
ClickOnce, signing manifests, and certification paths

I am attempting to set up an application for deployment via ClickOnce from a website, and apparently am unable to get ClickOnce to correctly sign the manifests.

I obtained a certificate through Thawte. To verify everything was okay with the .pfx file, I created a simple executable, used SignTool with the /f switch to specify the .pfx file to sign it, and then ran it from the web in a test environment. The dialog box asking whether I wanted to run it or not was able to correctly identify my company as the publisher, and in the certificate details dialog, under certification path, it correctly displayed:

Thawte Premium Server CA
Thawte Code Signing CA
My Company LLC


I then created a test application to deploy using ClickOnce, checked 'sign the ClickOnce manifests' on the signing tab in project properties, clicked the 'select from file' button, and chose the same file as used in the previous test. I then published the application and attempted to install it using the same test machine as the previous step. This time, the dialog box asking me whether I wanted to run it or not also seemed to correctly identify my company as the publisher, but when I clicked the hotlink on my company's name, the certificate dialog said "Windows does not have enough information to verify this certificate." On the certification path tab, the two entries for Thawte were missing, and it only showed my company's name with a yellow warning triangle.

I tried repeating the deployment process manually using the instructions for mageui and the walkthrough, and had the same result -- the certificate which worked fine in the first test case seems to be unable to chain back to the root authority when used with ClickOnce.

Has anyone seen anything like this or have any ideas for workarounds/fixes?

Fred h  Wednesday, March 22, 2006 11:21 PM
I am having the same issue with Thawte Code Signing CA.

Wondering whether there is a resolution to the issue, or if I have to purchase a certificate from VeriSign?

Is anybody reading this thread?
Stoyan Krastev  Saturday, January 10, 2009 3:02 PM
I'm not really certain what your problem is, and why the original post used the SignTool.

First, did you get a pfx file from Thawte, or was it cer and pvk files? If cer and pvk, you can convert these to pfx (look for pvk2pfx I think it was called).

Then in Visual Studio, go into the Signing tab for your main project and select that pfx file. It will add it to the project.

Then deploy your application.

It really should be that simple. If it's not, then you need to talk to Thawte.

RobinS.
GoldMail.com
Ts'i mahnu uterna ot twan ot geifur hingts uto.
RobinDotNet  Sunday, January 11, 2009 10:19 PM
Robin, thanks for your reply.

Before posting this issue I tried all the possible combinations of signing the manifest. I have also tried all the KB recommendations from Thawte and Microsoft. So here is a summary of what I found:

1. The certificate is perfect. It includes the correct chain of certificates. All are verifiable. The chain is as described above: Thawte Premium Server CA, Thawte Code Signing CA, then My Company LLC.

2. The signing of the add-in is really simple and is conducted in perfect conditions. All the prerequisites for installing the certificate on the development machine that signs the project are verified. I have tried both signing from file PFX and selecting from store - both produce the same result.

3. The product is perfectly signed. The setup.exe is signed, which is visible through the Digital Signature properties. I presume the VSTO file is also signed; however, I cannot verify that. It has at least the leaf certificate (e.g. My Company LLC).

When installing the product, the setup.exe is signed correctly and its certificate includes all the certificate chain.
However the customization (the vsto via the Microsoft Office Customization Installer) deployment reports the error:

"Customized functionality in this application will not work because the certificate used to sign the deployment manifest for <my product name is omitted> is not trusted. Contact your administrator for further assistance."

It appears that there is a bug in one of these areas:

Either the VSTO signing is still buggy and the certificate chain is not included. This is described in many articles for previous version of visual studio tools for office.

Or the Microsoft Office Customization Installer (or one of its components) jumps to the conclusion that the certificate or one of the chain is not valid. Probably it should display a UI that asks the user if she trusts the certificate, which is not displayed? I have found some articles describing similar issues for previous versions...

I would really appreciate it if someone could help me dig deeper into the problem. I filed the issue with Thawte also; however, both sides claim the problem is on the other side ...

Stoyan Krastev  Monday, January 12, 2009 2:22 PM
P.S. I believe it is not up to nature. It is something we used to do; we have done it for so long that we forgot we can stop doing it. However, we could perfectly exist without figuring out the thing (if they work). :)
Stoyan Krastev  Monday, January 12, 2009 3:11 PM
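The posts above compare what setup.exe (Authenticode) shows against what the ClickOnce/VSTO client shows for the same PFX. A practitioner's first check is to separate the two questions: does the PFX chain on the signing machine, and which certificates actually ended up inside the published manifest's XML signature? The script below is an added example, not code from the thread or from Microsoft, Thawte or the posters. It assumes the paths and password given at the top (hypothetical), that the manifest is a standard ClickOnce .application/.manifest file whose signature uses the XML-DSig namespace, and that the chain is evaluated against the store of whatever machine you run it on (run it on the client that shows the warning, not only on the build box).

```powershell
# Added example: inspect the signing PFX and the certificates embedded in a ClickOnce manifest.
# Not part of the original thread. Paths, password and file names below are assumptions.
param(
    [string]$PfxPath      = 'C:\certs\mycompany.pfx',        # assumption
    [string]$PfxPassword  = 'changeit',                      # assumption
    [string]$ManifestPath = 'C:\publish\MyApp.application'   # assumption
)

Add-Type -AssemblyName System.Security

# Build and print the chain for one certificate using this machine's certificate stores.
function Show-Chain {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Label
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation off so an unreachable CRL does not mask the problem we care about:
    # a chain that stops at the leaf because no intermediate is available.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    # Require the code-signing EKU (id-kp-codeSigning), as a signature consumer would.
    $chain.ChainPolicy.ApplicationPolicy.Add(
        (New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3')) | Out-Null

    $ok = $chain.Build($Cert)
    Write-Host "== $Label"
    Write-Host "   Subject : $($Cert.Subject)"
    Write-Host "   Issuer  : $($Cert.Issuer)"
    Write-Host "   Chain ($($chain.ChainElements.Count) element(s)):"
    foreach ($el in $chain.ChainElements) {
        Write-Host "     - $($el.Certificate.Subject)"
    }
    if (-not $ok) {
        foreach ($s in $chain.ChainStatus) {
            Write-Warning "   $($s.Status): $($s.StatusInformation.Trim())"
        }
    }
    return $ok
}

# 1. The PFX as the signer sees it. A single element here means the PFX carries only the
#    leaf and this machine has no matching intermediate in its stores.
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    $PfxPath, $PfxPassword)
$pfxOk = Show-Chain -Cert $pfx -Label "Signing certificate from $PfxPath"

# 2. The certificates actually embedded in the manifest's XML-DSig <KeyInfo>.
[xml]$doc = Get-Content -Path $ManifestPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager $doc.NameTable
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$nodes = $doc.SelectNodes('//ds:X509Certificate', $ns)
Write-Host "Manifest $ManifestPath embeds $($nodes.Count) X509Certificate element(s)."

$i = 0
foreach ($node in $nodes) {
    $i++
    $bytes = [Convert]::FromBase64String($node.InnerText.Trim())
    $embedded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
    Show-Chain -Cert $embedded -Label "Embedded certificate #$i" | Out-Null
    if ($embedded.Thumbprint -ne $pfx.Thumbprint) {
        Write-Warning "   Embedded certificate #$i is not the leaf from the PFX (thumbprint differs)."
    }
}

if (-not $pfxOk) {
    Write-Warning 'The signing certificate itself does not chain on this machine; fix that before blaming ClickOnce.'
}
```

Read the output in two steps. If the PFX chains to a root on the build machine but the manifest embeds a single certificate and that certificate does not chain on the client, the intermediate exists only on the machine that signed, which matches the symptom in the first post (the Thawte entries present for the SignTool-signed executable, absent for the ClickOnce-signed manifest). Note that this script only inspects the certificates; it does not validate the XML signature over the manifest contents. Use mage.exe -Verify on the same file for that.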
Ok, I'm not sure I can help you (we use Verisign). I do remember reading some stuff in this forum about people having problems with "chained certificates". Mine from Verisign isn't like that, I just have one certificate and I converted it to a pfx and used it, and it worked like a charm.

Apparently the client does not recognize the deployment as signed. That is why it won't install the VSTO add-in.

Have you searched this forum for "thawte" ?

RobinS.
GoldMail.com
Ts'i mahnu uterna ot twan ot geifur hingts uto.
RobinDotNet  Wednesday, January 14, 2009 7:07 AM
I think I'm having the exact same issue that you are. My thread is here:

Signed VSTO Word Plugin Published to Server Won't Install:
http://social.msdn.microsoft.com/Forums/en-US/vsto/thread/44841131-58e7-4b8a-add2-a9cff869b82e

Please let me know if you've learned anything!

thanks,
Brandon

sandover  Wednesday, September 23, 2009 5:49 PM
I have learned something about this. (1) It's just a bug in the dialog. The install should work just fine. (2) They didn't fix it in .NET 4.0.

Here's a link to the thread where I provide the full explanation.

http://social.msdn.microsoft.com/Forums/en-US/winformssetup/thread/13876bb8-7dbb-4df1-93f8-70ff467ffd4b

RobinDotNet
Click here to visit my ClickOnce blog!
RobinDotNet  Wednesday, September 23, 2009 5:58 PM
Robin,

About the dialog "bug" -- note that Stoyan (writing in January 09) reported no problems with the dialog. He says that "When installing the product, the setup.exe is signed correctly and its certificate includes all the certificate chain." So it sounds as though he CAN click on the publisher name, and he CAN see the complete chain. But the install fails anyway. This is the exact same behavior that I'm seeing with my project (refer to my other posts in this thread and elsewhere). It's the same behavior that the original poster referred to in his post from 2006. The cert chain is visible on the client machine -- but the install STILL fails.

Thus it's not the same issue discussed in the thread that you link above ("ClickOnce installation failed because of intermediate certificate").

Brandon

sandover  Wednesday, September 23, 2009 6:19 PM

Yes, I was wrong about it just being a bug in the dialog. It's a complete muck-up that you have to work around. I posted back the information to your thread in the VSTO forum, which is here:

http://social.msdn.microsoft.com/Forums/en-US/vsto/thread/44841131-58e7-4b8a-add2-a9cff869b82e

Someone posted something to that same thread about inclusion lists. I haven't tried that. I wonder if you can take that small console application and deploy it as a prerequisite to the VSTO Add-In installation. If you do try that, let me know if it works. I'd go muck around with it, but I don't expect to have time before 2nd week of October. If I do manage to carve out a slice of time to try it, I'll let you know.

RobinDotNet


Click here to visit my ClickOnce blog!
RobinDotNet  Friday, September 25, 2009 3:10 AM