“Manifest XML signature is not valid” on client machine but works fine on developer computer

Front-end · Unresolved · 3 · 1046
天命终不由人 2020-12-13 14:27

At work we had a ClickOnce application that, when the client would try to install, was throwing the exception:

  • Exception reading manifest f

3 answers
  • 挽巷 (original poster)
    2020-12-13 14:48

    We had a similar problem - we have a .NET 4.0 application, meant to work on machines with .NET 4.0 or higher. As our code signing certificate expired we purchased a new one and as Sha1 is going to be deprecated, we received a Sha256 one. I should say that our build machine has .NET 4.5 installed, so the framework assemblies are all updated on that machine.

    We noticed that the following error started to appear only on .NET 4.0 machines once we migrated to the new certificate:

    * Activation of http://localhost/publish/Test.application resulted in exception. Following failure messages were detected:
        + Exception reading manifest from http://localhost/publish/Test.application: the manifest may not be valid or the file could not be opened.
        + Manifest XML signature is not valid.
        + SignatureDescription could not be created for the signature algorithm supplied.
    

    After a little research we found this thread and some others, suggesting upgrading to .NET 4.5, but this is not a working solution for us - we don't want to force our clients to update the .NET framework (~20% are still using .NET 4.0). Here are the solutions we came up with:

    • Sign the manifests on a machine that has only .NET 4.0 installed
    • Sign with the following PowerShell script instead of using mage.exe:
    function SignFile($filePath, $timeStampUri, $certThumbprint)
    {
        #Add-Type System.Security

        # Look the signing certificate up by thumbprint in the current user's personal store
        $x509Store = New-Object -TypeName ([System.Security.Cryptography.X509Certificates.X509Store]) -ArgumentList ([System.Security.Cryptography.X509Certificates.StoreName]::My),([System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser)
        try
        {
            $x509Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
            $x509Certificate2Collection = $x509Store.Certificates.Find([System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint, $certThumbprint, $false)
            if ($x509Certificate2Collection.Count -eq 1)
            {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]@($x509Certificate2Collection)[0]

                # Blanking the friendly name of the certificate's signature algorithm makes
                # SignFile fall back to SHA1 instead of SHA256, which .NET 4.0 clients can verify
                $cert.SignatureAlgorithm.FriendlyName = ""

                # The manifest signer from the MSBuild deployment utilities
                Add-Type -AssemblyName "Microsoft.Build.Tasks.v4.0"

                [Microsoft.Build.Tasks.Deployment.ManifestUtilities.SecurityUtilities]::SignFile($cert, $timeStampUri, $filePath)
            }
        }
        finally
        {
            $x509Store.Close()
        }
    }
    

    EDIT: I actually use this cmdlet to sign the manifest files: https://gist.github.com/nedyalkov/a563dd4fb04d21cb91dc

    Hope this information will save somebody time and effort!
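A diagnostic to go with the answer above, added here and not taken from the poster's answer or gist: it reads the XML-DSig SignatureMethod and DigestMethod URIs out of a ClickOnce manifest so you can tell, before publishing, whether .NET 4.0 clients will be able to verify it (.NET 4.0 only registers a SignatureDescription for RSA-SHA1; the RSA-SHA256 description arrived in .NET 4.5, which is exactly the "SignatureDescription could not be created" failure). The manifest fragment is constructed, and the publish path in the last comment is an assumption.

```powershell
# Added example (not from the original answer): report which XML-DSig algorithms
# each <Signature> in a ClickOnce manifest uses and whether .NET 4.0 can verify it.
function Get-ManifestSignatureInfo {
    param([Parameter(Mandatory)][xml]$Manifest)

    # For the RSA signatures ClickOnce uses, .NET 4.0 ships a SignatureDescription
    # for RSA-SHA1 only; RSA-SHA256 was added in .NET 4.5.
    $verifiableOn40 = @('http://www.w3.org/2000/09/xmldsig#rsa-sha1')

    $ns = New-Object System.Xml.XmlNamespaceManager($Manifest.NameTable)
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    # A published manifest carries the strong-name signature and, nested inside
    # msrel:RelData, the Authenticode signature; //ds:Signature finds both.
    foreach ($sig in $Manifest.SelectNodes('//ds:Signature', $ns)) {
        $method  = $sig.SelectSingleNode('ds:SignedInfo/ds:SignatureMethod', $ns).GetAttribute('Algorithm')
        $digests = $sig.SelectNodes('ds:SignedInfo/ds:Reference/ds:DigestMethod', $ns) |
                   ForEach-Object { $_.GetAttribute('Algorithm') } | Sort-Object -Unique
        [pscustomobject]@{
            SignatureId       = $sig.GetAttribute('Id')
            SignatureMethod   = $method
            DigestMethods     = ($digests -join ', ')
            VerifiableOnNet40 = $verifiableOn40 -contains $method
        }
    }
}

# Constructed minimal manifest: only the signature skeleton, with placeholder values.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2">
  <Signature Id="StrongNameSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <Reference URI="">
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <DigestValue>PLACEHOLDER</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>PLACEHOLDER</SignatureValue>
  </Signature>
</asmv1:assembly>
'@

Get-ManifestSignatureInfo -Manifest ([xml]$sample) | Format-List
# Against a real manifest (path is an assumption):
# Get-ManifestSignatureInfo -Manifest ([xml](Get-Content -Raw .\publish\Test.application))
```

For the constructed sample the report shows the RSA-SHA256 signature method with VerifiableOnNet40 set to False; a manifest re-signed with the SHA1 workaround above reports True.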
