
Signing the Assembly Manifests

I am getting this error at Install time:

PLATFORM VERSION INFO
 Windows    : 5.1.2600.131072 (Win32NT)
 Common Language Runtime  : 2.0.50215.44
 System.Deployment.dll   : 2.0.50215.44 (beta2.050215-4400)
 mscorwks.dll    : 2.0.50215.44 (beta2.050215-4400)
 dfdll.dll    : 8.0.50215.44 (beta2.050215-4400)
 dfshim.dll    : 2.0.50215.44 (beta2.050215-4400)

SOURCES
 Deployment url   : http://install.inventorymanager2005.com/InventoryManager2005.application

ERROR SUMMARY
 Below is a summary of the errors, details of these errors are listed later in the log.
 * Activation of http://install.inventorymanager2005.com/InventoryManager2005.application resulted in exception. Following failure messages were detected:
  + Exception reading manifest from http://install.inventorymanager2005.com/InventoryManager2005.application: the manifest could be invalid or the file could not be opened.
  + The manifest has no XML signature.

COMPONENT STORE TRANSACTION FAILURE SUMMARY
 No transaction error was detected.

WARNINGS
 There were no warnings during this operation.

OPERATION PROGRESS STATUS
 * [15 Jun 2005 16:53:50 -05:00] : Activation of http://install.inventorymanager2005.com/InventoryManager2005.application has started.

ERROR DETAILS
 Following errors were detected during this operation.
 * [15 Jun 2005 16:53:51 -05:00] System.Deployment.Application.InvalidDeploymentException (ManifestParse)
  - Exception reading manifest from http://install.inventorymanager2005.com/InventoryManager2005.application: the manifest could be invalid or the file could not be opened.
  - Source: System.Deployment
  - Stack trace:
   at System.Deployment.Application.ManifestReader.FromDocument(String localPath, ManifestType manifestType, Uri sourceUri)
   at System.Deployment.Application.DownloadManager.DownloadManifest(Uri& sourceUri, String targetPath, IDownloadNotification notification, DownloadOptions options, ManifestType manifestType, ServerInformation& serverInformation)
   at System.Deployment.Application.DownloadManager.DownloadDeploymentManifestDirect(SubscriptionStore subStore, Uri& sourceUri, TempFile& tempFile, IDownloadNotification notification, DownloadOptions options, ServerInformation& serverInformation)
   at System.Deployment.Application.DownloadManager.DownloadDeploymentManifest(SubscriptionStore subStore, Uri& sourceUri, TempFile& tempFile, IDownloadNotification notification, DownloadOptions options)
   at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivation(Uri activationUri, Boolean isShortcut)
   at System.Deployment.Application.ApplicationActivator.ActivateDeploymentWorker(Object state)
  --- Inner Exception ---
  System.Deployment.Application.ValidationFailedException (Unknown subtype)
  - The manifest has no XML signature.
  - Source: System.Deployment
  - Stack trace:
   at System.Deployment.Application.Manifest.AssemblyManifest.ValidateSignature(Stream s)
   at System.Deployment.Application.ManifestReader.FromDocument(String localPath, ManifestType manifestType, Uri sourceUri)

COMPONENT STORE TRANSACTION DETAILS
 No transaction information is available.


I have never signed any code before in my life. How do I sign the assemblies in my program? (I need details - I do know how to get to the UI page for signing them.)

FYI: I have a 2048-bit Authenticode certificate from InstantSSL for Black River Software but do not know how to use the .pfx I generated in pvkimprt or how to generate a relevant .snk file to sign assemblies with.

I assume that this needs to be used to sign the assemblies. But the closest I've gotten to doing it with this certificate, it kept telling me that it couldn't find the key and certificate. Do they have to be stored in the same location that the binaries are written to? I really need someone to be clear on this and walk me through it.

Please, please help

JBrown9264  Wednesday, June 15, 2005 9:56 PM
Jared,
Believe there were some problems in the pre-released products (beta2) around strong name signing the assembly and Click Once publishing. You do not need to strong name (sign) your assembly to publish it. You essentially only need to sign the assembly if you are installing it to the GAC or you are referencing other signed assemblies in your application.

It sounds like in your scenario that you do not need to sign the assembly before you publish it. The main thing is that when someone is "installing" your application that they will be able to "Verify" that it is coming from you since the CO Manifest is signed with your certificate.

Hope this helps!
-Robert Schoen (MS Visual Basic QA)
RSchoe-MSFT  Friday, November 04, 2005 5:24 PM
It is true that you don't HAVE to sign assemblies with ClickOnce deployment. In fact, because new versions are deployed to a separate directory on the client machine, it is similar to XCOPY deployment where all assemblies are loaded from within the deployment directory (not the GAC).

Still you SHOULD sign all .NET assemblies in order to take advantage of important security features of .NET. Only signed assemblies, for example, are verified by the runtime, to ensure that they have not been tampered with. Although the directory structure is obscure, it is still remotely possible for a malicious attacker to overwrite assemblies in the ClickOnce deployed directories, and cause havoc. If assemblies are strongly named, they can't do this.
Michele Leroux Bustamante  Monday, November 07, 2005 7:22 AM

Cool! 
Here is also a pretty good MSDN topic around this subject of assembly strong name signing that could be helpful for those deciding to strong name sign their assemblies!

http://msdn2.microsoft.com/en-us/library/h4fa028b(en-US,VS.80).aspx

Robert Schoen (MS Visual Basic QA)

RSchoe-MSFT  Thursday, November 10, 2005 7:34 PM

1. Signing Assemblies.
You can use the sn utility to strong name sign your assemblies
sn -k mykeyfile

Or
In VS2005 choose the Project->Properties->Signing page.
Check Sign the assembly.
Choose a strong name key by browsing.

Note: To generate a strong name use the sn utility.
sn -k mysn.snk

2. Signing ClickOnce Manifest.
In VS2005 choose the Project->Properties->Signing page.
Check Sign ClickOnce Manifest.
Select the signing key you obtained from InstantSSL using the Select From file button.

Or you can use the SDK tool called Mage
mage -sign manifestFile -cf certfile.pfx

Let me know if you have any questions.

Thanks,
Sameer

Sameer Murudkar - MSFT  Wednesday, June 15, 2005 11:00 PM
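
An added example, not part of the original posts and not Microsoft's code: a pre-publish check that a ClickOnce manifest carries the XML signature whose absence produced "The manifest has no XML signature" in the log above. It assumes the usual signed-manifest layout (an XMLDSig Signature element and a publisherIdentity element directly under the asmv1:assembly root); the function name and the sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
ASM_V1 = "urn:schemas-microsoft-com:asm.v1"
ASM_V2 = "urn:schemas-microsoft-com:asm.v2"

def manifest_signature_problems(xml_text):
    """Return structural signing problems in a ClickOnce manifest ([] = none).

    Presence checks only: no digest or certificate chain is validated here.
    Intended for manifests from your own build output, not untrusted XML.
    """
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != f"{{{ASM_V1}}}assembly":
        problems.append("root element is not asmv1:assembly")
    sig = root.find(f"{{{DSIG}}}Signature")
    if sig is None:
        # Same condition the installer reported in the log above.
        return problems + ["manifest has no XML signature"]
    for part in ("SignedInfo", "SignatureValue", "KeyInfo"):
        if sig.find(f"{{{DSIG}}}{part}") is None:
            problems.append(f"Signature is missing {part}")
    if sig.find(f".//{{{DSIG}}}X509Certificate") is None:
        problems.append("no X509Certificate under Signature")
    if root.find(f"{{{ASM_V2}}}publisherIdentity") is None:
        problems.append("no publisherIdentity element")
    return problems

# Constructed sample manifests (not from the thread); values are placeholders.
_HEAD = (f'<asmv1:assembly xmlns:asmv1="{ASM_V1}" xmlns="{ASM_V2}" manifestVersion="1.0">'
         '<assemblyIdentity name="Example.application" version="1.0.0.0"/>')
_PUBLISHER = '<publisherIdentity name="CN=Example Publisher" issuerKeyHash="PLACEHOLDER"/>'
UNSIGNED = _HEAD + "</asmv1:assembly>"
SIGNED = (_HEAD + _PUBLISHER +
          f'<Signature xmlns="{DSIG}"><SignedInfo/><SignatureValue>PLACEHOLDER</SignatureValue>'
          '<KeyInfo><X509Data><X509Certificate>PLACEHOLDER</X509Certificate></X509Data></KeyInfo>'
          '</Signature></asmv1:assembly>')

if __name__ == "__main__":
    for label, doc in (("unsigned", UNSIGNED), ("signed", SIGNED)):
        print(label, manifest_signature_problems(doc) or "looks signed")
```

Run it against the .application and .exe.manifest files in the publish folder after the last build step; a manifest regenerated after signing shows up here as unsigned.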

I think I understand the process as described by you and in the MSDN pages. I understand that the strong name is a private key / public key pair that I simply create by going to 'New' in the drop down or by using sn.exe (I've been using the latter).

But the problem is that I can not get the application to install if I sign the assemblies with their own .snk's or if I use the same one I created in sn.exe for each. I am storing the .snk in each of the assemblies' folders where the modules are. (I do not mean ../bin/* I mean the directory for each assembly under the solution)

The problem is that I keep getting that manifest error I copied and pasted into several threads here.

If I uncheck sign assembly it all works great so I know that my InstantSSL Authenticode is working.

I am really starting to get baffled. Furthermore, should I even be bothering to sign the assemblies? I am not prompted during ClickOnce installs that the assemblies are not signed. So should I just stop trying to get this to work?

Also, some forums and sites say I should include a keyfileattribute string in the assembly files themselves, but VS2005 Beta 2 did not like this.

Any extra info you give or a walk through would be very helpful.

JBrown9264  Wednesday, June 15, 2005 11:41 PM

Hi Jared,

I just installed your app, from the URL you mentioned, on a Whidbey Beta2 build and it installs and runs fine. I don't see any issues.

>>>should I even be bothering to sign the assemblies?
It is not necessary to sign assemblies for ClickOnce deployment to work. That does not mean that strong name signed assemblies don't work with ClickOnce. The problem you have mentioned is related to manifest signing and not assembly signing.

>>>If I uncheck sign assembly it all works great so I know that my InstantSSL Authenticode is working.
Can you elaborate on what you mean by "it works"? Does the application install and run, or do you mean that the strong name signing works?


Thanks,
Sameer

Sameer Murudkar - MSFT  Thursday, June 16, 2005 5:55 AM
">>>If I uncheck sign assembly it all works great so I know that my InstantSSL Authenticode is working.
Can you elaborate on what you mean by 'it works'? Does the application install and run, or do you mean that the strong name signing works?"

Response: What I mean is that I am able to install it, as you have found to be true as well.

The problem I am still having is that if I opt to sign my assemblies with a .snk built by sn.exe or by choosing 'new' then it proceeds to build, publish, but I am unable to install it because of the error I have copied and pasted above.

On a side note: I signed up for and received Beta 2 by mail, but it is the original snapshot of Beta 2. Is there a way to get updates, patches, or new builds so as more things are fixed the IDE can be updated?

JBrown9264  Thursday, June 16, 2005 6:01 PM