Click here to Skip to main content
8,869,237 members and growing!
  
Email Password   Lost password?
Search within:



add
Add to your CodeProject bookmarks
Print Article
Site map
 » Languages » C# » General
Licence CPOL
First Posted 16 Oct 2009
Views 10,961
Bookmarked 5 times

ClickOnce Manifest Signing

By | 16 Oct 2009 | Technical Blog
ClickOnce Manifest Signing
ArticleBrowse CodeStatsRevisions (5)Alternatives
  Discuss
Discuss this article
  
A Technical Blog article. View original blog here.[^]

Introducing Certification

When you get a Software Publisher Certificate (SPC) from a third party CA (say Verisign) that is authorized by Microsoft to issue certificates, you actually get two files: a pvk and spc or cer file.

  • .pvk file which contains the private key information.
  • .spc or .cer file contains public key information.

In my discussion later, I'll consider having pvk and spc files for signing clickonce application.

To use this certificate, you need to generate a Personal Information Exchange file (pfx). You can generate a pfx file from pvk and spc. For detailed information on how to generate pfx file, follow here.

Visual Studio Support for Clickonce Manifest signing

Now I'll consider that you have a pfx file and you are ready to sign the clickonce manifest. To sign the clickonce manifest, open the properties window of the project and then select signing tab. Then select the “Sign the ClickOnce manifests” check box and you'll be prompted for selecting the pfx file. Open the pfx file and you'll be prompted for password. After putting your password, set the timestamp server URL to http://timestamp.verisign.com/scripts/timstamp.dll. The following figure shows the process in a whole.

image

Figure: Sign clickonce manifests.

Separate Signing from Development

You are done! But this is not why I'm writing this post. The problem is in this process that if you have automated build management system (say using NAnt) then during build you'll be prompted for password and you don't want this. You actually want to separate the signing from development. You only need to bother about signing when you deploy on production server. If put directly select pfx file from Visual Studio then every developer will be prompted for the password during build (at least once, then VS will cache it). So you need some way to sign the Clickonce manifest, say in post build event. But Publish doesn't have any event. So you can't write post build event in Visual Studio project. One way is to write batch script and run the script after production deployment build.

ClickOnce Manifest Internals

But before diving deep into the signing procedure, let’s discuss about how actually ClickOnce manifest works. If you publish your clickonce app in E:\Clickonce folder, then the root folder will contain a file named YOURAPPNAME.applicaiton. Then there will be a folder “Application Files\YOURAPPNAME_VERSION” and there’ll be several files.

image

Figure: ClickOnce Deployment Folder Structure

Clickone has two types of manifests: application manifest and deployment manifest. Deployment manifest has one of the three extensions:

  1. .application for executable application
  2. .vsto for office application
  3. .xbap for browser hosted WPF application

Application manifest has only one extension and that is .manifest.

Now if you want to manually sign clickonce manifest, then you need to sign both application and deployment manifests. Clickonce manifests contain hashes of all/related files. The following figure shows how application and deployment manifest share hash value.

image

Figure: Application and Deployment manifest hash value calculation.

Sign Application and Deployment Manifests

So if you sign clickonce manifest, then you need to sign the application manifest first as deployment manifest depends on application manifest file. So let's start with the signing process:

  1. Sign the application manifest:

    If your application manifest has a .manifest extension and you'll get the application manifest file in “Application Files\Application_VERSION” folder. The following command signs a manifest file with pfx.

    mage -update MyApplicaiton.exe.manifest 
-certfile pfxfile.pfx -Password pfxfilepassword

    The mage command will be available if you have a .NET SDK installed.

  2. Sign the deployment manifest: 
    mage -update MyAppName.application -appmanifest MYAppName.exe.manifest 
-certfile pfxfile.pfx -Password pfxFilePassword

So you are done. But there are a few points to remember. If your application’s DLLs are renamed with deploy, then you need to remove this option or the sign will not work. You can remove the .deploy option from Visual Studio property window > Publish Tab > Options.

image

Figure: Remove .deploy extension from Visual Studio.

Now you can write a batch file which you can run after build and the batch file will sign the clickonce manifests and your manifest signing is totally different from your development.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Sohel_Rana

Web Developer

Bangladesh Bangladesh

Member

 Sohel Rana is currently working as Software Engineer in a software firm in Dhaka, Bangladesh. He has years of expertise in working with products like SharePoint, Ektron, DotNetNuke. He's main expertise is in the area of SharePoint.
 
He likes to learn new technologies. He likes to listen music in his spare time.

Article Top
 
Sign Up to vote   Poor Excellent
Add a reason or comment to your vote: x
Votes of 3 or less require a comment

Comments and Discussions

 
You must Sign In to use this message board. (secure sign-in)
 
Search this forum  
 FAQ
    Noise  Layout  Per page   
  Refresh 
-- There are no messages in this forum --
Permalink | Advertise | Privacy | Mobile
Web04 | 2.5.120517.1 | Last Updated 16 Oct 2009
Article Copyright 2009 by Sohel_Rana
Everything else Copyright © CodeProject, 1999-2012
Terms of Use
Layout: fixed | fluid

The Code Project Insider. Free each morning.
How to build, sign, and deploy a ClickOnce application to be delivered over the internet without using the IDE
Deploying MFC applications via ClickOnce
ClickOnce Licensing HTTPHandler
WSE 3 Deployment: MSI and ClickOnce
TFS2010 Team Build with ClickOnce Applications
Make ClickOnce Work With ASP.NET Forms Authentication
Deploying CAB Files Using ClickOnce Deployment
Different Methods of ClickOnce Deployment
LocBaml + MsBuild + ClickOnce Deployment
Publish an application using ClickOnce, without VS 2005
Manifest File Injection
Different Methods of ClickOnce Deployment
ClickOnce Deployment Visual Studio 2005
Launching a ClickOnce Application from Another ClickOnce Application
ClickOnce JavaScript
ClickOnce Button Server Control
.NET Manifest Resources
Running a ClickOnce Application from Another Program
Sign Code
Automate the Manifest Injection Process