How to Authenticode sign ClickOnce deployment with an EV SHA2 cert and avoid "Unknown Publisher"


When signing a ClickOnce deployment via Visual Studio's project "Signing" settings page, I specified our SHA2 (SHA256) EV Authenticode certificate and published.


After publishing, when attempting to run the bootstrapper (setup.exe) I'm presented with "Unknown Publisher" in the ClickOnce dialog.


The EV certificate in question is valid, running on an eToken hardware token with the SafeNet client tools communicating with the token. Signing regular PE files (EXE, DLL) with signtool produces valid assemblies and the publisher is known. This issue is specific to ClickOnce deployments. In addition, the individual files of the ClickOnce deployment are valid, because the Digital Signatures tab of the file properties dialog lists them correctly for both the bootstrapper (setup.exe) and the assembly files suffixed ".deploy".


Also, the ".application" and ".manifest" files are appropriately mutated (probably via mage by Visual Studio) and contain a <publisherIdentity> element along with the algorithm set correctly.


The signing machine is running Win10, and I've tried every permutation I can imagine:

  • with and without timestamp
  • with and without strong name signing
  • with and without online publishing
  • with and without HTTPS online publishing
  • with and without a specific "update location" via the Publish page
  • with and without "publisher name" set via Description in the Publish page
  • with every combination of manifest options:
    • exclude deployment provider URL
    • block application from being activated via URL
    • use application manifest for trust information
  • multiple machines on various versions of Windows
  • manual manifest signing and assembly signing via mage and signtool (yes, mageui as well)
  • ensured the cert is not revoked with the certificate provider

There appears to be someone else experiencing this.

The reason this occurs is due to a couple of factors:

  1. ClickOnce displays "Unknown Publisher" when using a SHA2 Authenticode certificate.
  2. On January 1st 2016 Windows deprecated SHA1 Authenticode signing / code signing. Windows SmartScreen technology displays "Unknown Publisher" when using a SHA1 Authenticode certificate.

This is in effect a catch-22: you need SHA1 for ClickOnce publisher verification and SHA2 for SmartScreen. Nice.

Work with your certificate provider (hopefully a true CA) to get both a SHA1 and a SHA2 certificate. The folks at DigiCert were great. You must work with the CA in these cases because if you have your own SHA2 cert and work with them to get a SHA1 cert (or vice-versa), they will auto-revoke the existing certificates you have with them. In the case of DigiCert they were able to prevent the automatic revocation when I explained what I wanted to try (dual signing).

After you've installed both on the EV token, configure Visual Studio to sign the ClickOnce manifests with the SHA1 certificate. Ideally you'll also supply a timestamp server in the same dialog because of the eventual expiration of the certificate.


After publishing the ClickOnce deployment locally, and before distributing it, dual sign the ClickOnce bootstrapper (setup.exe) by appending the SHA2 certificate:

signtool.exe sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /as /sha1 yourcertthumbprinthash "x:\deployment\clickoncecert\setup.exe" 

Note, one way to find the cert thumbprint is via the Certificates MMC snap-in. And yes, thumbprints are supposed to be SHA1 even for SHA2 certs.


Now, the bootstrapper shows both of the certificates in the Digital Signatures tab of the file properties dialog.


When you run setup.exe from the location specified as the "Installation Folder URL" on the Publish page in Visual Studio, you should see the publisher as trusted. It's important to understand the installation folder, because if you run the app from another location you should expect it not to be trusted, since the bootstrapper makes calls to the known installation folder to retrieve the application files.
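A check script, added here and not part of the original answer, that verifies the outcome of the procedure above: which of the installed code-signing certificates is SHA1 versus SHA2 (the thumbprint alone does not tell you), that the deployment manifest was signed with the SHA1 one, and that setup.exe carries both signatures. The deployment path and manifest name are placeholders, and signtool.exe from the Windows SDK is assumed to be on PATH.

```powershell
# Added check script (not from the original post). Assumes the published
# files are in $DeployDir and that signtool.exe (Windows SDK) is on PATH.
# The paths below are placeholders.
param(
    [string]$DeployDir   = 'x:\deployment\clickoncecert',
    [string]$AppManifest = 'x:\deployment\clickoncecert\MyApp.application'   # assumed name
)

# 1. List code-signing certs with the algorithm the CA used to sign them.
#    The thumbprint is always SHA1; SignatureAlgorithm tells SHA1 and SHA2 certs apart.
Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Select-Object Thumbprint, Subject, NotAfter,
        @{ Name = 'SigAlg'; Expression = { $_.SignatureAlgorithm.FriendlyName } } |
    Format-Table -AutoSize

# 2. The deployment manifest must be SHA1-signed for ClickOnce to show the publisher.
[xml]$manifest = Get-Content -LiteralPath $AppManifest -Raw
$sigMethod = (Select-Xml -Xml $manifest -XPath '//*[local-name()="SignatureMethod"]' |
              Select-Object -First 1).Node.Algorithm
$publisher = (Select-Xml -Xml $manifest -XPath '//*[local-name()="publisherIdentity"]' |
              Select-Object -First 1).Node
"Manifest SignatureMethod  : $sigMethod"
"Manifest publisherIdentity: name='$($publisher.name)' issuerKeyHash=$($publisher.issuerKeyHash)"
if ($sigMethod -notlike '*rsa-sha1') {
    Write-Warning 'Deployment manifest is not SHA1-signed; ClickOnce will report Unknown Publisher.'
}

# 3. setup.exe must carry both signatures: the primary (SHA1) and the appended SHA2 one.
$setup   = Join-Path $DeployDir 'setup.exe'
$primary = Get-AuthenticodeSignature -FilePath $setup
"setup.exe primary signature: $($primary.Status) by $($primary.SignerCertificate.Subject) " +
    "($($primary.SignerCertificate.SignatureAlgorithm.FriendlyName))"
# Get-AuthenticodeSignature only reports the first signature; /all makes signtool check every one.
& signtool.exe verify /pa /all /v $setup
if ($LASTEXITCODE -ne 0) { Write-Warning "signtool could not verify every signature on $setup" }
```

Run it after the signtool /as step and before copying the deployment to the installation folder URL; a second signer block in the signtool output is what confirms the SHA2 signature was appended.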
