How to sign ClickOnce manifests with Visual Studio

Reading Time: 4 minutes

When a program, script, or macro is downloaded, a popup window asking, “Are you sure you want to run this?” will appear during installation or execution. or “Do you want to let the next program affect this computer?” Code signing is being used in this popup. Code signing tools are crucial because they distinguish between legitimate software and malicious or rogue code.

Code signing is a procedure that verifies the legitimacy of the author and the originality and authenticity of digital information, particularly software code. It also ensures that the information is not malicious code. Additionally, it guarantees that this information has not been altered, falsified, or canceled after being digitally signed.

 Your projects developed in Visual Studio with Visual Basics and Visual C# can be published and updated using ClickOnce. ClickOnce is a Microsoft technology used to deploy and update Windows desktop applications over the internet. It allows developers to publish their applications on a web server or network file share and make them available to users via a single click without any complex installation or configuration process.

While you publish your project using ClickOnce, you can sign ClickOnce manifests using a certificate. This will help prove the legitimacy of your application, and this process is called Code signing. Codesigning with ClickOnce provides several security features to ensure that the application and its updates are downloaded from a trusted source and that users are protected against potential security threats. It adds an extra layer of security to your application and can help increase user trust.

When you publish your project using ClickOnce without codesigning, such application when run by the user, a dialogue box is often prompted with a security warning.

But no such warnings are prompted when you Sign ClickOnce manifests with a code signing certificate.

Encryption Consulting has a CodeSigning solution, “CodeSign Secure,” which can help you with tamper-proof storage for the keys and complete visibility and control of Code Signing activities. The private keys of the code-signing certificate can be stored in an HSM to eliminate the risks associated with stolen, corrupted, or misused keys.

This solution provides a tool and certificate for signing ClickOnce manifests. You will have to install and configure the tool and follow the steps below to proceed.

1. Install and Configure the tool (SigningKSP)

2. From the command prompt, reach the directory where ECGetCert.exe is located.

   

3. Run the command: ECGetCert.exe evcodesigning Here, evcodesigning is the certificate name that we are using for the codesigning purpose.

   This command will save evcodesigning.pem (certificatename.pem) file in the same directory

   

4. Open certmgr.msc and navigate to Personal -> certificates. If there is no certificate folder, right-click on personal -> All Tasks -> Import

   

5. A Certificate import wizard Opens. Click on next; the store location here is, by default, the current user.

   

6. On the next page, browse for the certificate. It should be saved in the same directory where EGGetCert. Exe is located. From there, select evcodesigning.pem (certificatename.pem). If you can’t see the file select all files at the bottom instead of X.509 certificate. Once the certificate is selected, click next.

   

   

7. On the other page, ensure that “Place all the certificates in the following store” is selected. Under that, the Certificate store is set to Personal. Click on next and then Click on Finish. You’ll see a dialogue box saying the import was successful.

   

   

8. Once the certificate import is done, you need the thumbprint value of your certificate. Click on Personal -> Certificates -> and then the imported certificate. Navigate to “Details” and scroll down to thumbprint. You can copy the value.

   

   Return to the command prompt. Run the following command. Ensure that you place the Thumbprint of your certificate in your command.

   certutil -f -repairstore -csp “Encryption Consulting Key Storage Provider” -user “My” 79656a9ce126fd0d1bb33f4dc73dba308f58b3ac

   

   

9. Once the command runs, navigate to the project in Visual Studio that you want to publish with ClickOnce.

10. In the Solution Explorer, Right Click on your project and navigate to Publish. Click on it.

    

11. A new dialogue box opens. Select ClickOnce and click on Next.

    

12. On the next page, choose a publish location or leave the default bin\publish and click Next.

    

13. You can choose the Install Location as per your choice or leave the default. Click on Next.

    

14. Select your settings in the next tab as you like and click Next

    

15. In Sign manifests, check the box “Sign the ClickOnce manifests” and click on select a certificate from the store.

    

    A dialogue box opens with a certificate, which was initially imported. Click OK to proceed.

    

    You can now see the certificate details in Sign manifests

    

16. Click on next to choose your configuration and click on Finish.

17. You’ll see Publish profile creation progress and a green tick when successful

    

18. You can see the Publish Profile created.

    

We have successfully signed ClickOnce manifests with Visual Studio. Click on Publish to publish your project.

Conclusion

With its digital signature and other security features, Signing ClickOnce manifests enables developers to establish the level of trust users should have in an application. This can decrease the probability that harmful software will be executed on a user’s machine. With the rapid increase in viruses and malware on applications online, it’s necessary to take such measures to prevent any damage. It’s always better to be safe than sorry.

To summarize, incorporating code signing into software security is crucial to safeguard it against malware attacks and tampering. Encryption Consulting’s Code Sign Secure offers various advantages, including seamless integration with development workflows, robust authentication and encryption, and customizable pricing options. To learn more about how you could use Code Sign Secure visit: www.encryptionconsulting.com/code-signing-solution/ or contact us at: [email protected]