ClickOnce VSTO solution signed with mage.exe - certificate not trusted error
I'm trying to deploy a VSTO solution, which is two add-ins, for Word and for Outlook, using ClickOnce. Due to our deployment infrastructure/practices, I cannot publish it using Visual Studio; it is instead built on a build server and deployed via a deployment server.

For local development, a self-signed certificate is used. The deployment worked with this self-signed certificate (if the self-signed certificate was installed on the machine), but now I want to add a real company certificate so that the application can be deployed to the users.

During deployment, after the configuration files are poked, they are updated and re-signed with the real certificate. However, this produces the following error during installation:

System.Security.SecurityException: Customized functionality in this application will not work because the certificate used to sign the deployment manifest for <app name> or its location is not trusted. Contact your administrator for further assistance.
       at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInTrustEvaluator.VerifyTrustPromptKeyInternal(ClickOnceTrustPromptKeyValue promptKeyValue, DeploymentSignatureInformation signatureInformation, String productName, TrustStatus status)
       at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInTrustEvaluator.VerifyTrustUsingPromptKey(Uri manifest, DeploymentSignatureInformation signatureInformation, String productName, TrustStatus status)
       at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInTrustEvaluator.VerifyTrustUsingPromptKey(Uri manifest, DeploymentSignatureInformation signatureInformation, String productName)
       at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.ProcessSHA1Manifest(ActivationContext context, DeploymentSignatureInformation signatureInformation, PermissionSet permissionsRequested, Uri manifest, ManifestSignatureInformationCollection signatures, AddInInstallationStatus installState)
       at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.VerifySecurity(ActivationContext context, Uri manifest, AddInInstallationStatus installState)
       at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()
    The Zone of the assembly that failed was:
    MyComputer

The only lead I have is that, after re-signing, the values in publisherIdentity element are not changed (both .vsto and .manifest), only the Signature element has values corresponding to the new certificate.

Following commands are used to sign the .vsto and .manifest files (as far as I can see from the deployment scripts):

mage.exe -Update "[path to .vsto/.manifest]"
mage.exe -Sign "[path to .vsto/.manifest]" -CertHash [certificateHash]

where [certificateHash] is the thumbprint of the real certificate and is used to look up the certificate in certificates stores. I'm told this is security measure so that the certificate file doesn't have to be distributed along with the deployment package.

After signing, the files have their Signature values changed, but the publisherIdentity still has the name and issuerKeyHash of the self-signed certificate.

I tried poking these two values prior to re-signing, but I don't know how to calculate the issuerKeyHash.

Any advice on how to proceed would be much appreciated!

Edit:
I was trying out other mage.exe parameters, like '-TrustLevel FullTrust' (which didn't have any effect) or '-UseManifestForTrust True' along with Name and Publisher parameters, which yielded this error message (which is different from the one mentioned above).

************** Exception Text **************
System.InvalidOperationException: You cannot specify a <useManifestForTrust> element for a ClickOnce application that specifies a custom host.
   at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.GetManifests(TimeSpan timeout)
   at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()


Penney answered 25/2, 2015 at 13:29 Comment(1)
I have edited the post and added additional details on how I was trying to fix the problem. Penney
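The observation in the question (the Signature block updated, publisherIdentity still naming the self-signed certificate) is something a deployment pipeline can catch before the package ships. The following Python script is an added example, not code from the question, from mage.exe or from the Windows SDK: it reads the deployment (.vsto) and application (.manifest) manifests, recomputes the thumbprint of the certificate embedded in each Signature (Windows displays a certificate thumbprint as SHA-1 over its DER encoding), compares it with the thumbprint the pipeline passed to -CertHash, and flags a publisherIdentity whose name does not match the publisher the deployer expects. The manifest XML, the certificate bytes and the issuerKeyHash value are constructed placeholders; the XML only approximates the shape of a real ClickOnce manifest, and the expected publisher name is an assumed parameter that the deployer supplies.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed placeholder: NOT a real X.509 certificate. Windows shows a
# certificate's thumbprint as SHA-1 over its DER encoding, so that is what
# we recompute from the manifest's <X509Certificate> element.
FAKE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_DER).decode("ascii")
EXPECTED_THUMBPRINT = hashlib.sha1(FAKE_DER).hexdigest().upper()


def _sample_manifest(root_tag, publisher_name, issuer_key_hash):
    """Build a minimal, constructed manifest that only approximates the
    shape of a real ClickOnce/VSTO manifest (enough for the checks below)."""
    return f"""<{root_tag} xmlns="urn:schemas-microsoft-com:asm.v1"
          xmlns:asmv2="urn:schemas-microsoft-com:asm.v2">
  <assemblyIdentity name="ExampleAddIn.vsto" version="1.0.0.0" />
  <asmv2:publisherIdentity name="{publisher_name}" issuerKeyHash="{issuer_key_hash}" />
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo />
    <SignatureValue>AAAA</SignatureValue>
    <KeyInfo><X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data></KeyInfo>
  </Signature>
</{root_tag}>"""


# Both files still carry the stale self-signed publisherIdentity (constructed values).
STALE_ISSUER_KEY_HASH = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_VSTO = _sample_manifest("assembly", "CN=Dev Self-Signed", STALE_ISSUER_KEY_HASH)
SAMPLE_MANIFEST = _sample_manifest("assembly", "CN=Dev Self-Signed", STALE_ISSUER_KEY_HASH)


def _local(tag):
    """'{namespace}name' -> 'name', so the checks work whichever asm.vN
    namespace a given manifest puts the element in."""
    return tag.rsplit("}", 1)[-1]


def _find_first(root, local_name):
    for el in root.iter():
        if _local(el.tag) == local_name:
            return el
    return None


def signing_cert_thumbprint(manifest_xml):
    """SHA-1 thumbprint (upper-case hex) of the certificate embedded in the
    manifest's <Signature>, or None when the manifest carries no certificate."""
    cert_el = _find_first(ET.fromstring(manifest_xml), "X509Certificate")
    if cert_el is None or not (cert_el.text or "").strip():
        return None
    der = base64.b64decode("".join(cert_el.text.split()))
    return hashlib.sha1(der).hexdigest().upper()


def publisher_identity(manifest_xml):
    """The publisherIdentity attributes as a dict, or None if the element is absent."""
    el = _find_first(ET.fromstring(manifest_xml), "publisherIdentity")
    if el is None:
        return None
    return {"name": el.get("name"), "issuerKeyHash": el.get("issuerKeyHash")}


def check_resigned(vsto_xml, app_manifest_xml, expected_thumbprint, expected_publisher):
    """Return a list of findings; an empty list means the re-signed pair is
    consistent with the certificate and publisher the pipeline intended."""
    findings = []
    expected = expected_thumbprint.replace(" ", "").replace(":", "").upper()
    for label, xml in (("deployment manifest (.vsto)", vsto_xml),
                       ("application manifest (.manifest)", app_manifest_xml)):
        thumbprint = signing_cert_thumbprint(xml)
        if thumbprint is None:
            findings.append(f"{label}: no signing certificate embedded")
        elif thumbprint != expected:
            findings.append(f"{label}: signed with {thumbprint}, expected {expected}")
    pi_vsto, pi_app = publisher_identity(vsto_xml), publisher_identity(app_manifest_xml)
    if pi_vsto != pi_app:
        findings.append("publisherIdentity differs between .vsto and .manifest")
    name = pi_vsto["name"] if pi_vsto else None
    if name != expected_publisher:
        findings.append(f"publisherIdentity name is {name!r}, expected {expected_publisher!r}")
    return findings


if __name__ == "__main__":
    # The situation from the question: the Signature matches the intended
    # certificate, but publisherIdentity still names the self-signed one.
    for finding in check_resigned(SAMPLE_VSTO, SAMPLE_MANIFEST, EXPECTED_THUMBPRINT, "CN=Contoso Ltd"):
        print("FINDING:", finding)
```

Run against real files, the two sample strings would be replaced by the contents of the .vsto and .manifest produced after the mage.exe -Sign step, and the expected thumbprint by the value passed as -CertHash; the script does not decide whether the certificate chains to a trusted root, it only tells you whether the manifests were signed with the certificate you intended and whether their publisherIdentity was left over from an earlier signing.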

We have found what the problem was. We used a version of mage.exe tool from Windows SDK from a folder named 7A (I don't remember the full paths, sorry). A colleague then found another folder with versions 7A, 8 and 8A. Once we took the .exe from 8A folder, the installation works as expected.

Penney answered 27/2, 2015 at 16:22 Comment(0)

The certificate that the app is signed with isn't trusted by Windows. As a work around,

  1. Right click on setup.exe,
  2. Select properties then the Digital Signatures tab
  3. Select Vellaichamy/user then click Details
  4. Click View Certificate and Click Install Certificate.

Do not let it automatically choose where to store the cert; install the certificate in the Trusted Root Certification Authorities store. Once the cert is installed the app should install...

Tetrafluoroethylene answered 30/6, 2015 at 12:29 Comment(0)

Take a look at the Granting Trust to Office Solutions article which states the following:

If you sign the solution with a known and trusted certificate, the solution will automatically be installed without prompting the end user to make a trust decision. After a certificate is obtained, the certificate must be explicitly trusted by adding it to the Trusted Publishers list.

For more information, see How to: Add a Trusted Publisher to a Client Computer for ClickOnce Applications.

Also you may find the Deploying an Office Solution by Using ClickOnce article helpful.

Downwind answered 25/2, 2015 at 14:10 Comment(2)
Hello Eugene, thank you for your input. If I understand correctly, you suggest to install our certificate on client machines. We would like to avoid doing that as installing the certificate for every customer and all their users is infeasible. Could this happen automatically during the ClickOnce installation, for example by using the CertMgr tool? Our goal is to make the installation as simple for the users as possible. A prompt to confirm the trust is okay, but it doesn't appear; instead the installation is aborted with an error message. Penney
Oh, I would like to add to that that a colleague of mine added the certificate to his machine for testing to see if that would resolve the problem, but he still gets the same error message. Penney

Try copying all the necessary files to the client computer then install. If you can avoid installing from the network drive you might be able to avoid this exception.

Uneventful answered 14/7, 2015 at 17:40 Comment(0)
