none
Untrusted Publisher

    Question

  • I'm trying to install a VSTO add-in that I created in Visual Studio VB.net. The add-in won't finish installing, but gives the message:

    "The solution can not be installed because it is signed by a publisher whom you have not yet chosen to trust. If you trust the publisher, add the certificate to the Trusted Publisher list."

    Upon installation, it never gives the user the option to trust the publisher; it just gives this error, and the user has to close the error window to proceed. How can I give the user to option to trust the publisher, or even make the problem not occur?


    Gina

    Tuesday, December 17, 2013 7:59 PM

Answers

All replies

  • Hello Gina,

    You get such messages due to the Trust Center settings of the host application. Please do the following steps (for Office 2013):

    1. Open the host application
    2. Go to the Options dialog
    3. Select the Trust Center tab in the dialog
    4. Click the Trust Center Settings button
    5. Select the Trusted Publishers tab in the Trust Center dialog

    Now you can see the list of trusted publishers. You can read more about trusted publishers in the Add, remove, or view a trusted publisher article. Also please take a look at the following pages:

     

    Tuesday, December 17, 2013 9:18 PM
  • Below is probably the relevant part from your link, but it doesn't work.  Under Trusted Publisher, there are no publisher's certificates to click and OK.  Should one be showing up for my addin?  If so, why doesn't it?  Again, the user never gets a prompt asking whether to trust the publisher or not.  I've read in other posts that people should get a prompt upon loading the addin.

    Add a trusted publisher via the Trust Center

    If you know that active content (macros, ActiveX controls, data connections, and so on) from a new publisher is reliable, you can add the publisher to the trusted publishers list in the Trust Center.

    1. Open the file from the new publisher.
    2. Click File > Options.
    3. Click Trust Center > Trust Center Settings > Trusted Publishers.
    4. In the list, select the publisher's certificate, and then click OK.

    Gina

    Tuesday, December 17, 2013 10:05 PM
  • Hi Gina,

    How did you deploy the add-in? If you deploy the add-in by Clickonce and publish the add-in with a temporary certificate, the end user will be prompted to make a trust decision. (Granting Trust to Office Solutions)
    I deploy the add-in by click once and when I check the option like figure below( Option->Trust Center-> Add-ins):
     
    When I install the add-in it did prompt me whether to trust the Publisher. However the error occurred when I start the Excel application. Then I uncheck the “Require Application Add-ins to be signed by Trusted Publisher” and error was disappeared.

    I suggest you trying to uncheck this option to see whether this issue was fixed.

    Best Regards

    Fei


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    • Marked as answer by Gina Becker Thursday, December 19, 2013 3:36 PM
    • Unmarked as answer by Gina Becker Thursday, December 19, 2013 5:10 PM
    Thursday, December 19, 2013 1:14 PM
  • I'm using Advanced Installer.   Yes, I had already found I could make the problem not occur by clicking what you showed to click in the Trust Center. 

    But I'm afraid that clients who have this checked will be reluctant to un-check it because of fear of security problems, or else that it might be company policy to check it.

    I'm applying for a code signing certificate.  Do you think this will stop the problem?


    Gina

    Thursday, December 19, 2013 2:23 PM
  • Hello Gina,

    You are on the right avenue. The certificate should help to bridge the gap (while keeping settings turned on).

    • Marked as answer by Gina Becker Thursday, December 19, 2013 3:36 PM
    • Unmarked as answer by Gina Becker Thursday, December 19, 2013 5:10 PM
    Thursday, December 19, 2013 2:31 PM
  • I have signed the code with my purchased certificate, but I still get the error message when trying to install the software on a client's machine.


    Gina


    • Edited by Gina Becker Thursday, December 19, 2013 5:11 PM
    Thursday, December 19, 2013 5:11 PM
  • Gina,

    Did try to add a certificate the list of trusted ones?

    Thursday, December 19, 2013 6:05 PM
  • Yes, but I can find no option to do that. 

    Gina

    Thursday, December 19, 2013 8:19 PM
  • Part of the error message says,

    "The Zone of the assembly that failed was:

    MyComputer


    Gina

    Thursday, December 19, 2013 8:20 PM
  • Hi Gina,

    Thanks for sharing us with the detail information.

    Did this error message occurred when you install the Excel add-in or run to load application?

    When an Office solution is installed or updated, the Visual Studio Tools for Office runtime performs a set of security checks in a specific sequence to make a trust decision. A solution is installed or updated only if the runtime determines that the solution is trusted.

    Standalone applications are deployed using either ClickOnce or Windows Installer. Either way, standalone applications require full trust to run. Full trust is automatically granted to standalone applications that are deployed using Windows Installer. Standalone applications that are deployed using ClickOnce are not automatically granted full trust. Instead, ClickOnce displays a security warning dialog that users must accept before a standalone application is installed. If accepted, the standalone application is installed and granted full trust. If not, the standalone application is not installed.

    I suggest you using ClickOnce to deploy the Office solution to see the whether this issue is fixed.
    You can follow links below to deploy the Office solution by ClickOnce or Windows Installer:
    Deploying an Office Solution by Using ClickOnce
    Deploying an Office Solution by Using Windows Installer

    Best regards

    Fei

     

     


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    Friday, December 20, 2013 10:56 AM
  • Fei,

    The software seems to install fine, but when I open Excel, I get the error message.  During no point of installation or opening the program does the user get a warning prompt that gives the user the option of accepting the publisher or application.  The error message gives no button that the user can click to add the publisher to the Trusted Publisher list.  I think the program should prompt the user to ask if he wants to accept the program or publisher, but it does not.   I'm not sure what I'm doing wrong.  I get the same error whether I install using ClickOnce or if I install with Advanced Installer.

    Here is a picture of the error:


    Gina

    Friday, December 20, 2013 3:18 PM
  • Hello Gina,

    Thank you for providing us with a screenshot.

    You get such error message because you didn't add a certificate to the list of trusted publishers. The Plan and configure Trusted Publishers settings for Office 2013 article states the following:

    There are two methods that you can use to add a publisher’s certificate to the Trusted Publishers list: the Office Customization Tool (OCT) or Group Policy. The OCT provides no settings for managing certificates other than adding a trusted publisher’s certificate to the Trusted Publishers list. If you want to manage certificate trust or if you want to establish specific trust relationships to satisfy business scenarios, you must use Group Policy. For more information about how to add trusted publishers to the Trusted Publishers list and how to manage trusted root certificates, see Manage Trusted Root Certificates and Manage Trusted Publishers.

    Friday, December 20, 2013 3:31 PM
  • Thank you, Eugene.

    I've followed the directions in each of these documents to allow users to trust publishers and trusted root certificates.  I still get the error message.  I don't think the problem is with settings on the end users' machine.  I suspect my certificate isn't signing the application properly.

    I spent over 2 hours with a tech support person from Symantec (whom I bought the certificate from), who was able to see my desktop and guide me through procedures.  He has a lot of experience helping people set up programs (including VSTO) for use with the code signing certificates that they sell.  He said it is not normal to receive the error message I got.  Usually, when a code has been signed by a CA certificate, the user does not get any warning message and the program installs.  He said it was beyond his scope then, that I should contact Microsoft.

    In Visual Studio, project properties, the "Signing" tab, should I check both the "Sign the ClickOnce manifests" and the "Sign the assembly"?   I now only have "Sign the ClickOnce manifests" checked.  The tech guy and I tried also importing a certificate for "Sign the assembly" (we imported a version that did not include the "intermediate" certificates for this part, because that was how he had resolved other customers' issues, but the move would always give build errors.


    Gina


    p.s.  If the error were due to user settings, shouldn't the error list the name of the publisher (my company name) when discussing trusted publishers?  If my code were getting signed properly?   Because the error doesn't list my company name, I'm thinking that it's not being signed properly.  As I said, it seems to install correctly with click once, but then when I open Excel, I get this error.  I get the same error when I go to Excel Options, select the COM add-ins, select my add-in from the list, and try to attach it that way.
    • Edited by Gina Becker Friday, December 20, 2013 4:04 PM added more info
    Friday, December 20, 2013 3:58 PM
  • Eugene,Also, about your recommendation to add a certificate to the list of trusted publishers (doc Plan and configure Trusted Publisher settings):  None of that works.  I never, during any part of the process described, get a prompt that gives the option to add the publisher to the list.    I only get the error message pasted above, which gives no option to add a publisher.

    Best,

    GIna


    Gina

    Friday, December 20, 2013 4:18 PM
  • Gina,

    As far as I understand, you signed only the ClickOnce installer with your own certificate. The whole process is described in the ClickOnce Manifest Signing and Strong-Name Assembly Signing Using Visual Studio Project Designer's Signing Page article in MSDN. That is why I have the following questions for you:

    1. Do your see your name (publisher's name) in the list of trusted publishers in Office after going through the steps described here?

    2. Did you have a chance to digitally sign the add-in assembly with the certificate? Note, I don't mean the strong name. Visual Studio doesn't provide any options for this, you need to use the signtool.exe utility.

    • Marked as answer by Gina Becker Saturday, December 21, 2013 1:38 PM
    Saturday, December 21, 2013 10:14 AM
  • Eugene,

    Thank you!  I am leaving town this morning for the holidays, but will have a chance to work on this in a few days.  I am pretty sure this is what I need to make this work.

    I do not see my name in the trusted publishers list unless I open the cmd prompt and add it manually.  Then the program installs fine.   I was thinking of adding a program in my installation package to do this.  I also found that I should only use the final certificate to make it work properly, not the chain of certificates including intermediates, which the CA provider said I needed.

    Thank you again.

    Gina


    Gina

    Saturday, December 21, 2013 1:38 PM