Rafael Simonelli

Reputation: 304

How to make MSBuild sign all files in a Clickonce application

I have an application (WPF) installed by Clickonce and now I need to sign it, so Windows can recognize my company as a trusted issuer. The following command line was used in my C.I. tool (parameters with diamonds <> are used only to exemplify the situation):

C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /target:clean;build;publish /p:ApplicationVersion=<VERSION> /p:SignAssembly=true /p:GenerateManifests=true /p:SignManifests=true /p:AssemblyOriginatorKeyFile=<PFX_PATH> /p:ManifestCertificateThumbprint=<CERTIFICATE_ID> /property:Configuration=<CONFIGURATION>;PublishDir=<PUBLISH_DIR>;BootstrapperEnabled=true;PublishUrl=<PUBLISH_URL>;InstallUrl=<INSTALL_URL>;UpdateUrl=<UPDATE_URL> C:\hudson\slave\workspace\NIMBUS-NFE-NFEasy2\NFeasy2\NFeasy2.sln

The problem is: only the setup.exe is signed, and only with the SHA-256 algorithm. Thus, when the user runs my application, the issuer is not recognized. Also, when running with Windows XP, the setup will never run because the OS doesn't recognize the signature (it seems that WinXP needs SHA-1).

How can I set up my project or command line to sign all files with both the SHA-1 and SHA-256 algorithms? Also, will this stop prompting for the user's permission every time the application is run? If not, is there a way to do so?

Thanks!

Upvotes: 4

Views: 2290

Answers (1)

Rafael Simonelli

Reputation: 304

After reading a lot of solutions through the Internet, I managed to write a batch file to do the full signing. Note that this works only with specific versions, and I had to put them in my Path in the following order:

C:\Program Files (x86)\Windows Kits\8.1\bin\x86;

C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin;

The script is the following:

rem renaming the setup.exe because it will be treated separately
ren setup.exe setup._

rem removing the .DEPLOY extension, getting back the original one
for /r %%x in (*.deploy) do ren "%%x" *.

rem signing all files with my certificate
for /r %%x in (*.exe *.dll) do signtool.exe sign /fd sha1 /as /sha1 <MY_CERTIFICATE> "%%x"
for /r %%x in (*.exe *.dll) do signtool.exe sign /fd sha256 /as /sha1 <MY_CERTIFICATE> "%%x"

rem updating the manifest with the new signatures
for /r %%x in (*.manifest) do mage.exe -update "%%x"

rem signing the manifest file
for /r %%x in (*.manifest) do mage.exe -sign "%%x" -ch <MY_CERTIFICATE>

rem putting the .DEPLOY extension in all files renamed previously
for /r %%x in (*.exe *.dll *.config *.cer *.ttf *.ico *.xml *.p7b) do ren "%%x" *.*.deploy

rem getting back setup.exe
ren setup._ setup.exe

rem signing setup.exe file
signtool.exe sign /fd sha1 /as /sha1 <MY_CERTIFICATE> setup.exe
signtool.exe sign /fd sha256 /as /sha1 <MY_CERTIFICATE> setup.exe

rem updating MyApp.Application file
for /r %%x in (*.manifest) do mage.exe -update MyApp.Application -appm "%%x"

rem signing MyApp.Application file
mage.exe -sign MyApp.Application -ch <MY_CERTIFICATE>

rem copying the newly signed file over the .application file in the destination folder
for /r %%x in (*.application) do xcopy MyApp.Application "%%x" /y

Upvotes: 4
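An added verification script to run after the batch file above; it is not part of the original answer. Run it at the point where the payload files still carry their original .exe/.dll names (before the final "ren ... *.*.deploy" step). It checks that every binary has a valid primary Authenticode signature from the expected certificate, that all appended signatures (the SHA-1 plus SHA-256 pair) verify, and that every .manifest/.application file carries the XML-DSig Signature and publisherIdentity elements that mage -sign writes. $PublishDir and $ExpectedThumbprint are assumed parameters, and signtool.exe is assumed to be on the PATH.

```powershell
# Added example, not the answer's own code. Verifies the signing state of a ClickOnce publish
# folder. Assumed inputs: $PublishDir (publish folder) and $ExpectedThumbprint (the SHA-1
# thumbprint passed to "signtool /sha1" and "mage -ch"). Requires signtool.exe on the PATH.
param(
    [Parameter(Mandatory = $true)][string]$PublishDir,
    [Parameter(Mandatory = $true)][string]$ExpectedThumbprint
)

$report   = @()
$relative = { param($full) $full.Substring($PublishDir.TrimEnd('\').Length).TrimStart('\') }

# 1. Payload binaries: the primary Authenticode signature must be valid and issued from the
#    expected certificate. Get-AuthenticodeSignature reports only the primary signature, so
#    "signtool verify /pa /all" is used to confirm that every appended signature verifies too.
Get-ChildItem -Path $PublishDir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object {
        $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
        $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        & signtool.exe verify /pa /all /q $_.FullName | Out-Null
        $allSigsOk = ($LASTEXITCODE -eq 0)
        $report += [pscustomobject]@{
            File       = & $relative $_.FullName
            Check      = 'authenticode'
            Status     = $sig.Status
            Thumbprint = $thumb
            Ok         = ($sig.Status -eq 'Valid' -and $thumb -eq $ExpectedThumbprint -and $allSigsOk)
        }
    }

# 2. Manifests: mage -sign adds an XML-DSig <Signature> block and a <publisherIdentity>
#    element. A manifest missing either was not signed, or was changed after signing.
Get-ChildItem -Path $PublishDir -Recurse -File |
    Where-Object { $_.Extension -in '.manifest', '.application' } |
    ForEach-Object {
        [xml]$doc  = Get-Content -Path $_.FullName -Raw
        $signed    = $doc.GetElementsByTagName('Signature').Count -gt 0
        $publisher = $doc.GetElementsByTagName('publisherIdentity').Count -gt 0
        $report += [pscustomobject]@{
            File       = & $relative $_.FullName
            Check      = 'manifest'
            Status     = if ($signed) { 'Signed' } else { 'Unsigned' }
            Thumbprint = ''
            Ok         = ($signed -and $publisher)
        }
    }

$report | Format-Table -AutoSize

# Non-zero exit so a C.I. job fails when any file is unsigned or signed by the wrong certificate.
$failed = @($report | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Error ("{0} file(s) failed signature checks" -f $failed.Count)
    exit 1
}
exit 0
```

Usage: `.\Verify-ClickOncePublish.ps1 -PublishDir C:\publish -ExpectedThumbprint <MY_CERTIFICATE>`. One caveat worth noting on the batch file above: its signtool calls carry no timestamp, so the signatures stop validating once the certificate expires; adding an RFC 3161 timestamp (`/tr <timestamp-url> /td sha256`) to each signtool call keeps already-published releases valid.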
