8

I am working on deploying a ClickOnce Application build on .NET 4.5 Here are the facts:

  1. I have a valid Comodo Authenticode Certificate
  2. The certificate is installed in my local cert store
  3. The project properties for "Signing" tab show that the certificate should be used for signing the manifest (I'm not even yet trying to sign the Assemblies for .NET)
  4. The proper timestamp server URL is entered for comodo
  5. On the Publish tab, the settings are very typical:
  6. Publish to a UNC path
  7. Installation folder is a URL mapped to that path in IIS

However, no matter what I do, when I use the "Publish Now" button to actually publish the ClickOnce application, all of the file get published, but when I download the "Setup.exe", it ALWAYS says "Unknown Publisher".

Any ideas on what I'm doing wrong? I have been researching this for several weeks and I have read through enough to believe that I'm doing it "correctly", but I just must be missing some small checkbox or setting, or something of course.

Any help appreciated.

-- W.G.

Will Gillen
  • 93
  • 1
  • 4
  • I found the reason that it wasn't able to sign the manifest. Our certificate was revoked. There was no message from Visual Studio during publishing, but when I tried to manually sign the setup.exe I got a generic error. So, I used certutil to verify our certificate and saw that the cert was showing a revocation from the issuer's CRL. We are working with the issuer to find out why.... – Will Gillen May 09 '15 at 22:25
  • I have exactly the same scenario. But when I try to manually sign the setup.exe I got no error. Same outcome as Visual Studio have. Everything fine. But I still get the "unknown publisher". I am only signing the ClickOnce manifests and I double check the "publisher name" is in the "publish" tab is exactly the one in the certificate. @Arin answer did no work for me. Any ideas? – Igor Kondrasovas Nov 06 '20 at 12:21

5 Answers5

11

Far as I know the "Unknown Publisher" keys off the code-signing, which Visual Studio doesn't provide an interface for. Oh, it does have signing interfaces, but only for manifest signing and strong-name assembly signing. This other question mentions the three signings, too.

To get the "Unknown Publisher" replaced with your org name, you'll have to add a bit of XML to your .csproj or .vbproj file. Right before the closing </Project> tag, you'll need to call SignTool.exe, which I manually copied to my solution's main Bin folder (If you don't have it, it's part of the Windows SDK). Here's what mine looks like:

  <!-- This section is used for code-signing the application. This should not be confused with manifest signing or with strong-name assembly signing, which can both be done from the Visual Studio interface. -->
  <Target Name="SignOutput" AfterTargets="CoreCompile">
    <PropertyGroup>
      <TimestampServerUrl>http://timestamp.verisign.com/scripts/timstamp.dll</TimestampServerUrl>
      <ApplicationDescription>A.Franklin's Awesome App</ApplicationDescription>
      <SigningCertificateCriteria>/sha1 0c0ff5e29404b7d78q2517f487da0b1a0912c4da</SigningCertificateCriteria>
    </PropertyGroup>
    <ItemGroup>
      <SignableFiles Include="$(ProjectDir)obj\$(ConfigurationName)\$(TargetName)$(TargetExt)" />
    </ItemGroup>
    <Exec Command="&quot;$(ProjectDir)..\Bin\SignTool&quot; sign $(SigningCertificateCriteria) /d &quot;$(ApplicationDescription)&quot; /t &quot;$(TimestampServerUrl)&quot; &quot;%(SignableFiles.Identity)&quot;" />
  </Target>

To get the hash code (the "0c0ff5..." above) for my certificate, which I already had installed on my machine, I

  1. Ran certmgr.msc and opened Certificates – Current User > Personal > Certificates
  2. Double-clicked the certificate I wanted and clicked the Details tab
  3. Used Ctrl-C to copy the value for Thumbprint (which looked like "0c f0 f5..."), except for the first character. There’s an invisible character in this textbox that gets copied along with the first character, and it messes up your script later on. So manually type the first character (a "0" in this case), then paste the value from this dialog box. If you get the error, "Invalid SHA1 hash format: ?0c 0f f5..." in Visual Studio, that question mark means the invisible character is there.
  4. Manually type the first character, then paste the value from this dialog box. Delete all spaces, so that it looks like 0c0ff5..., and make the line look like the SigningCertificateCriteria code above.

You could use SignTool.exe manually too, but for me this setup runs it transparently during each compile.

Community
  • 1
  • 1
Arin
  • 1,373
  • 2
  • 10
  • 23
  • While I did figure out why the publish process wasn't able to sign the manifest, this is a very useful process that you've outlined. I'm going to go ahead and mark this answer as the best answer that I've seen. Thanks! – Will Gillen May 10 '15 at 15:23
1

It's not that complex.

1st, you need to just sign the manifest using your cert.

2nd, you need to install that cert to "Trusted Root Certification Authorities" store on your client PC, this you can do by checking your cert detail and then install following the wizard, ensure you choose the right store.

This step will change the unknown publisher to the name in your cert.(As the publisher is now in your trusted root CA, so it's no longer "unknown") but you will still have the prompt to asking for installation confirmation.

3rd, you can again install the cert to "Trusted Publisher" store on your client PC, then the publisher is trusted publisher, you will no longer get prompt, the installation will just happen.

Hope this will help someone still facing the issue.

Harry Hu
  • 62
  • 2
  • This worked for me. After installing the certificate in the local 'Trusted Root Certificate Authorities' store the publisher name appeared when running the .exe installer. – Amy Nov 30 '22 at 19:47
0

Check whether your application manifest is being used for trust information (i.e. publisher name). If it is, make sure the publisher name matches who the certificate was issued to EXACTLY. If it does not match, you'll get an "unknown publisher" issue. This setting is located in Visual Studio in the "Publish" Tab. Click the "Options..." button, followed by the "Manifests" list item.

enter image description here

Try unchecking the "Use application manifest for trust information" and republish to see if the issue is resolved. If you do need the option checked, click the "Description" tab and make sure the "Publisher name" value matches the value of the name the code signing certificate is issued to EXACTLY.

Make sure publisher name matches who the code signing certificate was issued to

Jakal
  • 62
  • 2
  • 13
0

In my case, I was using old Comodo's Timestamp server. As of now, Comodo is now Sectigo and they made changes to their timestamp server, so now they use RFC3161 by default instead of Authenticode. So I've just had to change Signtool.exe parameters to fit the new server, changing the parameter /t with /tr using the new url, and adding parameter /td to specify the hash algorithm. This change was made editing the .csproj file before the </project> closing tag.

Old code:

<Target Name="BeforePublish">
<Exec Command="&quot;C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe&quot; sign /f &quot;$(ProjectDir)MyCert.p12&quot; /t http://timestamp.comodoca.com/authenticode /p CertPassword /v &quot;$(ProjectDir)obj\$(ConfigurationName)\$(TargetFileName)&quot;" />

New Code:

<Target Name="BeforePublish">
<Exec Command="&quot;C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe&quot; sign /f &quot;$(ProjectDir)MyCert.p12&quot; /tr http://timestamp.sectigo.com /td SHA256 /p CertPassword /v &quot;$(ProjectDir)obj\$(ConfigurationName)\$(TargetFileName)&quot;" />

Source: Sectigo's Timestamp Server Info

Jairo Ramírez
  • 41
  • 3
-1

First you must publish to a website in IIS not a UNC path. Publish to the folder the site is pointing to.

Second import the certificate into the Trusted Root Certificate Authorities Folder on MMC console.

And then finally when signing the manifest choose Select From Store on the Signing Tab in Visual Studio. I got this to work with a Test Certificate.

I hope it helps.

Thanks

Stewart Itopia
  • 1
  • 1