Office 2010 VSTO with SHA256 certificate AND timestamp, targeting NET 4.0 and NET >= 4.5

  • Question

  • Hello,

    We are deploying an application to customers which also provides a document level Word 2010 Add-in (DOTX).

    Until now we were targeting XP and Win7 and NET 4.0. We could not deploy the Add-in in the program files directory because otherwise new documents derived from the template would have to be saved in this directory which is not an option. So we had to sign the VSTO with a certificate (SHA1). Unfortunately we did not know we had to timestamp it, which opened a can of worms...

    A short while ago this certificate expired and we received a new one from our CA, this time using SHA2. Also we would like to add support for Win10 64-bit.

    Using our current build environment, Visual Studio 2010, there was no way to make the VSTO work for NET 4.0, particularly when using a timestamp. Even when re-signing the VSTO using the latest version of mage.exe from the Windows 10 SDK, we were getting the "Unknown Publisher" dialog.

    Testing with a minimal project (default Word 2010 DOTX project but using a valid certificate), the only way to make this work for NET 4.0 was using Visual Studio 2015. That VSTO was running fine on all test machines even when setting the date on the test machines (disconnected from the internet) far into the future and beyond the expiration date of the certificate. As mentioned, re-signing with mage.exe did not work, regardless of version used (tried the one coming with VS2010, VS2012 and VS2015).

    That would be my first question: Does signing a Word 2010 document level Add-In with timestamp and SHA2 and targeting NET 4.0 necessarily require Visual Studio 2015 (or perhaps 2013 SP3) and does mage.exe no longer support re-signing for these types of projects?

    Then, encouraged by the success at least with Visual Studio 2015, the question arose whether we should update our entire application to NET 4.5 or higher.

    However, the same minimal project (Word 2010 DOTX default template with valid certificate and timestamp) targeting NET 4.5 or higher did not work on our test machines (again disconnected from the internet). Either the "Unknown Publisher" dialog popped up immediately or it popped up the moment the date was changed beyond +- 7 days from "now", even if that date was still in the range of the certificate's validity.

    Second question: What is the deal with signing, with timestamp, 2010 VSTOs targeting NET 4.5 or higher? Do these kinds of projects have to target NET 4.0 (but then why offer these under the NET 4.5 and higher templates)?

    As for deployment, just in case that should matter: We are using InstallShield which, as far as the VSTO is concerned, copies the files to their destination on the target machine. So all testing with the minimal projects mentioned above was done by simply copying the projects' output to the test machines.

    Thursday, January 28, 2016 10:15 AM


  • Hi C_K,

    This forum is used to discuss and ask questions about using Visual Studio to create managed code solutions for Microsoft Office; your issue is related to deploying a VSTO product. Since InstallShield is not supported, I suggest you use ClickOnce or Windows Installer to deploy the Office solution, which is the recommended way.

    For more information about deploying an Office solution, you could refer to the link below:
    Deploying an Office Solution

    Best Regards,



    Friday, January 29, 2016 5:24 AM