How to Sign ClickOnce with Sha256 Cert for .NET 4.

2019-03-25 20:09发布

问题:

I am trying to deploy an outlook add-in using a clickonce installer. I have a batch file that almost works, however, I get the error "xml signature is not valid" when trying to install on Windows XP. It is pretty well known that XP fails with SHA256 certificates example. It is also known that Update 3 for Visual Studio 2013 fixes the issue when you publish using Visual Studio interface. I am wondering how I can accomplish the same fix using signtool or mage on the command line. Here is my current batch file that works for everything except Windows XP:

:: Build and publish
msbuild /target:clean,publish /property:MapFileExtensions=false /property:Configuration="Release" /property:ApplicationVersion="1.0.0.0" /property:InstallUrl="https://example.com" /property:UpdateEnabled="true" /property:UpdateMode="Foreground" /property:UpdateInterval="0" /property:UpdateIntervalUnits="days" /property:PublisherName="Example" /property:ProductName="Example Outlook Add-In" /property:FriendlyName="Example Outlook Add-In" /property:LoadBehavior="3" /property:BootstrapperEnabled="true" /property:IsWebBootstrapper="true"

:: Sign the exe
signtool sign /fd SHA1 /f "certificate.pfx" "publish\setup.exe"

:: Sign the application manifest
mage -sign "publish\Application Files\Example_1_0_0_0\Example.dll.manifest" -CertFile "certificate.pfx"
mage -update "publish\Application Files\Example_1_0_0_0\Example.dll.manifest" -CertFile "certificate.pfx" -algorithm sha1RSA

:: Sign the deployment manifests (there are 2 locations)
mage -update "publish\Application Files\Example_1_0_0_0\Example.vsto" -appmanifest "publish\Application Files\Example_1_0_0_0\Example.dll.manifest" -CertFile "certificate.pfx" -algorithm sha1RSA
mage -update "publish\Example.vsto" -appmanifest "publish\Application Files\Example_1_0_0_0\Example.dll.manifest" -CertFile "certificate.pfx" -algorithm sha1RSA

I have tried many tweaks to this script and this is where i've gotten. Everything works just fine if I publish with the same certificate.pfx using the Visual Studio "Publish Now" button, but I would like to get it working on command line for automation.

回答1:

As user2404450 correctly wrote, the problem cannot be solved with Mage included in any VS 2013 Update. Microsoft has updated the API, but not the mage.exe tool. If you add the "-algorithm sha1RSA" parameter while calling mage.exe, you only specify what digest algorithm to use when generating hashes for your application resources.

To solve this, we have written a small tool that calls the correct API, see an example:

Microsoft.Build.Tasks.Deployment.ManifestUtilities.SecurityUtilities.SignFile(certThumbprint, timestampUrl, path, "v4.0");

You have to install VS 2013 Update 3 to get the 4th parameter working.



回答2:

I have figured out how to do it with just msbuild

I have Visual Studio 2013 with Update 3 installed. Loaded the certificates needed into the store using the project Properties > Signing tab, taking note of the <ManifestCertificateThumbprint> in the .csproj file for each certificate. Then you can use them on command line like this:

msbuild /target:publish /property:ManifestKeyFile="certificate.pfx" /property:ManifestCertificateThumbprint="CERTIFICATE THUMBPRINT"


回答3:

You cannot accompish this using mage. The reason is that mage is not updated to use the new API added in VS2013 Update 3.

However, it turns out the new API in VS2013 Update 3 are public so you can simply create a simple console app that uses this API to sign your code. Simply pass "3.5" or "4.0" as the last parameter (targetFrameworkVersion) and you're set. Also note that this method requires your certificate to be present in a certificate store.