publish your app to the Store. You just need to sign it with a test certificate. When you upload it to dev. center, it will be signed by Microsoft to be distributed through the Store.
I couldn't find a documentation that clarifies this, just saying it by my own experience. There are some notes here:
To test your app in a realistic setting as you prepare for
distribution, it's best to sign your app and then install it.
Visual Studio signs your app by using a test certificate. You'll find
that certificate in the output folder that the Create App Packages
wizard generates. The certificate file has the .cer extension and
you'll have to install that certificate into the Trusted Root
Certification Authorities store on the PC that you want to test your
app on.
Also if you use the new update of Visual Studio, you can create Desktop Bridge apps and publish them to the Store entirely through Visual Studio using the Windows Application Package project. It means you don't need to manually pack and sign it, VS does it for you.
Edit
Your users do not see an Smart Screen anyways. It makes sense since your app cannot run with administrator privileges. If your app needs a functionality that requires admin privileges, you need to consider it before moving forward.
I have an application in a test environment and when I install it in my computer all work correctly, but when others users installs it some of them works and others fails. When it fails, it displays this error: customized functionality in this application will not work because the certificate used to sign the deployment manifest for appname o its locations is not trusted. Contact your administrators for further assistance.
In addition, I created a test certificate, using visual studio 2015, to sing the application. The application is an add-in using VSTO.
The app is downloaded from a web server into my company, also it uses two web services.
Here is a photo of the error
Get a proper certificate or install the certificate you used onto the computers that you want this app to trust. The whole concept of having to sign the cert is to prevent accidental installations of untrusted applications. In order for that to work the machines you're installing to need to first trust the cert.
You will need a Code Signing certificate and sign the Click-Once package using that cert. You may still need to distribute the trusted cert to the machines somehow (depending on how those are setup).
Using VS2013 and Windows 8.1
I have a .cer and .pfx file bought from Verisign. I am new to store apps. I have couple of questions
What is the difference between signing the package and code signing (done using the VS 2013 packaging tab of Package.appxmanifest) -
my understanding so far
(a) I guess this is similar to using signtool.exe tool right?
(b) both will install the public key(.cer) to certificate store(mmc) and sign the appx with private key(.pfx) so i would need to manually install .cer file in the live machines inorder to install my app?
(c) Code is signing is done in order to ensure the code has not been tampered with but do we need to do this for all main store app and other components used part of dfferent project (.dll)
Do we need both package and code signing inorder to publish store apps on client machine?
I can't use the same .pfx used for package signing for code signing because of some chaining information. Is this how it is supposed to used different .pfx for both is this a normal way?
For the regular Windows Store apps:
You don't need to sign windows store apps manually.
No. Windows Store will sign the package automatically.
Code signing is for Windows Classic apps or drivers and not for Windows Store apps.
For the sideloaded apps:
Windows store enterprise apps can be signed by any certification authority that is trusted on your PCs (where the app will be installed). It's better to sign with visual studio. There is documantation for an exact procedure.
If you will sign with Verisign certificate, you don't need to install anything except the app, because verisign root is already trusted in Windows. Visual studio signs only application package.
I am looking to release an excel addin I built on my website, which the user's will download and install. It also has an auto update feature.
My problem is when the auto update feature runs it is not allowed save files to the user's machine because I dont have any code signing certificate I assume.
So, right now I am looking for a trial version of code signing certificate.
Does any one know about these things ?
Thanks in advance !!!
You can use SSL certificate. There are millions of SSL certificates available for free and trial version in the market. Google for SSL certificates.