How to use obfuscation for ClickOnce?

Asked 5/8, 2010 at 15:16 Answered 15/12, 2015 at 13:3

Solved .net clickonce obfuscation dotfuscator

If one will release a ClickOnce version, how can it be obfuscated by Dotfuscator?

Hyson answered 5/8, 2010 at 15:16 Comment(0)

You can use the commercial version of Dotfuscator to automatically obfuscate a ClickOnce application by adding the deployment manifest ("foo.application") as an input to your Dotfuscator project. Dotfuscator will allow you to add any necessary exclusions to the assemblies contained in the ClickOnce application and will create updated deployment and application manifests containing the obfuscated assemblies.

The free version of Dotfuscator included in Visual Studio (including Visual Studio 2010) does not have the feature to automatically obfuscate ClickOnce applications. In order to get a functioning obfuscated ClickOnce application you will need to recreate or update the ClickOnce manifests since obfuscation changes the signatures of the assemblies.

You can use mage.exe or mageui.exe (included in the Windows/.NET SDK) to update the ClickOnce manifests. If you are going to use mage.exe you need to be aware that you cannot use the "Use .deploy file extension" option in your ClickOnce options as it does not recognize it.

Assuming your ClickOnce application is named "Foo" and is at version 1.0.0.0 the process you will want to follow is:

Publish your ClickOnce application to a directory on disk
Run Dotfuscator CE and add the assemblies you want to be obfuscated from the bin directory of your project
Obfuscate the assemblies. The obfuscated assemblies will be put into a subdirectory named "Dotfuscated" by default.
Resign your obfuscated assemblies with sn.exe (only if you initially strong named them)
Copy the obfuscated assemblies over top of the ones in the ClickOnce publish\Application Files\Foo_1_0_0_0 directory
Update the application manifest and resign it:

mage.exe -Update "Application Files\Foo_1_0_0_0\Foo.exe.manifest" -CertFile "c:\Foo\foo.pfx" -Password password
Update the deployment manifest and resign it:

mage.exe -Update Foo.application -AppManifest "Application Files\Foo_1_0_0_0\Foo.exe.manifest" -CertFile "c:\Foo\foo.pfx" -Password password

You now have a valid application and deployment manifest using obfuscated assemblies. You can also use the MageUI.exe tool to accomplish the same tasks (and it knows how to handle assemblies with the .deploy extension) but it is not as easy to automate.

Latria answered 9/8, 2010 at 18:44 Comment(5)

Hi @Joe, can you explain where the certificate pfx file come from? – Outgo 9/6, 2011 at 18:28

@Outgo if you are shipping software to external customers then it normally comes from a certificate vendor (Comodo, Thawte, etc). For internal applications I've used certs signed by a domain controller or just self signed certs from makecert.exe – Latria 16/6, 2011 at 11:12

Hi @JoeKuemerle After doing this all My Application Stopped Working on the Client Machine. It is Checking for update, downloading it and running it. then stopped working. I checked the Event Viewer and Found 1.0.0.0 4f29010f c d System.NullReferenceException C:\Users\interbiz\AppData\Local\Temp\WER22D1.tmp.WERInternalMetadata.xml – Henka 1/2, 2012 at 9:36

@Henka Sounds like an obfuscation issue and not a ClickOnce problem. If you are using late binding, dynamic invocation of methods with string literals, serialization or some types of reflection renaming of some methods in your application can cause it to crash. You should investigate the stack trace and determine if you need to exclude some symbols from being renamed. – Latria 6/2, 2012 at 21:57

I don't have a .application file. I've got an xbap and an exe.. one at the same level as the "Application Files" directory and one in the Foo_1_0_0_0 level. Would the xbap at the higher level be equivalent to your .application? It tells me it was successfully signed, but I still get manifest errors trying to run the xbap. – Henriettahenriette 4/9, 2012 at 18:59

I have a solution similar to Joe Kuemerle's, but before the publish process. This works with publish in Visual Studio and MSBuild command line.

Add the BeforePublish target to the project file.

<ItemGroup>
    <ClickOnceFiles Include="bin\Release\ClickOnce.*"/>
</ItemGroup>
<Target Name="BeforePublish">
    <Exec Command="{path to dotfuscator}\dotfuscator.exe Dotfuscator.xml" />
    <Exec Command="mage.exe -u bin\Release\ClickOnce.exe.manifest" />
    <Exec Command="mage.exe -u bin\Release\ClickOnce.application -AppManifest bin\Release\ClickOnce.exe.manifest" />
    <Copy SourceFiles="@(ClickOnceFiles)" DestinationFolder="obj\Release" OverwriteReadOnlyFiles="True" />
</Target>

The ClickOnce files are ClickOnce.application, ClickOnce.exe, and ClickOnce.exe.manifest. My dotfuscator.xml is in the same folder with the project file. The key is the last command, copy the ClickOnce files to the obj folder.

Halfbound answered 8/5, 2011 at 7:33 Comment(1)

Umm, which part of the above regenerates the manifest based on the number of files? After all, I may have X files before obfuscation but only one file after obfuscation (not counting the manifest & .vsto files, of course). – Johppah 26/1, 2012 at 18:17

Yes, these are compatible technologies. ClickOnce simply focuses on the deployment of an application and its associated binaries to a target machine. Dotfuscator offuscates the DLL and EXE files. They will work together so long as you run Dotfuscator before publishing the application.

Epeirogeny answered 5/8, 2010 at 15:30 Comment(2)

But, in VS2010, if you 'publish' the clickonce, there are no dll/exe. How to 'run Dotfuscator before publishing the application'. – Hyson 6/8, 2010 at 0:43

Add, 'run Dotfuscator before publishing the application',how to publish? – Hyson 6/8, 2010 at 1:7

I don't know whether this is only possible in later versions of Visual Studio but for me it works perfectly:

Build the executable in Release mode
Start the exe-modificator of your choice and modify the file at obj/Release/<filename>.exe (notice: not bin/ but obj/)
Push the Publish Now button of Visual Studio which assumes the last build were up-to-date
Profit :D

Audly answered 20/8, 2012 at 11:8 Comment(1)

Publish now always builds for me, so I made a Post-build task but it still didn't work, original .exe is still in the publish location instead of the obfuscated one – Helterskelter 15/5, 2019 at 15:29

If you are using VS2010, the Dotfuscator that comes with it will obfuscate the files and then re-sign the manifests for you. [Edit -- this is not true unless you buy the full version; it works just like VS2008.]

If you are using VS2008, you will need to publish, then obfuscate the files, and then re-sign the manifests with Mage or MageUI.

Edson answered 5/8, 2010 at 20:56 Comment(2)

But, in VS2010, if you 'publish' the clickonce, there are no dll/exe. How to 'run Dotfuscator before publishing the application'. – Hyson 6/8, 2010 at 0:43

See the directions above. Thanks to the Preemptive guys who posted the answer after I asked them for info on twitter. :-) – Edson 13/8, 2010 at 9:14

The deepsea obfuscator works with clickonce

Ruthenic answered 13/2, 2014 at 11:52 Comment(0)

The Eziriz .NET Reactor has an excellent ClickOnce integration.

Ruthenic answered 15/12, 2015 at 13:3 Comment(0)

-1

I got it from an answer to forum post How to deal with ClickOnce.

Hyson answered 11/8, 2010 at 0:23 Comment(0)

-1

see microsoft onling document:Walkthrough: Manually Deploying a ClickOnce Application

Dellinger answered 10/4, 2014 at 8:2 Comment(0)

Recommended topics

Hot tags