GoDaddy certificate and click once WPF Browser App issue

  • Question

  • Hi Guys!

    It looks like we are having some issue with signing click once manifest. In our WPF browser application for .NET 3.5 + VS2008 we do some client side executed code. The clients are supposed to open (install) this application from our Corporate Secure Website. 

    So when I select "Sign the clickonce manifest" and install my test certificate to Client's browser it is ok. But this is not what we want: we would like the application to run on any client's machine without our techs spending hours installing these certificates.

    So we bought a GoDaddy certificate for Code Signing:

    Code Signing (1.3.6.1.5.5.7.3.3)

    Digital Signature (80)

     

    After using this certificate to sign manifest nothing happens (still get unsafe software error in IE). Until we manually add this certificate to client's machine we have the same security error. So what is the sense in these certificates then? As I understand, when you have a certificate issued by CA it must be accepted silently and an application should work.

    What am I doing wrong? 

    The only gap here may be that I don't sign my Assembly using this certificate (sign assembly checkbox). I cannot do it because when I select the same certificate file, insert password, VS 2008 gives me the error:

    ---------------------------
    Error importing key
    ---------------------------
    Object already exists
    ---------------------------
    OK
    ---------------------------

    So my assumption is that I don't have to sign assembly.

    Any ideas?

    Thanks,
    Eugene.
    Monday, June 21, 2010 1:31 PM

Answers

  • You don't have to sign the assembly.  On .NET 3.5 Sp1, you do have to get the signing certificate... whether from a legitimate certificate authority or self-generated ... into the Trusted Publisher's store.  (GoDaddy's certificate derives from Trusted Root Certificate Authorities but is not a Trusted Publisher, there are none in the store by default).

    Your options are to either figure out how to get the certificate on the customer's machine (create a special installer .application, use the SupportUrl of your .xbap to send the customer to a page with such instructions, etc), OR you could consider upgrading to .NET 4.0.  On .NET 4.0, customers would only need to be accessing the application from the Intranet or add your site to IE's "Trusted Sites" list, and could then simply click on a trust dialog to run your .xbap.  An official signing certificate is not even needed in such a scenario.

    Hope this helps,
    Matt

     


    SDET : Deployment/Hosting
    • Proposed as answer by Alexander Yudakov Monday, June 21, 2010 7:22 PM
    • Marked as answer by Eugene IS Monday, June 21, 2010 7:55 PM
    Monday, June 21, 2010 7:06 PM
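
The distinction drawn in the answer above (a certificate that chains to a Trusted Root Certification Authority versus one that is listed as a Trusted Publisher) can be checked on a client machine. The PowerShell below is an added example, not part of the original thread; the certificate path is a placeholder for the exported public signing certificate, and revocation checking is switched off so the check runs offline.

```powershell
# Added example: reports, for one publisher certificate, the trust conditions
# discussed in the answer. The default path is a placeholder (assumption).
# Run as the user who launches the .xbap so the CurrentUser store is the right one.
param([string]$CertPath = '.\publisher.cer')

$ns   = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$ns.X509Certificate2" -ArgumentList (Resolve-Path $CertPath).Path

# 1. Does the certificate carry the Code Signing EKU (1.3.6.1.5.5.7.3.3)?
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$hasCodeSigning = [bool]($eku.EnhancedKeyUsages |
    Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })

# 2. Does it chain to a root this machine already trusts?
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: offline check only
$chainsToRoot = $chain.Build($cert)

# 3. Is this exact certificate present in a Trusted Publishers store?
$publisherStores = @('CurrentUser', 'LocalMachine') | Where-Object {
    Test-Path "Cert:\$_\TrustedPublisher\$($cert.Thumbprint)"
}
$isTrustedPublisher = [bool]$publisherStores

[pscustomobject]@{
    Subject            = $cert.Subject
    Thumbprint         = $cert.Thumbprint
    HasCodeSigningEku  = $hasCodeSigning
    ChainsToTrustedCA  = $chainsToRoot
    TrustedPublisherIn = ($publisherStores -join ', ')
}

# Chain errors (if any) explain a failed build, e.g. an untrusted root.
if (-not $chainsToRoot) {
    $chain.ChainStatus | ForEach-Object { "Chain issue: $($_.Status)" }
}

# The situation from the question: CA-issued, yet not a Trusted Publisher.
if ($chainsToRoot -and -not $isTrustedPublisher) {
    'Chains to a trusted root but is not in Trusted Publishers: the ' +
    'condition the answer gives for .NET 3.5 SP1 is not met on this machine.'
}
```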

All replies

  • Thanks Matt!

     

    MS is quite equivocal in the documentation about this topic. We are in the process of upgrading to .NET 4.0 so I will just opt for "Trusted Sites" solution.

     

    Thanks,

    Eugene.

    Monday, June 21, 2010 7:55 PM
  • That's the best choice for your customer's user experience... but for understanding how it works in 3.5 Sp1 I think the Trusted Application Deployment overview article does a decent job.
    SDET : Deployment/Hosting
    Monday, June 21, 2010 9:34 PM