How to sign assembly and exe files in the installer package? - windows

I've made an application with a test certificate and an installer (with InstallShield Limited Edition).
In the signing options of my project I've chosen the options:
* Sign the ClickOnce manifests,
* Sign the assembly.
In the installer project, in the Signing tab, I've chosen the same digital certificate file, entered the password, and selected the option to sign output files: Setup.exe and Windows Installer Package.
The option Sign Files in Package is not available. So after installing my program, only Setup.exe and the msi file are signed. How can I get the other exe files and assemblies digitally signed?

If you are referring to the assemblies you are installing, you need to sign them before building the installer. Visual Studio can sign, or you can set up a post-build step to sign them manually with signcode.
I recommend Visual Studio.
http://msdn.microsoft.com/en-us/library/9sh96ycy(v=vs.80).aspx
http://msdn.microsoft.com/en-us/library/ms247123(v=vs.90).aspx
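
A post-build signing step of the kind the answer describes, as an added example (not code from the original answer). It uses signtool, which appears elsewhere on this page, rather than signcode; the build folder, PFX file name, environment variable and timestamp URL are placeholders.

```powershell
# Added example: sign every unsigned EXE/DLL in the build output before the
# installer project packages it. Paths, the PFX name, the environment variable
# and the timestamp URL are placeholders (assumptions), not values from the page.
param(
    [string]$BuildOutput  = '.\bin\Release',                # folder the installer picks files from (assumed)
    [string]$PfxPath      = '.\codesign.pfx',               # code-signing certificate (assumed)
    [string]$TimestampUrl = 'http://timestamp.example.com', # placeholder: your CA's RFC 3161 URL
    [string]$SignTool     = 'signtool.exe'                  # on PATH, or give a full path
)

$ErrorActionPreference = 'Stop'

# Read the password from the environment so it is not stored in the project file.
$pfxPassword = $env:CODESIGN_PFX_PASSWORD
if (-not $pfxPassword) { throw 'Set CODESIGN_PFX_PASSWORD before running.' }

$targets = Get-ChildItem -Path $BuildOutput -Recurse -File -Include *.exe, *.dll

foreach ($file in $targets) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($sig.Status -eq 'Valid') {
        # Already carries a trusted signature (for example a vendor DLL): leave it alone.
        Write-Host "already signed: $($file.Name)"
        continue
    }

    # /fd selects the file digest; /tr and /td add an RFC 3161 timestamp so the
    # signature still verifies after the certificate expires.
    & $SignTool sign /f $PfxPath /p $pfxPassword /fd SHA256 /tr $TimestampUrl /td SHA256 $file.FullName
    if ($LASTEXITCODE -ne 0) { throw "signtool failed for $($file.FullName)" }
}

# Gate the installer build: stop if any binary is still not validly signed.
$bad = $targets | Where-Object {
    (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid'
}
if ($bad) {
    $bad | ForEach-Object { Write-Warning "not validly signed: $($_.FullName)" }
    exit 1
}
Write-Host "All $($targets.Count) binaries carry a valid Authenticode signature."
```

Run it after compilation and before the installer project builds. With a test certificate the final check reports `Valid` only if that certificate's issuer is trusted on the build machine.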

Related

ClickOnce application signed with purchased CA shows "Unknown Publisher"

I know this question has been asked a lot. I already tried many of the solutions in other questions, but it is not working.
The application target framework is 4.5.2.
I'm working on Windows 7 with Visual Studio Community 2017.
The certificate is a code signing certificate from Sectigo. Standard version (not EV).
I'm using the Signing tab on Project properties to sign the application.
I'm publishing to a folder on my machine; after that I upload the published files to a web server.
When I check the properties of the setup.exe and myApp.exe, both are signed and timestamped correctly, or at least it seems so.
Also, the myApp.application file in \path\publish_folder\, the \path\publish_folder\Application Files\myApp_1_0_0_0\myApp.application file and the \path\publish_folder\Application Files\myApp_1_0_0_0\myApp.exe.manifest have the <publisherIdentity> tag that matches with the certificate.
Everything seems good, even when I download the application and run the setup.exe I get the following warning, which is ok:
When setup.exe is executed the publisher is presented right, but after setup.exe calls myApp.application it shows this warning with "Unknown Publisher", and that is the problem:
I tried installing the certificate in the "Trusted Root Certification Authorities" store, as well as in the "Trusted Publishers" store and in the "Personal" store, and published the application again, but the same thing happens.
Other questions said that the Visual Studio Signing tab only signs the manifest but not the executable; as you can see, this is not my case (setup.exe and myApp.exe have the digital signatures correctly), but even so I decided to try signing using the signtool sign command (C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe) and build/publish events as these answers proposed, without luck:
.NET ClickOnce Signing results in "Unknown Publisher"
https://robindotnet.wordpress.com/2013/02/24/windows-8-and-clickonce-the-definitive-answer-2/
I think the only thing I'm missing to try is the "sign assembly" option (checkbox in Signing tab in Visual Studio), but when I do it the first time I get the error:
Cannot import the following key file: myKey.pfx. The key file may be password protected. To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key container name: VS_KEY_5578EF228F7A794C myApp
Then the second time I try I get this error:
Error importing key: An attempt was made to reference a token that does not exist
I signed the application and made the publish using Visual Studio Professional 2019 and it worked. Now it still shows the warning but with the publisher correctly in both warnings.

Cannot sign Click Once manifest with code signing certificate via VS options or using signtool

I have a C# Visual Studio 2013 solution (FindAlike) consisting of a number of projects. One of these projects (SimilarFiles) is a class library, including an AddIn Express component, as it implements an MS Office Add-in. When I publish the project as a ClickOnce installer an MS Add-in, a folder is created in the project's Publish folder with the version number of the project containing many files with extension .deploy. Also in the folder above are a file called findalike.application and one called setup.exe. If I copy the contents of the Publish folder to a new machine I can install the MS Add-in by clicking on findalike.application, but I receive a warning about an unknown publisher. If I confirm installation it proceeds satisfactorily.
I have a valid code signing certificate purchased from Comodo, which I use successfully with SignTool to sign a Windows Forms self-extracting installer from another project in the solution.
The option to sign the ClickOnce Manifest in the SimilarFiles project is greyed out, presumably because SimilarFiles is a class library project.
I can specify a code signing certificate by right-clicking on the SimilarFiles project and hovering over the Add-in Express entry and then selecting Signing Options, but the warning message still appears when I attempt the installation on a new machine.
How can I use the code signing certificate in order to indicate to the ClickOnce installer on the new machine that the manifest is signed?
Signtool does not work on the setup.exe file, stating that it is not a valid Windows executable. Neither does it work on findalike.application.
There is a Signing area on the VS Publish form which I'd missed. If I browse for my Code Signing Certificate (.pfx extension) and select SHA-1 only it signs OK, and install proceeds without warning. Thanks to Add-In Express for this solution.

Proper way to sign and install an Office add-in

I have tried the following on a C#-based Outlook addin called myaddin following this article:
mage -update myaddin.manifest -certfile mycert.pfx
mage.exe -update myaddin.vsto -appmanifest myaddin.manifest -certfile mycert.pfx
I can install it by manually creating registry keys that specify the path to myaddin.vsto with the supplied |vstolocal suffix under Software\Microsoft\Office\Outlook\Addins\myaddin and it works to install and run myaddin that way, however, some customers complain that when they run Outlook it starts the ClickOnce installer for myaddin.vsto and gives an error, but this should not happen with |vstolocal.
I was able to reproduce this problem by double-clicking myaddin.vsto, so I checked the myaddin.dll.manifest file and saw that there was a ClickOnce developer certificate referenced there. Could it have been confusing Outlook? I was able to get rid of this ClickOnce developer certificate reference by using a newer .NET 4.5 version of mage.exe to update the manifest. Now, if I double-click myaddin.vsto, it says that the publisher is not verified and gives me an install button.
Is this the proper way to go about the signing process and the installation process of an Office addin? Why does it complain that the publisher is not valid?
What is the version of VSTO on your development machine?
Ensure that it is at least 10.0.50903.

Password seems not to protect a pfx file

I created a new pfx file for signing assemblies, using Visual Studio's (2010) automated "new" option. I then copied it to another project - and it doesn't prompt me for a password. I checked, and the assembly is signed.
So it seems that anyone who has the file can sign assemblies with it. Or is there a way to secure it?

Make Trusted MSI Setup Project in Visual Studio?

I have both VS2008 and VS2010 Setup projects that create .MSI files. On server 2008, I get warnings that the apps are not "trusted". How can I bake-in trust for the apps I build with Visual Studio?
Thanks.
I think they have to be digitally signed.
You need to get a software publisher certificate to sign your msi with. You can purchase one from Verisign or GoDaddy.com or others.
Here is a link to one option: http://www.godaddy.com/ssl/code-signing-certificate.aspx
