问题
I am working on deploying a ClickOnce Application build on .NET 4.5 Here are the facts:
- I have a valid Comodo Authenticode Certificate
- The certificate is installed in my local cert store
- The project properties for "Signing" tab show that the certificate should be used for signing the manifest (I'm not even yet trying to sign the Assemblies for .NET)
- The proper timestamp server URL is entered for comodo
- On the Publish tab, the settings are very typical:
- Publish to a UNC path
- Installation folder is a URL mapped to that path in IIS
However, no matter what I do, when I use the "Publish Now" button to actually publish the ClickOnce application, all of the file get published, but when I download the "Setup.exe", it ALWAYS says "Unknown Publisher".
Any ideas on what I'm doing wrong? I have been researching this for several weeks and I have read through enough to believe that I'm doing it "correctly", but I just must be missing some small checkbox or setting, or something of course.
Any help appreciated.
-- W.G.
回答1:
Far as I know the "Unknown Publisher" keys off the code-signing, which Visual Studio doesn't provide an interface for. Oh, it does have signing interfaces, but only for manifest signing and strong-name assembly signing. This other question mentions the three signings, too.
To get the "Unknown Publisher" replaced with your org name, you'll have to add a bit of XML to your .csproj or .vbproj file. Right before the closing </Project> tag, you'll need to call SignTool.exe, which I manually copied to my solution's main Bin folder (If you don't have it, it's part of the Windows SDK). Here's what mine looks like:
<!-- This section is used for code-signing the application. This should not be confused with manifest signing or with strong-name assembly signing, which can both be done from the Visual Studio interface. -->
<Target Name="SignOutput" AfterTargets="CoreCompile">
<PropertyGroup>
<TimestampServerUrl>http://timestamp.verisign.com/scripts/timstamp.dll</TimestampServerUrl>
<ApplicationDescription>A.Franklin's Awesome App</ApplicationDescription>
<SigningCertificateCriteria>/sha1 0c0ff5e29404b7d78q2517f487da0b1a0912c4da</SigningCertificateCriteria>
</PropertyGroup>
<ItemGroup>
<SignableFiles Include="$(ProjectDir)obj\$(ConfigurationName)\$(TargetName)$(TargetExt)" />
</ItemGroup>
<Exec Command=""$(ProjectDir)..\Bin\SignTool" sign $(SigningCertificateCriteria) /d "$(ApplicationDescription)" /t "$(TimestampServerUrl)" "%(SignableFiles.Identity)"" />
</Target>
To get the hash code (the "0c0ff5..." above) for my certificate, which I already had installed on my machine, I
- Ran certmgr.msc and opened Certificates – Current User > Personal > Certificates
- Double-clicked the certificate I wanted and clicked the Details tab
- Used Ctrl-C to copy the value for Thumbprint (which looked like "0c f0 f5..."), except for the first character. There’s an invisible character in this textbox that gets copied along with the first character, and it messes up your script later on. So manually type the first character (a "0" in this case), then paste the value from this dialog box. If you get the error, "Invalid SHA1 hash format: ?0c 0f f5..." in Visual Studio, that question mark means the invisible character is there.
- Manually type the first character, then paste the value from this dialog box. Delete all spaces, so that it looks like 0c0ff5..., and make the line look like the SigningCertificateCriteria code above.
You could use SignTool.exe manually too, but for me this setup runs it transparently during each compile.
回答2:
First you must publish to a website in IIS not a UNC path. Publish to the folder the site is pointing to.
Second import the certificate into the Trusted Root Certificate Authorities Folder on MMC console.
And then finally when signing the manifest choose Select From Store on the Signing Tab in Visual Studio. I got this to work with a Test Certificate.
I hope it helps.
Thanks
回答3:
It's not that complex.
1st, you need to just sign the manifest using your cert.
2nd, you need to install that cert to "Trusted Root Certification Authorities" store on your client PC, this you can do by checking your cert detail and then install following the wizard, ensure you choose the right store.
This step will change the unknown publisher to the name in your cert.(As the publisher is now in your trusted root CA, so it's no longer "unknown") but you will still have the prompt to asking for installation confirmation.
3rd, you can again install the cert to "Trusted Publisher" store on your client PC, then the publisher is trusted publisher, you will no longer get prompt, the installation will just happen.
Hope this will help someone still facing the issue.
来源:https://stackoverflow.com/questions/30132305/net-clickonce-signing-results-in-unknown-publisher