Handling an expired ClickOnce signing certificate for a VSTO Addin

    Question

  • I'm working on a VSTO (3.0), Word 2007 (application-level) ClickOnce-deployed AddIn using Visual Studio 2008 SP1. We have released and deployed a version of the application using ClickOnce; the ClickOnce deployment and manifest have been signed with a test certificate created via Visual Studio. This certificate was originally generated from VS2005SE and has since expired.

    Realizing that we are now unable to create/sign the ClickOnce for the application due to the expired certificate, we obtained a new certificate from Thawte. We are now able to sign and create a new ClickOnce deployment for the new version of the application.

    However, we have encountered a problem when an existing installation of the application (old version installed via ClickOnce, signed with the expired test certificate) checks for updates after the new ClickOnce files have been installed alongside the original ones. In this case, an exception is thrown from the (Word Addin) application when it starts, stating the following:

        Specified argument was out of the range of valid values.
        Parameter name: entryValue

        Exception Text
        System.ArgumentOutOfRangeException: Specified argument was out of the range of valid values.
        Parameter name: entryValue
          at Microsoft.VisualStudio.Tools.Applications.Deployment.RegistryStore.Retrieve(String entryName, Object entryValue, CompareDelegate compareMethod)
          at Microsoft.VisualStudio.Tools.Applications.Deployment.MetadataStore.UpdateLastCheckedTime(String subscriptionID, DateTime newLastCheckedTime)
          at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()

    After this error occurs, the Word Addin is disabled. If the new ClickOnce deployment is removed, leaving only the original one, then the Addin can be re-enabled and it functions normally again, just not upgraded.

    With the change in ClickOnce signing certificates, I was expecting to see an error like "The deployment identity does not match the subscription." So I am not 100% convinced that this particular error that I am experiencing is due to the change of ClickOnce signing certificates or not.

    Questions:

    1. Can anyone verify that this error is in fact due to signing the upgraded deployment with a new certificate or something else entirely?
    2. Can a completely new certificate be used to sign a ClickOnce application and have it be upgraded automatically without any uninstall/reinstall?
    3. If not, can a "renewed" certificate from Thawte or VeriSign containing new public/private keys maintain ClickOnce upgradability?
    4. In any case, what approach does Microsoft recommend for upgrading ClickOnce applications signed with an expired certificate?

    Notes:

    • The Addin in this case is configured to check for updates every time it runs.
    • The same behavior has been experienced using a code signing certificate from Thawte and generating a new certificate via Visual Studio.
    • I saw that this old post discussed a similar issue, however most of the discussion refers to VS2005 and does not mention this particular error message.
    • The error I am seeing suggests that the Addin is attempting to update the registry with the "last checked time" but fails because it cannot find the correct registry key. I believe that the registry key used here might have something to do with the ClickOnce signing certificate, although I am not sure.

    Any information you can provide regarding this issue would be greatly appreciated.


    Thanks,
    Harry Sauers

    Thursday, April 02, 2009 7:08 PM

Answers

  • Hello,

    If we just talk about the 
    Specified argument was out of the range of valid values.
        Parameter name: entryValue
    this is not an issue which is caused by an expired certificate.
    Here's a thread which discusses the same issue:
    http://social.msdn.microsoft.com/forums/en-US/winformssetup/thread/60bf2273-c95d-4e69-84b6-433d2bb6f282/

    To your questions:

    The issue which KB 925521 mentioned is fixed in Orcas.
    As far as I know there's no documentation on this.
    WinForms ClickOnce and VSTO ClickOnce are related, but not exactly the same.

    Thanks



    We have published a VSTO FAQ recently; you can view it from the entry thread VSTO FAQ.
    If you have any feedback or suggestions on this FAQ, please feel free to write us emails to colbertz@microsoft.com.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
    • Marked as answer by Tim Li Friday, April 10, 2009 2:48 AM
    Thursday, April 09, 2009 8:40 AM
  • However, we could try to uninstall and reinstall the solution as KB 925521 shows; also, we could directly try to install the new version to overwrite the old one.

    Thanks


    • Marked as answer by Harry Sauers Monday, April 13, 2009 12:50 PM
    Thursday, April 09, 2009 8:45 AM

All replies

  • Hello Harry,

    Your questions 1 and 4 are answered in this KB article:
    http://support.microsoft.com/default.aspx/kb/925521/en-us

    And here is a guide to resolve your issue:
    http://blogs.msdn.com/danielma/archive/2007/03/19/clickonce-and-expired-certificates.aspx.

    Also, the link to an old post in your post is broken.
    Thanks
    Tuesday, April 07, 2009 8:40 AM
  • Realizing that we are now unable to create/sign the ClickOnce for the application due to the expired certificate, we obtained a new certificate from Thawte. We are now able to sign and create a new ClickOnce deployment for the new version of the application.

    However, we have encountered a problem when an existing installation of the application (old version installed via ClickOnce, signed with the expired test certificate) checks for updates after the new ClickOnce files have been installed alongside the original ones. In this case, an exception is thrown from the (Word Addin) application when it starts, stating the following:



    So just to clarify this statement... did you republish to the same location or did you publish to a slightly different location with the new certificate?  If you want to update the certificate you must publish to the same location exactly with a new version number.

    I.e.:
    if your initial path is http://foo/foo/solution.vsto (with files existing in solution_1_0_0_0)
    (same) is your new certificate published to http://foo/foo/solution.vsto (with files existing in solution_1_0_0_1)
    OR
    (slightly different) is your new certificate published to http://foo/foo/solution2.vsto

    The first one is correct, the second one is not.  VSTO does not allow you to publish a solution to 2 different locations and install it from both.
    Tuesday, April 07, 2009 6:34 PM
    Answerer
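
    A pre-publish check for the scenario in this thread, as an added example that is not from any poster or from Microsoft: it compares the top-level `assemblyIdentity` of the currently published deployment manifest with that of the new one and reports a changed name, a version that did not increase, or a changed `publicKeyToken` (which follows the signing key). The manifest snippets and token values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ASM_V1 = "{urn:schemas-microsoft-com:asm.v1}"

def deployment_identity(manifest_xml):
    """Return (name, version tuple, publicKeyToken) from a deployment manifest."""
    root = ET.fromstring(manifest_xml)
    ident = root.find(ASM_V1 + "assemblyIdentity")
    if ident is None:
        raise ValueError("no top-level assemblyIdentity element")
    version = tuple(int(p) for p in ident.get("version", "0").split("."))
    return ident.get("name"), version, (ident.get("publicKeyToken") or "").lower()

def update_findings(old_xml, new_xml):
    """List identity differences between the published and the new manifest."""
    old_name, old_ver, old_tok = deployment_identity(old_xml)
    new_name, new_ver, new_tok = deployment_identity(new_xml)
    findings = []
    if new_name != old_name:
        findings.append("name changed")
    if new_ver <= old_ver:
        findings.append("version not increased")
    if new_tok != old_tok:
        findings.append("publicKeyToken changed (different signing key)")
    return findings

def _manifest(name, version, token):
    # Constructed, minimal stand-in for a .vsto deployment manifest.
    return (
        '<asmv1:assembly xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" '
        'manifestVersion="1.0">'
        f'<assemblyIdentity name="{name}" version="{version}" '
        f'publicKeyToken="{token}" language="neutral" '
        'processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />'
        '</asmv1:assembly>'
    )

# Constructed samples: the token values are placeholders, not real tokens.
OLD = _manifest("mywordaddin.vsto", "1.1.0.0", "aaaaaaaaaaaaaaaa")
NEW_SAME_KEY = _manifest("mywordaddin.vsto", "1.1.0.1", "aaaaaaaaaaaaaaaa")
NEW_OTHER_KEY = _manifest("mywordaddin.vsto", "1.1.0.1", "BBBBBBBBBBBBBBBB")

if __name__ == "__main__":
    print(update_findings(OLD, NEW_SAME_KEY))
    print(update_findings(OLD, NEW_OTHER_KEY))
```

    Running it against the real old and new `.vsto` files before replacing the published copy shows whether the identity installed clients subscribed to still matches what they will find at the same path.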
  • Thanks for the good information Tim and Kris.

    Regarding Tim's points:
    So, I had come across the KB article you mentioned previously but was not sure if it applied to my case since I am using Visual Studio 2008 and the KB article appears to apply to Visual Studio 2005; some posts I have come across suggest that a similar issue was fixed with VS2008. Also, the error message described in the KB article is not the error message I am seeing.

    The link you provided to the MSDN blog is also very good. However, it also suggests that the issue may have been fixed in Visual Studio 2008 (Orcas); the Summary paragraph towards the end suggests this. The options presented sound like a reasonable solution to the problem described. However, given the fact that my issue involves VS2008 and a different error message, it is not clear to me that these solutions will necessarily resolve the issue I have encountered.

    • Can you verify that the issue is still an issue when using Visual Studio 2008 and that the error message I am encountering, "Specified argument was out of the range of valid values" is in fact a known symptom of this issue?
    • Is there any documentation (I could not find any) to suggest precisely what was fixed in VS2008 regarding expired ClickOnce signing certificates?
    • Is the fact that this is a VSTO ClickOnce application significant? I.e. is the different error message expected in this scenario since it is a VSTO ClickOnce?

    Note that the application signed with a certificate that has since expired still works fine. The error occurs only when trying to upgrade (via ClickOnce) to a new version of the application that has been signed with a new, not-yet-expired certificate. 

    The full link to the "old post" I referred to previously:
    http://social.msdn.microsoft.com/forums/en-US/winformssetup/thread/bb548d01-75ba-4236-bc96-9d409e2fe49e/


    Regarding the publish location:
    The same location was used for the new version of the application, signed with the new certificate. We used a UNC path in this particular case:

    Initial path: \\server\foo\foo\mywordaddin.vsto with files in mywordaddin_1_1_0_0
    New path (signed with new cert): \\server\foo\foo\mywordaddin.vsto with files in mywordaddin_1_1_0_1

    So I believe we are using the correct one. However, since you asked this, it is probably important to note that the initial (previous version) files are wiped clean in the publish process for the new version. So usually, the old version's ClickOnce "Application Files" files exist alongside of the new version's files. However in this case, only the new files exist due to an issue with the installer publishing these ClickOnce files and other things on to the server. This same process has worked in the past for the VSTO upgrade before we changed the signing certificate. I am not sure how relevant this is, but I thought I would mention it any way.


    Thanks again,
    Harry

    Wednesday, April 08, 2009 1:10 PM
  • Thanks for your help.

    Tim, I had seen the thread you mentioned about the specific "Specified argument was out of the range of valid values" error; I do not believe the issue I am experiencing has the same solution as the one mentioned in the thread as my scenario does not involve MIME types; the ClickOnce application is being deployed over the local network, not over HTTP. In addition the same file extensions are used/deployed successfully when the ClickOnce installation is not an upgrade.

    So given that the expired ClickOnce certificate issue (KB 925521) was fixed in VS2008 and that the error message I am seeing does not appear to be necessarily related to an expired certificate, I think the only option is to uninstall and reinstall the new version created with the new certificate as that is the only solution we have found to work.

    If there is any other information about the specific error message I would be interested to know what it really means in this case.

    Thanks,
    Harry
    • Marked as answer by Harry Sauers Monday, April 13, 2009 12:49 PM
    • Unmarked as answer by Harry Sauers Monday, April 13, 2009 12:50 PM
    Monday, April 13, 2009 12:49 PM
  • Hi Harry,

    Did you find something new to fix this issue?

    In fact, I have exactly the same problem with an Addin published with ClickOnce and the only workaround is the uninstall/reinstall.
    It is not a good solution as you lose one of the main benefits of such a deployment if you need to redeploy your software every time your certificate is expired.
    I am very surprised because every thread says that Visual Studio 2008 SP1 has a fix for this.

    Regards,
    JP
    Friday, September 25, 2009 11:57 AM
  • Harry,

    I have this exact scenario and like you I feel like I have exhausted any suggestions found online.  Did you resolve this issue?

     

    Thanks,

     

    Brian

    Friday, May 14, 2010 6:49 PM
  • Hi Guys,

     

    Any news regarding this issue?

     

    Regards,

    Alaa

    Thursday, July 01, 2010 9:27 AM
  • I had exactly the same error after deleting the registry key for the add-in.

    By publishing a new version of the add-in I could then install via clickOnce without the error.

     

    Friday, November 25, 2011 3:13 PM