Using EV Certificate With ClickOnce

My company purchased an EV Certificate from Symantec to use for a software product we produce. Specifically it is called: Symantec Class 3 Extended Validation Code Signing CA – G2.

To develop and build this product we use Visual Studio 2013, and we use ClickOnce as the publish and installer mechanism. The problem we are having is that ClickOnce is unable to apply the EV Certificate using its built-in signing mechanism. ClickOnce can see the Certificate just fine, and allows us to select it with the “Select from Store…” button. It shows all of the correct information in the Certificate window. But when we Publish, the following error is encountered:

“An error occurred while signing: Failed to sign bin\Release\app.publish\setup.exe. SignTool Error: An unexpected internal error has occurred.”

Note that we are able to use SignTool.exe to apply the EV Certificate from the command line, so the problem is not with that program.

Has anyone had experience with this combination of EV Certificate and ClickOnce? Is there a different EV Certificate that we should buy that works better with ClickOnce?

Illfounded answered 21/8, 2014 at 17:21 Comment(3)
I assume that you received the certificate in a hardware eToken. Are you using the SafeNet drivers to use it? - Earthwork
Yes, we have a hardware eToken and are using the SafeNet drivers. We know those are working because we can bind the EV certificate using SignTool.exe and Mage.exe without any problem. - Illfounded
SafeNet was also working with signtool and mage without problem apart from the ClickOnce certificates signing, but changing the register value seems to have solved it. - Earthwork

I had the exact same problem a few days ago and the Digicert after-sales service has been able to solve it. Try to check the value of this registry key (in regedit):

HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Cryptography/Providers/SafeNet Smart Card Key Storage Provider/Aliases

The value should be "eToken Base Cryptographic Provider" and not "eToken Base Cryctographic Provider" ('p' instead of 'c').

As said in the comments, you'll have to reboot after that change.

Hope it helps.

Earthwork answered 16/9, 2014 at 7:27 Comment(3)
Excellent. Thanks Max. I corrected the registry entry on my machine and as nearly as I can tell it fixed the issue. I'm not 100% sure because so many other things have changed in my environment that I can't now recreate the original failure. But if this fixed the issue for you, I believe it would fix it in my case as well. At least I'm confident enough to mark this as the answer. Thanks for your valuable input. - Illfounded
Great answer. FYI I had to reboot my machine after that change (I suppose I could have killed/reset the various SafeNet Exes running in the background too). - Birthroot
This answer saved my life! - Regularly

Can't comment (not enough rep). Spent a LONG time getting to this page so I wanted to add the following info for anyone who comes here after.

The full error message (for the purpose of search engines finding this site) from signtool is:

SignTool Error: An unexpected internal error has occurred

Error: SignerSign() failed." (-1073741275/0xc0000225)

This only happens (for us) when signing sha256. sha1 worked fine.

@Max's answer (typo in the registry key) is correct. This is a bug in the SafeNet Authentication Client version 8.2 installer. I changed the registry key, rebooted, and everything started working.

It has been fixed as of the 9.0 version (which is for Win8+).

Bickering answered 25/3, 2016 at 16:7 Comment(0)
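
A read-only PowerShell check for the alias typo described in the answers above, for auditing a build machine before a ClickOnce publish. It is an added example, not code from any of the posts. The key path and both strings come from the answers; whether "Aliases" is a value or a subkey is an assumption, so the script inspects both layouts.

```powershell
# Added example: read-only check for the misspelled SafeNet provider alias.
# Key path and both strings are taken from the answers above. Whether "Aliases"
# is a value or a subkey is an assumption, so both layouts are inspected.
$providerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Providers\SafeNet Smart Card Key Storage Provider'
$expected    = 'eToken Base Cryptographic Provider'
$misspelled  = 'eToken Base Cryctographic Provider'

function Get-AliasStrings {
    param([string]$KeyPath)
    $found = @()
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $found }

    # Layout 1: "Aliases" is a (possibly multi-string) value on the provider key.
    $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['Aliases']) {
        $found += @($props.Aliases)
    }

    # Layout 2: "Aliases" is a subkey; collect every string value stored under it.
    $sub = Join-Path $KeyPath 'Aliases'
    if (Test-Path -LiteralPath $sub) {
        $key = Get-Item -LiteralPath $sub
        foreach ($name in $key.GetValueNames()) {
            $found += @($key.GetValue($name) | Where-Object { $_ -is [string] })
        }
    }
    return $found
}

# Nothing is written to the registry; the script only reports what it finds.
$aliases = @(Get-AliasStrings -KeyPath $providerKey)
if ($aliases.Count -eq 0) {
    Write-Output "No Aliases data found under: $providerKey"
} elseif ($aliases -contains $misspelled) {
    Write-Output "Misspelled alias present: '$misspelled'"
    Write-Output "Expected: '$expected' (correct it, then reboot as the answers note)"
} elseif ($aliases -contains $expected) {
    Write-Output "Alias is spelled correctly: '$expected'"
} else {
    Write-Output "Unrecognized alias data: $($aliases -join '; ')"
}
```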
