 

Answered: How can I make update version for application which was signed with certificate now expired?

  • June 1, 2006 7:08 aoky
     
    If I change expired code signing certificate to new one and publish updated application, client  will fail to launch. And code signing fails if I try to use expired certificate. How can I make update version for application signed with old certificate?

Answers

  • October 2, 2006 6:22 David Guyer MSFT (MSFT, Moderator)
     Answered

    So, I'm not sure exactly where the ClickOnce runtime team is on this issue, I know we've had a few discussions about it. I've sent mail to the team to see where they are.  We do appreciate that this is a serious issue. 

    I'm sure you can also appreciate the challenge of this issue as well.  I'm not a certificate expert, but I'm pretty sure the technical relationships between XML Digital Signature content, 1-Year expiring certificates, and signing with expired certificates make this difficult to solve.

    I'm posting because we do have a solution available for people using the "temporary" certificates created by Visual Studio. If you published using one of these certificates (as I did with Bootstrapper Manifest Generator), we have a small utility that can read in the original certificate and output a new certificate with the same info (private key I think) and a 5-year expiration. You can then sign your update and it will work.  As I understand it, this utility will NOT work on certificates from Verisign and Thawte and others.

    Of course the Visual Studio certificates are generally not as good as the commercial certificates because they don't work quite as well in certain scenarios and you can't get rid of some of the red x's at install. But, I thought for a few people running into this using the VS certificates could get some relief.

    The KB article for this issue is at: http://support.microsoft.com/?kbid=925521 The utility has not been posted yet. If we can get it posted, it will be at this link.  Another option is to call Microsoft Customer Support Services.  When you talk to CSS, tell them they can contact me and I'll help get it to/through them.

    I hope this helps!

     

All replies

  • June 1, 2006 19:15 Sameer Murudkar - MSFT
     

    Hi,

    If your certificate has expired you need to renew the certificate from a Certificate authority like Verisign or say your company has a Certificate server. The new certificate must have the same public/private key pair as the original certificate which was expired.

    Alternatively you could continue signing with the expired certificate but the ClickOnce Trust manager prompt will always display Unknown Publisher as the certificate has expired.

    If you sign with a new certificate your application has a different identity i.e. it is a different app from the original one and cannot be updated from the Start menu shortcut.

    Thanks,
    Sameer

  • June 6, 2006 17:15 BradVoy
     

     Sameer Murudkar - MSFT wrote:
    If your certificate has expired you need to renew the certificate from a Certificate authority like Verisign or say your company has a Certificate server. The new certificate must have the same public/private key pair as the original certificate which was expired.

    Is this even possible when using a commercial CA like Verisign?  I've renewed Verisign code signing certificates many times and the process has always involved generating a new key pair.  I don't know how to renew a certificate using a pre-existing key pair.

  • June 12, 2006 7:08 aoky
     
    We asked Verisign whether it’s possible to renew certificate keeping key pair, and their answer was “It's impossible.”

    What is the Microsoft’s recommended way to update ClickOnce application after certificate renewal?
    * Sign with old certificate.
    * Make user reinstall application.
    * Other.

  • June 15, 2006 9:02 Mizuho
     

    I'm member of company "aoky" is belonging to and I arranged new certification.

    So, I investigate properties of old and new certifications.
    Then, "OU" option of "Subject" property is different.

    I guess this is the cause of failure.

    But I'm not so good at code signing architecture, so I can't make sure that
    if make no change in this property then exchange of key will be success.

    Please give me some comment about sureness.

    # Please forgive my poor English, I'm not native...

  • September 20, 2006 18:32 james_cline_
     
     Sameer Murudkar - MSFT wrote:

    Hi,

    If your certificate has expired you need to renew the certificate from a Certificate authority like Verisign or say your company has a Certificate server. The new certificate must have the same public/private key pair as the original certificate which was expired.

    Alternatively you could continue signing with the expired certificate but the ClickOnce Trust manager prompt will always display Unknown Publisher as the certificate has expired.

    If you sign with a new certificate your application has a different identity i.e. it is a different app from the original one and cannot be updated from the Start menu shortcut.

    Thanks,
    Sameer

     

    I am having the same issue and I cannot believe this is how it works. We recently renewed our certificate through thawte which forces you to use a new private key with the renewed certificate which apparently Verisign also does so if the industry standard is to force new private keys with a certificate renewal then how can clickonce be of any use, if every year or two your installed client base has to uninstall and re-install your application????

    If there is a way for thawte to give us a renewed certificate using our original private key, please, please tell me....

  • September 21, 2006 18:51 james_cline_
     

    I have confirmed with Thawte that it is impossible to renew your certificate using the same key. They said it is an "industry standard" to always issue a new key when renewing your certificate. This means every ClickOnce application out there who has signed using a commercial CA will need to be uninstalled and reinstalled if a renewed certificate is used.

    This is a huge blunder in the architecture. This basically makes ClickOnce unusable unless you are ok with making your clients install from scratch every so often when your certificate expires...

    Anyone from MS have any answers?

     

  • September 26, 2006 20:16 mdg17
     

    I can verify that this is a problem with Verisign certificates too.

    I just renewed mine, updated my software, and found out it will no longer work unless I uninstall the old version first and then install my new version.

    This is an unbelievable oversight on Microsoft's part if there is no fix for this.  How can they promote the Clickonce technology, encourage people to sign their code, and tell them about all the benefits of using this technology when it only works for the length of the original certificate life?

    Can someone from Microsoft please reply to this on a fix or a workaround?

    I have less than 45 days until my original certificate expires and the complaints start pouring in. 

  • September 27, 2006 17:32 mdg17
     

    If anyone else is having this same problem, please report and comment about it at the following link as this will become a major issue for people whose code signing certificates are expiring over the next few months.  If you have this issue and go to the link, hopefully, they will have a fix or a workaround by the time you go there.  Nothing yet.

    https://connect.microsoft.com/VisualStudio/feedback/ViewFeedback.aspx?FeedbackID=207513

     

  • October 1, 2006 7:53 kadonk
     
    Same problem for us, except we just updated our server databases, updated our web methods, published the new version of our product, and Booooom.... Crash and burn! This should be Microsoft's #1 priority NOW, because as of Monday, every one of our customers will have to uninstall and re-install because of this. We can't avoid that, too short notice, but we certainly won't trust clickonce anymore unless this sees a speedy fix.

    Unbelievable blunder from MSFT.

  • October 6, 2006 19:38 CS Chan
     

    Hi David,

    I'm running into the same problem and I'd like to try the utility you mentioned to renew my test certificate that was generated from VS 2005.  I can't find it in the link you posted.  Would you let me know where I can get it?

    Appreciate your help.

    Thomas

     

  • October 9, 2006 5:20 David Guyer MSFT (MSFT, Moderator)
     

    Call Microsoft Customer Support Services.

     

  • October 16, 2006 20:02 CS Chan
     
    Hi David, I called MS support and got a copy of your utility.  It works!  Thanks.
  • October 17, 2006 4:49 David Guyer MSFT (MSFT, Moderator)
     
    I'm so glad we could help.
  • October 19, 2006 18:29 mdg17
     

    Hello,
    I thought I'd provide some feedback for those of you who are buying code signing ID's from Verisign and others to make your certificates.

    I have received a response from Microsoft Tech. Support on this.  They agree that this is a major and serious issue and are working on a solution, but due to the complex nature of it, don't expect a fix until VS2008.

    In the meantime, from my experience with this, you have two options: Have your customers uninstall the old version and reinstall the new version manually or set the minimum required version of your application to your latest one with the new certificate.

    I have tried both out and either works, it just comes down to which one causes you less pain.  I'll try to explain what we did for both options to give you a better understanding.

    Option 1:  At first, we were strongly against this option, but now it is what we settled on.  The workaround is pretty straightforward, you go under add or remove programs, uninstall your old version and then go to the web and install the latest version.  Yes, I know this defeats the purpose of Clickonce, but at this point there are no better solutions for us.  To minimize the damage, we purchased a new 3-year digital ID to hopefully take us through to the impending fix in VS2008.  We then made a new version of the software with the OLD certificate (it wasn't set to expire for a month yet) and included an alert message in it giving our customers a set date this version of the software will be incompatible to the new software. After this date, they will have to uninstall their current version and go to the web to install the new version.  We also added a troubleshooting page to our website documenting the problems an uninformed customer would see when trying to launch the old software after the new software is available.  The new software version will have a 3-year life of updates before we run into this issue again.

    Option 2:  This option could work for you depending on how creative you can be or if it is ok to have 2 versions of your software installed on the client machine.  We weren't creative enough to make it practical for us.  On the Clickonce Publish page, you have an "updates" button.  If you click this button, you can check an option and set the minimum required version for this application.  If you set this version to an older version than the one with your new digital certificate, your application will fail to launch with a "Cannot Start Application" failure message.  If you set this minimum version to your new version with the new certificate, your new software will install and run without issue.  I've tried both installing from online and running from the previous link on my computer and both will install it & run.  The drawback is you now have 2 different versions installed on your machine.  We saw this as a greater potential headache than option 1, so we chose the first.

    I hope this is able to help anyone who is running into this problem.
    Marc

  • November 1, 2006 15:34 Jason D. Matthews
     

    Very silly question, but I'll ask in an effort to save some phone jockeying.

    What is their number/which one to use?

    This is the exact problem we have, we use an internal distribution with the Temporary key, uninstalling and reinstalling it for all the clients isn't an option....we can fudge it by setting the computer building the deployment back to when the pfx key was valid, but that's kind of a pain.

     

     David Guyer MSFT wrote:

    So, I'm not sure exactly where the ClickOnce runtime team is on this issue, I know we've had a few discussions about it. I've sent mail to the team to see where they are.  We do appreciate that this is a serious issue. 

    I'm sure you can also appreciate the challenge of this issue as well.  I'm not a certificate expert, but I'm pretty sure the technical relationships between XML Digital Signature content, 1-Year expiring certificates, and signing with expired certificates make this difficult to solve.

    I'm posting because we do have a solution available for people using the "temporary" certificates created by Visual Studio. If you published using one of these certificates (as I did with Bootstrapper Manifest Generator), we have a small utility that can read in the original certificate and output a new certificate with the same info (private key I think) and a 5-year expiration. You can then sign your update and it will work.  As I understand it, this utility will NOT work on certificates from Verisign and Thawte and others.

    Of course the Visual Studio certificates are generally not as good as the commercial certificates because they don't work quite as well in certain scenarios and you can't get rid of some of the red x's at install. But, I thought for a few people running into this using the VS certificates could get some relief.

    The KB article for this issue is at: http://support.microsoft.com/?kbid=925521 The utility has not been posted yet. If we can get it posted, it will be at this link.  Another option is to call Microsoft Customer Support Services.  When you talk to CSS, tell them they can contact me and I'll help get it to/through them.

    I hope this helps!

     

  • November 1, 2006 22:17 kanti
     

    Hi chan

    can I get a copy of your utility that you got from MS support to sign expired certificate.

    thanks

    my email is kaptel@parkwater.com

  • November 13, 2006 10:23 Nicholas COhen
     

     

    Hi all

    Having issued an update to our application, it transpires that we too have the same issue. 

    Microsoft CSS weren't in the slightest bit helpful, and were supposed to be calling me back "within 10 minutes" - that was over an hour and a half ago :-(

    I currently have 120 users unable to use our application because of this issue - does anybody know where I can get hold of this hotfix urgently?

    It's not a practical solution for us to uninstall & reinstall the software on each user's machine, but at the moment that's the only fallback position I can see.  It would be maddening if I had to mobilise our IT staff to do this when there's a hotfix "available".

    If anyone can offer any assistance, please let me know asap!


    Thanks

     

    Nick

     

  • November 13, 2006 14:30 Jason D. Matthews
     

    I would also appreciate it if someone would be kind enough to send me a copy of that utility.  We have the exact problem, we've published an application using a temporary key generated by VS2005.

    The address you can send it to is jasondmatthews@gmail.com

    Any assistance would be greatly appreciated.

    Thank you,

    Jason

  • November 13, 2006 15:03 Jason D. Matthews
     

    Hello Nick,

    I'll do a little information exchange with you.  Can you tell me what number you called for MS CSS?  I bounce around the websites but am not real sure who I'd call for this particular issue.

    I don't know if this will work for you, but in our case we did a bit of rigging until we can get this fix for the Temporary Key.  When publishing we set the compiling computer's date/time back to a time when the key was valid.  This will allow it to deploy.  We hit some weirdness because of the date time switch, but were able to overcome those.  But all in all we were able to release new versions of the software without it being seen as a new deployment.

    Hope that helps.

    Jason

  • November 13, 2006 16:33 Nicholas COhen
     

    Hi Jason

    Thanks for your reply!

    I'm in the UK, and call 0870 60 10 100 as per http://support.microsoft.com/contactus/?ws=support

    We came across (and used) your suggested date fix whilst waiting for MS to come back to us, however I'd consider this an "interim" solution, as I don't want our dev team to have to reset the date each time we want to issue an update!

    MS eventually got back to me and tried to fob me off with the "we'll need to create a hotfix, please register (and pay for) a support request."

    When I pointed out that an MS bod had confirmed on an MS forum that a hotfix exists, they went away to investigate again.

    Someone then called me back and delivered the line: "this behaviour is by design".  When I asked what behaviour exactly, is by design there was more umming and arring. 

    Eventually I've spoken to someone who claims to have left voice & emails for the MS chap who posted regarding the availability of a hotfix, and will get back to me when they get a response.

    I have to say, having spent the last fifteen or so years working with MS technology on a daily basis for both independent software houses and "gold" partners, this is the first time I've had to call MS support for anything.  Unfortunately, I'm not too impressed right now!

    If anybody has had any more success, please let me know!

    Thanks

    Nick

     

  • November 14, 2006 15:15 Nicholas COhen
     

     

    Quick update:

    MS have finally gotten back to me and sent me the C source code for the utility which fixes the problem.

    I guess this is actually MORE than I was expecting - our dev team will compile & apply the fix - if there are any problems I'll post again!

    Thanks again Jason for your response!

     

    N

  • November 14, 2006 16:21 BradVoy
     
    I'm glad this utility is helping those who are using self-signed certificates.  But I want to emphasize to anyone from Microsoft who is reading this thread that this is not a general solution.  Most of us creating commercial applications have to use a certificate issued by a generally recognized, 3rd party certificate authority like Verisign.  We need a solution that works with these certificates or else much of the value of ClickOnce will be lost.
  • November 14, 2006 19:44 David Guyer MSFT (MSFT, Moderator)
     

    You are absolutely right, and that problem is well understood by the ClickOnce team at Microsoft.  There have been some good discussions on how to get to a good general solution... but we can't yet promise we'll be able to fix it in the next release.  Keep an eye out for the beta announcement (which might be sometime next year) and we'll be able to talk more about what's in the product and what's not.

     

  • November 15, 2006 19:25 Jason D. Matthews
     

    Good to hear Nick, I was put on hold a bunch of times so I'm still waiting to open a ticket. 

    I definitely agree with everyone that

    1) there needs to be a permanent fix that will address all keys not just the temporary keys

    2) what I described is NOT a long term solution, it was just a snippet to help those like me who had to get a deployment out quickly without going to every single client (in my case users).

    Is there any way I could get a copy of that source code Nick?  Or did MS say it's for your eyes only?  I'd appreciate it greatly.  If it's not cool I'll go back to the phone.

    As per a previous message my address is jasondmatthews@gmail.com (if you'd like another address, you can e-mail me there and I'll give you a non-free account).

    Thanks,

     

    Jason

  • December 1, 2006 14:16 Scott Ha
     
    Any chance you could post it on here or somewhere else, to help us all out. Some of us are not in the USA, and find phones old technology :-) and a lot more effort than clicking a link to download a program that will make the problem go away.
  • December 12, 2006 13:34 mpswaim
     
    So, is there any word from the ClickOnce team on this? Will it be fixed in SP1?
  • December 22, 2006 5:17 David Guyer MSFT (MSFT, Moderator)
     

    Okay,  I am pleased to announce that the workaround I referred to is available at the KB site... you just need to have VC++ installed, and you should be able to compile the code sample in the article and run it on your cert.

    http://support.microsoft.com/Default.aspx?kbid=925521

    To answer another question: this is not going to be fixed in VS 2005 SP1, but a permanent fix is being worked on. There's no promises at this time when, or if, we'll be able to release it, but be assured, we understand the pain and are working on it.

     

  • January 18, 2007 9:20 Thomas Olsson
     

    It is a blunder from MSFT not to know how the commercial certificate authorities actually work. However, the real problem is with Verisign and Thawte. This is not a problem only for ClickOnce.

    You often want to use the certificate as something that identifies the source. Having this identifier changed once a year is a pain! Customers of ours use certificates to enable ActiveX controls that we have signed and this also plays an important role in .NET access control. The digital certificate is a signature that identifies our company and we do not want to have a new signature each year.

    Another example is signed installation programs and User Account Patching. For this to work we need to be able to use the same certificate and we need to be able to issue patches also one year later!

    Are there any other certificate authorities than Verisign and Thawte that can issue code signing certificates and that perhaps can renew them?

    /Thomas

  • January 18, 2007 17:37 Thomas Olsson
     

     Sameer Murudkar - MSFT wrote:
    If your certificate has expired you need to renew the certificate from a Certificate authority like Verisign or say your company has a Certificate server. The new certificate must have the same public/private key pair as the original certificate which was expired.

    I am not quite sure how certificates are compared. Can I use a certificate with the same private/public keys and CN, but issued by another authority?

  • January 20, 2007 22:09 Jim Harte
     
    Hi All,

    I found this thread recently when I ran into this issue.  I've come up with my own work-around (we're using a Thawte certificate) that involves updating the deployed app with a version that uninstalls itself and reinstalls from a new location.  The new location is signed with the renewed certificate.

    See this for more details: http://www.jamesharte.com/blog/?p=11

    -Jim
  • February 13, 2007 2:46 losdude
     
    Can anyone comment on which is the better solution here?  The MS C++ solution or the JamesHarte solution above?  James' solution seems simpler and less of a "hack".  Comments?
  • February 13, 2007 11:23 Thomas Olsson
     

    One option is perhaps to get a new certificate with the same public key. Verisign and Thawte do not offer this service, but GlobalSign does. They are not as well known as Verisign and Thawte, but they have been around for some time and their customer support, unlike Verisign, can actually answer technical questions.

    /Thomas

  • April 5, 2007 20:43 gearcam
     
    Is there any way to get this to work in VB2005 ??
  • July 12, 2007 10:19 sroylance
     

    To close off this post, there is a method provided by GlobalSign to address all needs.  As Thomas illustrated in the previous post, GlobalSign offers the ability to request a certificate via a 'CSR' process rather than only forcing generation of new private keys.   A certificate (expired or not) from any previous CA which has a private key in the possession of the user can be used to create a new CSR with tools such as OpenSSL.  You simply extract the private key from the certificate and create a new CSR.  The new CSR can then be submitted to GlobalSign and a certificate will be returned which has the same private key as the previous certificate and therefore no errors.   Please submit a CSR in the box on the right hand side on this link.  https://www.globalsign.net/digital_certificate/objectsign/requestcert.cfm?FieldYear=2&cur=us  

    I have specifically not provided details on how to extract the private key as I would be unable to cover the needs of many alternative security environments.  There are many places available on the net to look at how you should do this.   To create a CSR use something like this:-

     

    openssl req -new -subj /C=BE/emailAddress=Your@Yourdomain.com/O=YourOrganisation/CN=YourDomain.com -key privatekey.key -out resulting.csr

     

    Good luck!
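
The thread's requirement that a renewed certificate carry the same key pair as the expired one can be checked with OpenSSL before an update is signed. The following is an added example, not part of sroylance's post and not Microsoft or GlobalSign code; every key, subject and file name is constructed, a throwaway self-signed CA stands in for the real CA, and the `openssl` command-line tool is assumed to be installed.

```sh
#!/bin/sh
# Added example. Every key, subject and file name below is constructed.
set -eu

# Print the SHA-256 of the DER public key held in a certificate, CSR or private key.
pubkey_digest() {
    case "$1" in
        cert) _pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        csr)  _pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        key)  _pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        *)    echo "usage: pubkey_digest cert|csr|key FILE" >&2; return 2 ;;
    esac
    printf '%s\n' "$_pem" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only if both files parse and carry the same public key.
# Usage: same_key KIND1 FILE1 KIND2 FILE2
same_key() {
    _a=$(pubkey_digest "$1" "$2") || return 2
    _b=$(pubkey_digest "$3" "$4") || return 2
    [ -n "$_a" ] && [ "$_a" = "$_b" ]
}

# Build constructed sample files in directory $1.
build_samples() {
    _d=$1
    _subj="/C=BE/O=YourOrganisation/CN=YourDomain.com"

    # Throwaway CA standing in for the commercial CA.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$_d/ca.key" \
        -out "$_d/ca.crt" -subj "/CN=Constructed Test CA" -days 1 2>/dev/null

    # The original key pair and the "old" certificate issued for it.
    # (Validity dates do not affect the key comparison.)
    openssl genrsa -out "$_d/privatekey.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$_d/privatekey.key" -out "$_d/old.crt" \
        -subj "$_subj" -days 1

    # Renewal through a CSR built from the existing private key, as in the post.
    openssl req -new -subj "$_subj" -key "$_d/privatekey.key" \
        -out "$_d/resulting.csr"
    openssl x509 -req -in "$_d/resulting.csr" -CA "$_d/ca.crt" \
        -CAkey "$_d/ca.key" -CAcreateserial -out "$_d/renewed.crt" \
        -days 365 2>/dev/null

    # Renewal that generates a new key pair, the case reported for other CAs.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$_d/rekeyed.key" \
        -out "$_d/rekeyed.crt" -subj "$_subj" -days 365 2>/dev/null
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
build_samples "$WORK"

for _c in renewed rekeyed; do
    if same_key cert "$WORK/old.crt" cert "$WORK/$_c.crt"; then
        echo "$_c.crt: same public key as old.crt"
    else
        echo "$_c.crt: DIFFERENT public key from old.crt"
    fi
done
```

Running `same_key` against the real old certificate and the certificate the CA returns shows whether the renewal kept the key pair, even when the subject fields are identical.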

  • July 27, 2007 18:26 Zloth
     
     David Guyer MSFT wrote:

    You are absolutely right, and that problem is well understood by the ClickOnce team at Microsoft.  There have been some good discussions on how to get to a good general solution... but we can't yet promise we'll be able to fix it in the next release.  Keep an eye out for the beta announcement (which might be sometime next year) and we'll be able to talk more about what's in the product and what's not.

    Well, it's next year, and Visual Studio 2008 is getting into some public beta testing.  Can you talk a little more about this problem and the upcoming edition of VS 2008?

  • October 11, 2007 19:19 Mark Guinness
     

    This is a problem that isn't going away and there appears to be issues with the code provided in KB 925521.  I get the unhandled error “The instruction at 0x77a8ccb3 referenced memory at 0x00000044.  The memory could not be read” which is worse than useless.

     

    After searching on the internet, I found the following webpage http://www.may.be/renewcert/ which explains that the code provided has no error handling (thanks MS).  He has a version of renewcert that handles errors more gracefully.

     

    However, when I run that version I get error “PFXImportCertStore failed with error 0x56: The specified network password is not correct.” and therefore fails.  I have no idea why a network password is required, since all resources are stored locally.

     

    Can someone from Microsoft fix these issues?  I know it has been addressed in VS 2008, but you still need to support VS 2005 users.  Please develop a robust renewcert app, then allow users to get it via the MS download center without having to compile the app in C++ since not all users have the ability/knowledge to do this.

     

    Also, as has been pointed out earlier the "renewcert <OldCertificate>.pfx <NewCertificate>.pfx \"CN=<NewCertificateName>\" <Password>" command line example is confusing to some users in KB 925521 so please spend some time cleaning up the documentation.

  • October 11, 2007 22:38 Mark Guinness
     

    Figured out the problem for the error I got.  I had neglected to provide the certificate password on the command line.  My previous comments still stand true however, not all people using this utility are C++ developers.

  • December 14, 2007 17:55 tmcrocker
     

    Could someone explain to me how this issue "has been addressed in VS 2008"?

    =================================================

    Answering my own question now that I've found the 'solution'.

     

    The answer is that as long as the client has Framework 3.5 installed, it just works.

     

    Now, I did copy the program's project to VS2008's project area and opened it in VS2008. VS2008 upgraded the project but I kept Framework 2.0 as the 'Target' framework.

     

    The project had a now-expired certificate assigned. I changed its assignment to a newer certificate that won't expire until next August.

     

    I then published it. I was warned that the publish location contains an assembly signed with a different certificate and asked if I want to overwrite it. I overwrote it.

     

    I went to a client machine that already had the program installed (using Clickonce) so that the program would try to update itself when run. The client machine just had Framework 3.5 installed. Previously, this machine had only Framework 2.0 installed and the Clickonce problem occurred (as usual) using a different program upgraded and published from VS2008.

     

    This time (with Framework 3.5 installed), the program updated on the client machine without any problem. The update process did, however, include the additional dialog box triggered by the Certificate that you would see if you were not upgrading but, instead, installing the program for the first time.

     

    I do not know if deploying a program by publishing it with a new certificate from VS2005 (not VS2008) would work -- as long as the client has Framework 3.5 installed.

     

    So, the Clickonce problem is fixed as far as I can see and nothing really special had to be done -- it just works now.

     

  • March 6, 2008 19:26 ShadeZero
     
    Thanks tmcrocker. I had the same question.

     

  • March 12, 2008 19:15 RobinDotNet, MVP, Moderator
     

    I just posed this question to someone "in the know". They said if the user had .Net 3.5 *OR* .Net 2.0 with SP-1 applied, it would work. I asked in reference to Visual Studio 2008, I didn't ask about VS2005.

     

    I sent a follow-up question about .Net 3.0, but haven't received an answer yet.

     

    The only other new thing that they changed about ClickOnce in VS2008 is that when it deploys, it can be installed with IE, Firefox, Opera, *or* Safari -- it now works with all of the browsers with no plug-ins required. I thought that was pretty cool.

     

    RobinS.

    GoldMail.com

  • June 19, 2008 16:15 PatriciaCK
     

    When we run this utility, do we create the NewCertificate pfx and CN name?  Is the password for the new certificate?  The old certificate was created by ClickOnce so I don't know a password if that is what is to be used.

     

    Also, is there an executable created yet or do we still have to create it ourselves?

  • June 19, 2008 20:12 RobinDotNet, MVP, Moderator
     

    Are you using VS2005 or VS2008? If you're using VS2008, you won't need to do anything when you change your certificate.

     

    Either way, you can create a new certificate by going to the signing tab under the project properties for your main project, and create a certificate there and select it to be used by your project.

     

    RobinS.

    GoldMail.com

     

  • June 23, 2008 19:00 PatriciaCK
     

    I did create the executable based on instructions from the KB925521 site.  It ran fine.  In answer to my questions, the New Certificate pfx and Name are created by you.  The password is for the old certificate.  My certificate was created by the ClickOnce deployment process so it had no password.  You just leave the password parameter blank when running the RenewCert program.
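
A check one could run after RenewCert, added here as an example (it is not part of any post in this thread or of KB 925521): it loads the old and the new .pfx and reports whether both carry the same public key and whether the new one is inside its validity period. The function names, the file names in the usage comment and the separate new-certificate password parameter are assumptions; that the renewed certificate keeps the original key pair is taken from the description of the utility earlier in this thread.

```powershell
# Added example: compare an expired .pfx with the one produced by RenewCert.
# Get-PfxSummary and Test-RenewedPfx are hypothetical helper names.
function Get-PfxSummary {
    param(
        [string] $Path,
        [string] $Password = ''   # VS-generated test certificates may have no password
    )
    $full = (Resolve-Path $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $full, $Password
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotBefore     = $cert.NotBefore          # local time
        NotAfter      = $cert.NotAfter           # local time
        HasPrivateKey = $cert.HasPrivateKey
        PublicKeyHex  = [BitConverter]::ToString($cert.GetPublicKey())
    }
}

function Test-RenewedPfx {
    param(
        [string] $OldPfx,
        [string] $NewPfx,
        [string] $OldPassword = '',
        [string] $NewPassword = ''   # assumption: may differ from the old password
    )
    $old = Get-PfxSummary -Path $OldPfx -Password $OldPassword
    $new = Get-PfxSummary -Path $NewPfx -Password $NewPassword
    $now = Get-Date
    [pscustomobject]@{
        OldSubject        = $old.Subject
        NewSubject        = $new.Subject
        OldNotAfter       = $old.NotAfter
        NewNotAfter       = $new.NotAfter
        OldExpired        = ($old.NotAfter -lt $now)
        NewCurrentlyValid = ($new.NotBefore -le $now -and $now -lt $new.NotAfter)
        NewHasPrivateKey  = $new.HasPrivateKey   # required to sign the manifests
        SamePublicKey     = ($old.PublicKeyHex -eq $new.PublicKeyHex)
        ThumbprintChanged = ($old.Thumbprint -ne $new.Thumbprint)
    }
}

# Usage (placeholder file names):
# Test-RenewedPfx -OldPfx .\OldCertificate.pfx -NewPfx .\NewCertificate.pfx | Format-List
```

A renewed file is expected to show `SamePublicKey` and `NewCurrentlyValid` as True with a changed thumbprint; `SamePublicKey` False means the second file is a different certificate rather than a renewal of the first.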

  • April 24, 2009 14:45 Anshul2000
     
    Hi,

    I found a workaround that might work for some situations, to resolve the expired cert issues.


    I signed the previously deployed versions of the ClickOnce app with the new certificate (new .pfx file). This was done using the Mage.exe that ships with Visual Studio 2005.
    Then I deployed my new version of the ClickOnce app with the new certificate. This was done the usual way of deploying ClickOnce apps.

    After this, when the user went to access the ClickOnce app, they would get just one dialogue that would say 'install' on it. Once they clicked install, the latest version of the app would be installed on their machine (without installing a duplicate ClickOnce app on the machine). After this initial install, auto updates worked just like before, since the new cert was now in place.

    I found this to be a much simpler solution than most of the suggestions posted.

    Thank you,
    Anshul. 
  • April 28, 2009 7:09 RobinDotNet, MVP, Moderator
     
    Except if the users had a prior version installed with the old certificate, it wouldn't update it, it would make them uninstall and reinstall it.

    RobinS.
    GoldMail.com
  • May 28, 2009 19:02 Bonger
     
    Dear Members

    I have the same issue with the old and new certificate.
    But my problem is I can't run the console application to renew the certificates,
    b/c the console shows up and vanishes immediately, and I don't understand what is meant by newcertificate.pfx.


    Bonger
  • May 29, 2009 19:27 Lavagin
     
    I have VS2008 and my certificate expired....so MS didn't fix this issue in 2008???????  Is there a work around????????????
  • June 8, 2009 1:43 RobinDotNet, MVP, Moderator
     
    If you are targeting the .Net 3.5 Framework and using VS2008, you can just re-sign the application and deploy a new version and the user can install it with no problems.

    If you are targeting .Net 2.0 or .Net 3.0, and you have any users running Windows Vista, they will have to uninstall and reinstall, because the fix for this was included in the .Net 2.0 SP-1 and the .Net 3.5 Framework. .Net 2.0 SP-1 installs on XP, but is not available on Vista.

    Here's some more info about this, and how I got around it:

    http://robindotnet.wordpress.com/2009/03/30/clickonce-and-expiring-certificates/

    Please note that the solution listed above about just having them install it again is not a good idea. We tried that, and got multiple entries in the start menu, like "GoldMail" and "GoldMail - 1" and the cache was all messed up.

    Another thing to know is that Microsoft is now pushing the .Net 3.5 Framework out to any computer with any version of .Net on it, as part of the windows updates. So if your users have Windows Updates running automatically, and .Net 3.5 has been installed, the patch is there and you can deploy a new version with a new certificate with no problems.

    RobinDotNet
    Click here to visit my ClickOnce blog!
  • July 21, 2009 3:40 Brian McManus
     

    I'm not so sure this is true.  I am targeting 3.5, using VS2008, I have re-signed the application (both the Click-Once manifest and the assembly) with a new certificate, published the new version and users get the following error when the add-in attempts to upgrade:

    Exception: Specified argument was out of the range of valid values.
    Parameter name: entryValue


    ************** Exception Text **************
    System.ArgumentOutOfRangeException: Specified argument was out of the range of valid values.
    Parameter name: entryValue
       at Microsoft.VisualStudio.Tools.Applications.Deployment.RegistryStore.Retrieve(String entryName, Object entryValue, CompareDelegate compareMethod)
       at Microsoft.VisualStudio.Tools.Applications.Deployment.MetadataStore.UpdateLastCheckedTime(String subscriptionID, DateTime newLastCheckedTime)
       at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()


    This post also hints that VS2008/3.5 is still impacted by this issue:  http://social.msdn.microsoft.com/Forums/en-US/vsto/thread/2e35c723-0182-414a-b391-548ffd878d62

    Anyone else still having issues?

    Brian
  • July 21, 2009 5:41 RobinDotNet, MVP, Moderator
     

    In the testing I have done, there is no problem updating the certificate and republishing a new version when targeting .Net 3.5 and using VS2008.

    As noted in the link you provided, "Specified argument was out of the range of valid values" is not a certificate-expired error message.

    However, I do have a question. Are you doing programmatic updates or automatic updates? Because there is no fix for programmatic updates.

    RobinDotNet


    Click here to visit my ClickOnce blog!
  • July 21, 2009 15:57 Brian McManus
     
    Many thanks for the quick reply.

    We're doing automatic updates.

    While this is not explicitly a certificate-expired error message it does seem very likely that the underlying cause is related to the updated application being signed with a new certificate.

    Do you have any details (KB number, Release Note, etc) on what the specific fix in 3.5 is?

     
    Thanks,

    Brian
  • July 22, 2009 15:39 RobinDotNet, MVP, Moderator
     
    Is it a desktop application? Or is it a VSTO application?  (I just noticed the word 'add-in' in your original post).

    RobinDotNet
    Click here to visit my ClickOnce blog!
  • July 31, 2009 8:33 RobinDotNet, MVP, Moderator
     
    From what I understand, they changed it so if you already have a certificate installed, it doesn't use it as part of the identity when checking for updates. This removed the problem when you update your application with a different certificate.

    RobinDotNet
    Click here to visit my ClickOnce blog!
  • August 4, 2009 21:37 Brian McManus
     
    We have a VSTO application (Outlook AddIn).  I republished with the old cert before it expired and since it expired we have not had any issues with customers using the AddIn.

    So right now I have an expensive certificate that I can't use (and it would seem I don't need).   If anyone from Microsoft would like to chip in on this it would be much appreciated.

    Many Thanks,

    Brian
  • August 6, 2009 1:44 RobinDotNet, MVP, Moderator
     

    Are you never ever going to need to publish an update to your Add-In? Because it will continue to work until then. You can not publish anything as a ClickOnce application with an expired certificate.

    You're welcome.

    RobinDotNet


    Click here to visit my ClickOnce blog!
  • August 6, 2009 19:56 Brian McManus
     
    Thanks for sticking with this Robin. 

    I certainly will have to update our Add-In so I'm hoping to find a solution before I need to do that.

    Brian
  • August 6, 2009 22:09 RobinDotNet, MVP, Moderator
     
    It's no problem. I *completely* understand how frustrating this is, as my company's certificate is about to expire again, and I have to do the whole uninstall/reinstall thing again in the next 39 days. (No pressure.)

    If you are targeting .Net 3.5, you shouldn't have a problem if you just sign it with a new certificate. I'll send an e-mail to someone I know at MSFT and see if that's true for VSTO applications and post back here when I get a response.

    If you're pulling updates programmatically, you *have* to uninstall/reinstall.

    RobinDotNet
    Click here to visit my ClickOnce blog!
  • August 10, 2009 5:34 RobinDotNet, MVP, Moderator
     

    Just to follow up, I did check with someone I know at MSFT, and for VSTO applications deployed with .Net 3.5/VS2008, you should be able to change the certificate without any problems.  I'll have to do this by mid-September, so if I find otherwise, I'll post back.

    RobinDotNet
    Click here to visit my ClickOnce blog!