How to sign a VSTO project (Outlook 2007) using VS 2010

  • Question

  • I've created an Outlook 2007 add-in In VS 2010 which I need to deploy to all users via the Windows Installer (MSI).  After the installer is run, Outlook will prompt with an "Unknown Publisher" prompt to install when it is opened next. 

    I've created a certificate using makecert (.cert and .pfx files).  I've added the .pfx file into the solution using project properties, signing, and selecting it under both "Sign the ClickOnce manifests" and "Sign the assembly".  Finally, I've added my cert to my local computer under both the "Trusted Root Certification Authorities" and "Trusted Publishers" stores.  Unfortunately I still get the same prompt saying "Unknown Publisher".  Any ideas or suggestions?  I've seen a few posts mentioning the use of mage but I don't know if that applies to me.  THANKS!

    Tuesday, May 22, 2012 5:33 PM

Answers

  • That cert should provide the warning on your computer and won't be trusted on any other computers. I would not attempt to use it for deployment to other users. I would purchase a valid Authenticode certificate, that should solve all the problems without trying to jump through all sorts of hoops and not get what you want at the end anyway.
     
    If you do deploy it and manage to get it trusted on other computers I think you'd still see the warning anyway.

    --
    Ken Slovak
    MVP - Outlook
    http://www.slovaktech.com
    Author: Professional Programming Outlook 2007
     
     
    "RyanSTV" <=?utf-8?B?UnlhblNUVg==?=> wrote in message news:57552027-beac-4dfb-b332-53b9feeaf01d...
    Interesting info, thanks Ken.  My thought was that the certificate I created (using makecert) could be deployed to all users in advance of this add-in.  Do you think that would cause issues?  I saw a few other forums where this seems to be an option, although I'm not sure what negative side-effects it could cause.

    Ken Slovak MVP - Outlook
    • Marked as answer by RyanSTV Thursday, May 24, 2012 12:54 PM
    Wednesday, May 23, 2012 3:37 PM
  • Most probably Ken is right, however if you have some patience I will try to use a self-signed add-in to display the proper publisher and let you know the results. I think there is also another option, but I'm not sure: install .NET 4.0 on the machine with Office 2007, recompile your add-in to use .NET 4.0 and try to install it to %programfiles%. The documentation says that the plugin will be trusted by default in such a situation, but I have never tried it with Office 2007 (since you control deployment you can also push the installation of .NET 4.0).

    • Marked as answer by RyanSTV Thursday, May 24, 2012 12:54 PM
    Thursday, May 24, 2012 6:41 AM

All replies

  • Those methods of "signing" code do what's called strong naming. For the unknown publisher message to not be shown the MSI and setup.exe if there is one need to be Authenticode signed using signcode.exe. See http://msdn.microsoft.com/en-us/library/9sh96ycy(v=vs.80).aspx
     
    FWIW, that certificate of yours doesn't trace back to a certificate authority and won't be recognized by Windows Installer as valid except where target users install the certificate themselves in their trusted certificates store. For normal deployment a certificate from an authority such as Verisign or Thawte would be used.

    --
    Ken Slovak
    MVP - Outlook
    http://www.slovaktech.com
    Author: Professional Programming Outlook 2007
     
     
    "RyanSTV" <=?utf-8?B?UnlhblNUVg==?=> wrote in message news:0d3ab2da-779e-4735-afd0-0f4a784c60a4...

    I've created an Outlook 2007 add-in In VS 2010 which I need to deploy to all users via the Windows Installer (MSI).  After the installer is run, Outlook will prompt with an "Unknown Publisher" prompt to install when it is opened next. 

    I've created a certificate using makecert (.cert and .pfx files).  I've added the .pfx file into the solution using project properties, signing, and selecting it under both "Sign the ClickOnce manifests" and "Sign the assembly".  Finally, I've added my cert to my local computer under both the "Trusted Root Certification Authorities" and "Trusted Publishers" stores.  Unfortunately I still get the same prompt saying "Unknown Publisher".  Any ideas or suggestions?  I've seen a few posts mentioning the use of mage but I don't know if that applies to me.  THANKS!


    Ken Slovak MVP - Outlook
    Tuesday, May 22, 2012 5:46 PM
  • You need to add a custom setup action in your MSI installer that will add an entry to the inclusion list during install.

    http://msdn.microsoft.com/en-us/library/bb608607.aspx

    http://msdn.microsoft.com/en-us/library/ff937654.aspx

    Tuesday, May 22, 2012 6:03 PM
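The inclusion-list entry Damian describes, written out as an added example in PowerShell (editor's code, not from the thread or the linked articles). It assumes Windows PowerShell 5.1 on the .NET Framework, that the .vsto deployment manifest was signed with the certificate whose public part is in $CertPath, and that $ManifestPath is where the MSI installs the manifest; the paths are placeholders. The registry layout is the one the VSTO runtime reads: a GUID-named key under HKCU\Software\Microsoft\VSTO\Security\Inclusion with a Url value (the manifest location) and a PublicKey value (the signer's RSA public key in .NET XML form). Because the key is under HKCU, this is a per-user trust decision: an MSI custom action that runs as an administrator or SYSTEM writes it only for that account, which is the limitation Damian raises for unattended installs.

```powershell
# Added example (editor's, not from the thread): write a VSTO inclusion-list entry
# for the current user. Assumed: Windows PowerShell 5.1 on .NET Framework, the .vsto
# was signed with the certificate in $CertPath, and $ManifestPath is where the MSI
# puts the deployment manifest. Both paths are placeholders.
param(
    [string]$ManifestPath = 'C:\Program Files\Contoso\OutlookAddIn\OutlookAddIn.vsto',  # assumed
    [string]$CertPath     = 'C:\codesigning\test.cer'                                   # assumed (.cer, public part only)
)
$ErrorActionPreference = 'Stop'

# The inclusion list lives under HKCU: it is a per-user trust decision, so an MSI
# custom action running as SYSTEM or as the installing admin does not populate it
# for the other users of the machine.
$inclusionRoot = 'HKCU:\Software\Microsoft\VSTO\Security\Inclusion'
if (-not (Test-Path $inclusionRoot)) { New-Item -Path $inclusionRoot -Force | Out-Null }

# Url: the deployment manifest as a file URI (forward slashes, file:/// prefix),
# without the |vstolocal suffix that the add-in's Manifest registration carries.
# Resolve-Path fails loudly if the manifest is not where we think it is.
$url = 'file:///' + ((Resolve-Path $ManifestPath).Path -replace '\\', '/')

# PublicKey: the signing certificate's RSA public key in .NET XML form
# (<RSAKeyValue><Modulus>..</Modulus><Exponent>..</Exponent></RSAKeyValue>), the
# same key the runtime finds in the manifest's XML signature.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$rsa  = $cert.PublicKey.Key -as [System.Security.Cryptography.RSACryptoServiceProvider]
if (-not $rsa) { throw "Not an RSA certificate: $($cert.Subject)" }
$publicKeyXml = $rsa.ToXmlString($false)   # $false = public parameters only

# One entry per manifest: update an existing key that already carries this Url,
# otherwise create a new key; the key name is any unique GUID.
$existing = Get-ChildItem $inclusionRoot |
    Where-Object { (Get-ItemProperty $_.PSPath).Url -eq $url } |
    Select-Object -First 1
$keyPath = if ($existing) { $existing.PSPath } else {
    (New-Item -Path (Join-Path $inclusionRoot ([guid]::NewGuid().ToString('B'))) -Force).PSPath
}
Set-ItemProperty -Path $keyPath -Name 'Url'       -Value $url
Set-ItemProperty -Path $keyPath -Name 'PublicKey' -Value $publicKeyXml

# Print the entry so it can be compared with what the installer's custom action wrote.
Get-ItemProperty -Path $keyPath | Select-Object PSChildName, Url, PublicKey
```

Run it as the user who will start Outlook, then compare the printed Url and PublicKey with the registry entry the installer's custom action produced; a mismatch in either value (a different path, a key from a different certificate) means the runtime will not match the entry and will still prompt.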
  • Ken, thanks for the quick reply!  I've never used signcode.exe before so I apologize if any of my questions are a bit confusing.  From what I've read I need to use SignTool, however I'm not sure what files I'm specifically signing.  Would I sign the setup.exe and MSI files, or am I signing something within the solution? 
    Those methods of "signing" code do what's called strong naming. For the unknown publisher message to not be shown the MSI and setup.exe if there is one need to be Authenticode signed using signcode.exe. See http://msdn.microsoft.com/en-us/library/9sh96ycy(v=vs.80).aspx
    FWIW, that certificate of yours doesn't trace back to a certificate authority and won't be recognized by Windows Installer as valid except where target users install the certificate themselves in their trusted certificates store. For normal deployment a certificate from an authority such as Verisign or Thawte would be used.

    --
    Ken Slovak
    MVP - Outlook
    http://www.slovaktech.com
    Author: Professional Programming Outlook 2007
    "RyanSTV" <=?utf-8?B?UnlhblNUVg==?=> wrote in message news:0d3ab2da-779e-4735-afd0-0f4a784c60a4...

    I've created an Outlook 2007 add-in In VS 2010 which I need to deploy to all users via the Windows Installer (MSI).  After the installer is run, Outlook will prompt with an "Unknown Publisher" prompt to install when it is opened next. 

    I've created a certificate using makecert (.cert and .pfx files).  I've added the .pfx file into the solution using project properties, signing, and selecting it under both "Sign the ClickOnce manifests" and "Sign the assembly".  Finally, I've added my cert to my local computer under both the "Trusted Root Certification Authorities" and "Trusted Publishers" stores.  Unfortunately I still get the same prompt saying "Unknown Publisher".  Any ideas or suggestions?  I've seen a few posts mentioning the use of mage but I don't know if that applies to me.  THANKS!


    Ken Slovak MVP - Outlook

    Tuesday, May 22, 2012 6:11 PM
  • Hi Damian, thanks for your response.  I've followed that guide and updated my local registry however it didn't seem to change anything.  As soon as I started Outlook afterwards I again got the prompt noting the Unknown Publisher.

    You need to add a custom setup action in your MSI installer that will add an entry to the inclusion list during install.

    http://msdn.microsoft.com/en-us/library/bb608607.aspx

    http://msdn.microsoft.com/en-us/library/ff937654.aspx


    Tuesday, May 22, 2012 6:18 PM
  • please show code for your custom action in installer and write here entries that appear in your registry after installation.
    Tuesday, May 22, 2012 6:35 PM
  • You would sign both the setup.exe and the MSI. That way if someone were to run just the MSI they wouldn't get the warning and the same applies if they run setup.exe, which runs the MSI by chaining after checking for prerequisites.
     
    I usually use a bat file in a folder where I have signcode.exe installed, along with some other signing and certificate tools. My bat file looks like this, I call it with the name of what I want signed:
     
    c:\codesigning\signcode.exe -spc mycredentials.spc -v myprivatekey.pvk -t http://timestamp.verisign.com/scripts/timstamp.dll %1
    The certificate SPC and PVK files are the private and public key files for my certificate, the -t argument time stamps the certificate signature.

    --
    Ken Slovak
    MVP - Outlook
    http://www.slovaktech.com
    Author: Professional Programming Outlook 2007
     
     
    "RyanSTV" <=?utf-8?B?UnlhblNUVg==?=> wrote in message news:8fbf216a-a503-41e3-8905-e0898d92ef6d...
    Ken, thanks for the quick reply!  I've never used signcode.exe before so I apologize if any of my questions are a bit confusing.  From what I've read I need to use SignTool, however I'm not sure what files I'm specifically signing.  Would I sign the setup.exe and MSI files, or am I signing something within the solution? 

    Ken Slovak MVP - Outlook
    Tuesday, May 22, 2012 6:44 PM
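The same procedure with the tools Ryan has (makecert and signtool rather than signcode with .spc/.pvk), as an added example in PowerShell; this is editor's code, not Ken's batch file or anything from the thread. It assumes Windows PowerShell 5.1, makecert.exe and signtool.exe from a Windows SDK on PATH (a Windows 8 SDK or later for sha256 in makecert), and placeholder file names, subject and timestamp URL. Two different publisher checks are involved here: Windows Installer and the UAC prompt read the Authenticode signature on the MSI and setup.exe, while the first-load prompt the VSTO runtime shows inside Outlook is decided by the signature on the deployment manifest and the Trusted Publishers store, so signing the installer files fixes the former only. The self-signed certificate is for a lab; as the thread says, a deployment to other machines wants a CA-issued certificate.

```powershell
# Added example (editor's, not the thread's batch file): create a lab-only
# self-signed code-signing certificate, sign setup.exe and the MSI, and verify them.
# Assumed: Windows PowerShell 5.1; makecert.exe and signtool.exe (Windows SDK, v8.0 or
# later for sha256 in makecert) on PATH; file names, subject and timestamp URL are
# placeholders to replace.
param(
    [string[]]$Files     = @('.\setup.exe', '.\OutlookAddInSetup.msi'),   # assumed output names
    [string]  $Subject   = 'CN=Contoso Test Code Signing',                 # assumed
    [string]  $Timestamp = 'http://timestamp.example.invalid/rfc3161',     # assumed; use your CA's RFC 3161 URL
    [string]  $CerOut    = 'C:\codesigning\test.cer'                        # assumed; public part, for the trust stores
)
$ErrorActionPreference = 'Stop'

# 1. Certificate with the Code Signing EKU (1.3.6.1.5.5.7.3.3). Without that EKU the
#    viewer still says "This certificate is OK" but Authenticode will not accept it.
#    -r self-signed, -pe exportable key, -ss/-sr put key and cert into CurrentUser\My,
#    -cy end makes it an end-entity certificate, -sky signature a signing key.
& makecert.exe -r -pe -n $Subject -a sha256 -len 2048 -cy end -sky signature `
    -eku 1.3.6.1.5.5.7.3.3 -ss My -sr CurrentUser $CerOut
if ($LASTEXITCODE) { throw "makecert failed ($LASTEXITCODE)" }

$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "certificate '$Subject' not found in CurrentUser\My" }

# 2. Sign both files. Windows Installer shows the publisher from the MSI's own
#    signature; setup.exe is a separate PE that needs its own. /fd sha256 is the file
#    digest; /tr and /td add an RFC 3161 timestamp so the signature outlives the cert.
#    With a CA-issued .pfx instead: signtool sign /f cert.pfx /p <password> /fd sha256 /tr <url> /td sha256 <file>
foreach ($f in $Files) {
    & signtool.exe sign /sha1 $cert.Thumbprint /s My /fd sha256 /tr $Timestamp /td sha256 /v $f
    if ($LASTEXITCODE) { throw "signing $f failed ($LASTEXITCODE)" }
}

# 3. Verify with the default Authenticode policy (/pa): the chain must end at a root
#    in the Trusted Root store. For a self-signed certificate that holds only on
#    machines where $CerOut has been imported there; elsewhere the status is
#    NotTrusted, which is what surfaces as "Unknown Publisher".
foreach ($f in $Files) {
    & signtool.exe verify /pa /v $f
    $sig = Get-AuthenticodeSignature -FilePath $f
    '{0,-28} {1,-12} {2}' -f (Split-Path $f -Leaf), $sig.Status, $sig.SignerCertificate.Subject
}
```

The final loop is the check to run on a second, clean machine: if Get-AuthenticodeSignature reports Valid there, the installer files are done; if it reports NotTrusted, the signature is intact but the signer does not chain to a root that machine trusts, and no amount of re-signing changes that.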
  • I've signed both files as you suggested and unfortunately it doesn't appear to have fixed the issue.  It looks like it's signed correctly as I now have a Digital Signatures tab with the certificate listed when I look in the properties of each file.  Perhaps I didn't install my certificate correctly on my computer?  Although when I click View Certificate from within the file properties it does say "This certificate is OK" which I don't think it'll say if it's not installed.  Thanks again for all of your assistance.
    You would sign both the setup.exe and the MSI. That way if someone were to run just the MSI they wouldn't get the warning and the same applies if they run setup.exe, which runs the MSI by chaining after checking for prerequisites.
    I usually use a bat file in a folder where I have signcode.exe installed, along with some other signing and certificate tools. My bat file looks like this, I call it with the name of what I want signed:
    c:\codesigning\signcode.exe -spc mycredentials.spc -v myprivatekey.pvk -t http://timestamp.verisign.com/scripts/timstamp.dll %1
    The certificate SPC and PVK files are the private and public key files for my certificate, the -t argument time stamps the certificate signature.

    --
    Ken Slovak
    MVP - Outlook
    http://www.slovaktech.com
    Author: Professional Programming Outlook 2007
    "RyanSTV" <=?utf-8?B?UnlhblNUVg==?=> wrote in message news:8fbf216a-a503-41e3-8905-e0898d92ef6d...
    Ken, thanks for the quick reply!  I've never used signcode.exe before so I apologize if any of my questions are a bit confusing.  From what I've read I need to use SignTool, however I'm not sure what files I'm specifically signing.  Would I sign the setup.exe and MSI files, or am I signing something within the solution? 

    Ken Slovak MVP - Outlook

    Tuesday, May 22, 2012 7:05 PM
  • A certificate can be OK but not installed in a certificates store or be trusted.
     
    Look in the Trust Center in the Trusted Publishers tab and see if your cert is trusted. Also check in the Macro Settings tab to see what your settings are and what the state of the "Apply macro security settings to installed add-ins" checkbox is.

    --
    Ken Slovak
    MVP - Outlook
    http://www.slovaktech.com
    Author: Professional Programming Outlook 2007
     
     
    "RyanSTV" <=?utf-8?B?UnlhblNUVg==?=> wrote in message news:0bef33c9-10fb-4209-bbd8-88075c01cacb...
    I've signed both files as you suggested and unfortunately it doesn't appear to have fixed the issue.  It looks like it's signed correctly as I now have a Digital Signatures tab with the certificate listed when I look in the properties of each file.  Perhaps I didn't install my certificate correctly on my computer?  Although when I click View Certificate from within the file properites it does say "This certificate is OK" which I don't think it'll say if it's not installed.  Thanks again for all of your assistance.

    Ken Slovak MVP - Outlook
    Tuesday, May 22, 2012 7:57 PM
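Ken's distinction between a certificate that is "OK" and one that is installed and trusted can be checked from the command line. The following is an added example (editor's code, not from the thread) that takes a signed file, reports the signer's thumbprint and signature status, checks whether the certificate is even allowed to sign code, lists which stores hold it, and builds the chain the way a code-signing trust check does. It assumes Windows PowerShell 5.1 and a placeholder file path.

```powershell
# Added example (editor's, not from the thread): inspect the signer of a file and
# say where, if anywhere, it is trusted. Assumed: Windows PowerShell 5.1; the file
# path is a placeholder.
param([string]$SignedFile = '.\OutlookAddInSetup.msi')   # assumed

$sig = Get-AuthenticodeSignature -FilePath $SignedFile
if (-not $sig.SignerCertificate) { throw "$SignedFile has no Authenticode signature (status $($sig.Status))" }
$cert = $sig.SignerCertificate
$codeSigningOid = '1.3.6.1.5.5.7.3.3'

"Signer     : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"Status     : $($sig.Status)"   # NotTrusted = signature intact, chain not trusted on this machine

# "This certificate is OK" in the viewer says nothing about purpose. Authenticode
# requires the Code Signing EKU, or no EKU extension at all (which means any purpose).
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$codeSigningOk = (-not $eku) -or [bool]($eku.EnhancedKeyUsages | Where-Object Value -eq $codeSigningOid)
"EKU        : " + $(if ($codeSigningOk) { 'code signing permitted' } else { 'code signing NOT permitted' })

# Where the signer is installed, matched by thumbprint. The Authenticode chain check
# needs it (or its issuer) in Root; the Trust Center's "Trusted Publishers" tab is the
# TrustedPublisher store. CurrentUser and LocalMachine are separate stores, so list both.
foreach ($location in 'CurrentUser', 'LocalMachine') {
    foreach ($store in 'Root', 'TrustedPublisher') {
        $hit = Get-ChildItem "Cert:\$location\$store" -ErrorAction SilentlyContinue |
            Where-Object Thumbprint -eq $cert.Thumbprint
        '{0,-12} {1,-17} {2}' -f $location, $store, $(if ($hit) { 'present' } else { 'absent' })
    }
}

# Build the chain with the code-signing application policy, as the trust check does;
# the status entries explain a NotTrusted result (e.g. UntrustedRoot for a self-signed
# cert that was never imported into Root).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $codeSigningOid)) | Out-Null
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($cert)) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Chain      : OK, root = $($root.Subject)"
} else {
    $chain.ChainStatus | ForEach-Object { "Chain      : $($_.Status) - $($_.StatusInformation.Trim())" }
}
```

The thumbprint line is the one to compare against the Trust Center list and the certificate stores: a certificate with the same subject name but a different thumbprint (for example one regenerated by makecert after the file was signed) shows up as "present" to the eye but is a different key to the chain engine.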
  • My certificate is showing in the Trusted Publishers tab.  Is there anything within here I should be checking for?

    The macro security setting is unchecked.

    A certificate can be OK but not installed in a certificates store or be trusted.
    Look in the Trust Center in the Trusted Publishers tab and see if your cert is trusted. Also check in the Macro Settings tab to see what your settings are and what the state of the "Apply macro security settings to installed add-ins" checkbox is.

    --
    Ken Slovak
    MVP - Outlook
    http://www.slovaktech.com
    Author: Professional Programming Outlook 2007

    Ken Slovak MVP - Outlook


    Tuesday, May 22, 2012 8:29 PM
  • Silly question, what does the Programmatic Access tab in Trust Center show?

    --
    Ken Slovak
    MVP - Outlook
    http://www.slovaktech.com
    Author: Professional Programming Outlook 2007
     
     
    "RyanSTV" <=?utf-8?B?UnlhblNUVg==?=> wrote in message news:22acfd72-9218-46c6-991e-c66a37f2ad8e...

    My certificate is showing in the Trusted Publishers tab.  Is there anything within here I should be checking for?

    The macro security setting is unchecked.


    Ken Slovak MVP - Outlook
    Tuesday, May 22, 2012 10:03 PM
  • Ryan, could you please verify (for example by showing it to us) that your custom action for the inclusion list actually runs and adds the proper values to the registry? This window about trusting the plugin to run for the first time can be avoided using the inclusion list, but this is a per-user setting, so there are 2 scenarios:

    1. You are content with a single user (as no one else will use that computer), so the inclusion list should do the trick

    2. The installer runs unattended (admin installation) and normal user(s) will use that computer. This way they will get this window (unless you use an unsupported Install/Office hack in the registry), but with a proper certificate used for signing your add-in you will get your name there, not Unknown Publisher

    Wednesday, May 23, 2012 6:49 AM
  • The Programmatic Access tab has the first option labeled "Warn me.." selected.
    Silly question, what does the Programmatic Access tab in Trust Center show?

    --
    Ken Slovak
    MVP - Outlook
    http://www.slovaktech.com
    Author: Professional Programming Outlook 2007
    "RyanSTV" <=?utf-8?B?UnlhblNUVg==?=> wrote in message news:22acfd72-9218-46c6-991e-c66a37f2ad8e...

    My certificate is showing in the Trusted Publishers tab.  Is there anything within here I should be checking for?

    The macro security setting is unchecked.


    Ken Slovak MVP - Outlook

    Wednesday, May 23, 2012 12:09 PM
  • Hi Damian, maybe this is my problem.  I don't have a custom action for inclusion list that I am aware of.  Is this needed for the Windows Installer (MSI)?  As far as the 2 scenarios you list, my intention was to push this MSI file out to all users (via SCCM) so it would be installed without any intervention or confusion from the end users.

    Ryan, could you please verify (for example by showing it to us) that your custom action for the inclusion list actually runs and adds the proper values to the registry? This window about trusting the plugin to run for the first time can be avoided using the inclusion list, but this is a per-user setting, so there are 2 scenarios:

    1. You are content with a single user (as no one else will use that computer), so the inclusion list should do the trick

    2. The installer runs unattended (admin installation) and normal user(s) will use that computer. This way they will get this window (unless you use an unsupported Install/Office hack in the registry), but with a proper certificate used for signing your add-in you will get your name there, not Unknown Publisher



    • Edited by RyanSTV Wednesday, May 23, 2012 12:11 PM
    Wednesday, May 23, 2012 12:10 PM
  • Without the inclusion list you will get this window on the first Outlook opening after installation, but since you will push it through unattended installation to all users on the computer, it will not help you much.

    So either:

    1. buy a code signing certificate so you will get your name in that window

    2. use a self-signed one (Visual Studio creates this one), but you will have to push it to the organization's Trusted Root Certification Authorities and Trusted Publishers stores (and of course make sure that the proper values are filled in that certificate; I do not know if VS does this correctly, maybe you will have to generate one by hand with the CN filled with proper values)

    Wednesday, May 23, 2012 1:25 PM
  • I created a certificate using makecert which I used to sign the solution.  I installed the certificate on my local machine in the "Trusted Root Certification Authorities" and "Trusted Publishers" stores.  The certificate shows as "OK" when I view it and it has an expiration of 1/1/2099, so I think it's all valid.  Even with this when I try to install my add-in on this computer I get the Unknown Publisher prompt.

    Without the inclusion list you will get this window on the first Outlook opening after installation, but since you will push it through unattended installation to all users on the computer, it will not help you much.

    So either:

    1. buy a code signing certificate so you will get your name in that window

    2. use a self-signed one (Visual Studio creates this one), but you will have to push it to the organization's Trusted Root Certification Authorities and Trusted Publishers stores (and of course make sure that the proper values are filled in that certificate; I do not know if VS does this correctly, maybe you will have to generate one by hand with the CN filled with proper values)


    Wednesday, May 23, 2012 1:34 PM
  • So you don't have an up to date anti-virus program? See what happens if you change that setting temporarily to never warn. Then exit and restart Outlook.

    --
    Ken Slovak
    MVP - Outlook
    http://www.slovaktech.com
    Author: Professional Programming Outlook 2007
     
     
    "RyanSTV" <=?utf-8?B?UnlhblNUVg==?=> wrote in message news:56df89c5-cbb7-44d0-a035-eea23a359fb5...
    The Programmatic Access tab has the first option labeled "Warn me.." selected.
    Silly question, what does the Programmatic Access tab in Trust Center show?

    --
    Ken Slovak
    MVP - Outlook
    http://www.slovaktech.com
    Author: Professional Programming Outlook 2007
    "RyanSTV" <=?utf-8?B?UnlhblNUVg==?=> wrote in message news:22acfd72-9218-46c6-991e-c66a37f2ad8e...

    My certificate is showing in the Trusted Publishers tab.  Is there anything within here I should be checking for?

    The macro security setting is unchecked.


    Ken Slovak MVP - Outlook


    Ken Slovak MVP - Outlook
    Wednesday, May 23, 2012 1:40 PM
  • I've never created or used an inclusion list myself and don't see that warning in any of my VSTO addins. But the certificates I use to sign things with are either my own Thawte cert, or customer's certs which are usually Verisign or Thawte, although I've seen others such as GoDaddy and so on.

    --
    Ken Slovak
    MVP - Outlook
    http://www.slovaktech.com
    Author: Professional Programming Outlook 2007
     
     
    "DamianD" <=?utf-8?B?RGFtaWFuRA==?=> wrote in message news:4f200a1e-f4d0-4849-a774-2705fab15da8...

    without inclusion list you will get this window on first outlook opening after installation, but since you will push it through unatended installation to all users on computer, it will not help you much.

    So either:

    1. buy code signing certificate so you will get your name in that window

    2. use self signed one (visual studio creates this one) but you will have to push it to organization's trusted root certification authorities and trusted publishers (and of course make sure that proper values are in that certificate filled - do not know if VS does this correctly, maybe you will have to generate one by hand with CN filled with proper values)


    Ken Slovak MVP - Outlook
    Wednesday, May 23, 2012 1:41 PM
  • I do have an up to date anti-virus program.  I tried changing the setting as you suggested... unfortunately I still get the same Unknown Publisher prompt.  I'm wondering if I created or installed my certificate incorrectly.  Do you know of any good references I can follow to create a new certificate and try this all from step 1?
    So you don't have an up to date anti-virus program? See what happens if you change that setting temporarily to never warn. Then exit and restart Outlook.

    --
    Ken Slovak
    MVP - Outlook
    http://www.slovaktech.com
    Author: Professional Programming Outlook 2007

    Ken Slovak MVP - Outlook

    Wednesday, May 23, 2012 1:44 PM
  • Like Ken, I use one I bought, so I never actually deployed a self-signed one to an external organization.

    Some questions though:

    1. did you deploy your cert to the enterprise store (both Trusted Publishers and Root CA), not your local one?

    2. did you verify that your self-signed one created by VS has the proper CN filled?

    Wednesday, May 23, 2012 1:55 PM
  • Deployment of a self-cert is not supported of course. It's only for the machine where it was created. See the dialog when a self-cert is created, as shown in http://www.howto-outlook.com/howto/selfcert.htm. It clearly states that it will produce warnings and will only be trusted where created.
     
    I'm not sure that even an inclusion list, or deploying the cert to an enterprise trusted store would be enough, that's the question.

    --
    Ken Slovak
    MVP - Outlook
    http://www.slovaktech.com
    Author: Professional Programming Outlook 2007
     
     
    "DamianD" <=?utf-8?B?RGFtaWFuRA==?=> wrote in message news:6c374fc9-296d-406a-8fec-4ca12149015e...

    as Ken i use one i bought so i never actually deployed self signed to external organization.

    Some questions though:

    1. did you deploy your cert to enterprise store (both trusted publishers and root CA), not your local one?

    2. did you verify that your self-sgined one created by VS has proper CN filled?


    Ken Slovak MVP - Outlook
    Wednesday, May 23, 2012 2:12 PM
  • 1.  I only installed the certificate on my local computer ("Trusted Root Certification Authorities" and "Trusted Publishers" stores). 

    2. I used "makecert" to create the certificate, not VS.  It appears to have all of the needed information populated including the CN.

    Like Ken, I use one I bought, so I never actually deployed a self-signed one to an external organization.

    Some questions though:

    1. did you deploy your cert to the enterprise store (both Trusted Publishers and Root CA), not your local one?

    2. did you verify that your self-signed one created by VS has the proper CN filled?


    Wednesday, May 23, 2012 2:54 PM
  • Interesting info, thanks Ken.  My thought was that the certificate I created (using makecert) could be deployed to all users in advance of this add-in.  Do you think that would cause issues?  I saw a few other forums where this seems to be an option, although I'm not sure what negative side-effects it could cause.
    Deployment of a self-cert is not supported of course. It's only for the machine where it was created. See the dialog when a self-cert is created, as shown in http://www.howto-outlook.com/howto/selfcert.htm. It clearly states that it will produce warnings and will only be trusted where created.
    I'm not sure that even an inclusion list, or deploying the cert to an enterprise trusted store would be enough, that's the question.

    --
    Ken Slovak
    MVP - Outlook
    http://www.slovaktech.com
    Author: Professional Programming Outlook 2007
    "DamianD" <=?utf-8?B?RGFtaWFuRA==?=> wrote in message news:6c374fc9-296d-406a-8fec-4ca12149015e...

    as Ken i use one i bought so i never actually deployed self signed to external organization.

    Some questions though:

    1. did you deploy your cert to enterprise store (both trusted publishers and root CA), not your local one?

    2. did you verify that your self-sgined one created by VS has proper CN filled?


    Ken Slovak MVP - Outlook

    Wednesday, May 23, 2012 2:56 PM
  • Damian, that seems to have done the trick!  THANK YOU!  By having the project install to the Program Files directory it is no longer showing the Unknown Publisher prompt.  This is a perfect solution for me since I can control this deployment along with the .net 4.0 push.

    Most probably Ken is right, however if you have some patience I will try to use a self-signed add-in to display the proper publisher and let you know the results. I think there is also another option, but I'm not sure: install .NET 4.0 on the machine with Office 2007, recompile your add-in to use .NET 4.0 and try to install it to %programfiles%. The documentation says that the plugin will be trusted by default in such a situation, but I have never tried it with Office 2007 (since you control deployment you can also push the installation of .NET 4.0).


    Thursday, May 24, 2012 12:55 PM
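The approach Ryan settled on, the VSTO 4 runtime's rule that a .NET 4 solution installed under Program Files is trusted without the first-load prompt, depends on the add-in's registration pointing at a manifest that really lives there. As an added example (editor's code, not the thread's setup project), this PowerShell script performs that per-machine registration and refuses to register anything outside Program Files. It assumes Windows PowerShell 5.1 run elevated, an add-in built for .NET 4 and the VSTO 4 runtime, 32-bit Office 2007 (the only kind), that the MSI has already copied the files to $InstallDir, and placeholder values for the install directory, key name, friendly name and description. The registry values (Manifest with the |vstolocal suffix, FriendlyName, Description, LoadBehavior) are the standard VSTO add-in registration entries.

```powershell
# Added example (editor's, not the thread's setup project): per-machine registration
# of a VSTO add-in whose manifest sits under Program Files. Assumed: elevated Windows
# PowerShell 5.1, .NET 4 / VSTO 4 runtime add-in, 32-bit Office 2007, files already
# installed to $InstallDir; key name, names and paths are placeholders.
param(
    [string]$InstallDir = 'C:\Program Files\Contoso\OutlookAddIn',   # assumed
    [string]$AddInId    = 'Contoso.OutlookAddIn',                     # assumed; key name under ...\Outlook\Addins
    [string]$Manifest   = 'OutlookAddIn.vsto',                        # assumed deployment manifest name
    [string]$Name       = 'Contoso Outlook Add-in'                    # assumed friendly name
)
$ErrorActionPreference = 'Stop'

$vsto = Join-Path $InstallDir $Manifest
if (-not (Test-Path $vsto)) { throw "Deployment manifest not found: $vsto" }

# The "trusted by default" rule applies only under Program Files (either one on
# 64-bit Windows). Anywhere else the runtime falls back to the trust prompt, so stop here.
$programFiles = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$underProgramFiles = $programFiles | Where-Object { $vsto.StartsWith($_, 'OrdinalIgnoreCase') }
if (-not $underProgramFiles) { throw "$vsto is not under Program Files; VSTO will prompt on first load" }

# 32-bit Outlook reads HKLM\SOFTWARE\Wow6432Node on 64-bit Windows. A 32-bit PowerShell
# is redirected there automatically; a 64-bit one must spell it out.
$software = if ([Environment]::Is64BitProcess) { 'HKLM:\SOFTWARE\Wow6432Node' } else { 'HKLM:\SOFTWARE' }
$key = "$software\Microsoft\Office\Outlook\Addins\$AddInId"
New-Item -Path $key -Force | Out-Null

# Manifest: file URI of the .vsto plus |vstolocal, which tells the runtime to load the
# solution from this folder instead of downloading it into the ClickOnce cache.
$manifestValue = 'file:///' + ($vsto -replace '\\', '/') + '|vstolocal'
Set-ItemProperty -Path $key -Name 'Manifest'     -Value $manifestValue
Set-ItemProperty -Path $key -Name 'FriendlyName' -Value $Name
Set-ItemProperty -Path $key -Name 'Description'  -Value $Name
Set-ItemProperty -Path $key -Name 'LoadBehavior' -Value 3 -Type DWord   # 3 = load at startup

Get-ItemProperty -Path $key | Select-Object Manifest, FriendlyName, LoadBehavior
```

After Outlook has started once, LoadBehavior staying at 3 means the add-in loaded; a value of 2 means the runtime disabled it after a failure, and the cause is in the VSTO runtime's logging rather than in the registration.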