ClickOnce deployment with SHA256 certificate - SignatureDescription could not be created for the signature algorithm supplied

  • Question

  • I'm attempting to deploy a basic Excel add-in that has been signed with a sha256RSA code-signing certificate provided by my employer, published via ClickOnce. The add-in publishes just fine, shows an Unknown Publisher warning during install, and completely fails to load within Excel, displaying the following error:

    ************** Exception Text **************

    System.Security.Cryptography.CryptographicException: SignatureDescription could not be created for the signature algorithm supplied.
    at System.Security.Cryptography.Xml.SignedXml.CheckSignedInfo(AsymmetricAlgorithm key)
    at System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorithm key)
    at System.Security.Cryptography.Xml.SignedXml.CheckSignatureReturningKey(AsymmetricAlgorithm& signingKey)
    at System.Security.Cryptography.Xml.ManifestSignedXml.VerifyStrongNameSignature(XmlElement signatureNode)
    at System.Security.Cryptography.Xml.ManifestSignedXml.VerifySignature(X509RevocationFlag revocationFlag, X509RevocationMode revocationMode)
    at System.Security.Cryptography.ManifestSignatureInformation.VerifySignature(ActivationContext application, ManifestKinds manifests, X509RevocationFlag revocationFlag, X509RevocationMode revocationMode)
    at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInTrustEvaluator.VerifyCertificateSignature(ActivationContext context, OnlineOfflineState offlineState, String productName, DeploymentSignatureInformation& signatureInformation)
    at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.VerifySecurity(ActivationContext context, Uri manifest, AddInInstallationStatus installState)
    at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()

    ********************************************

    I'm running/targeting the following software versions:

    Visual Studio Enterprise 2015, Update 3 (14.0.25431.01)
    Target .NET Framework: 4.5.1
    VSTO Runtime 2010 (10.0.50903)
    Microsoft Office Professional Plus 2013 (15.0.4569.1506)

    My code-signing certificate should be trusted via an intermediate certificate, but just in case, I added my code-signing certificate to the trusted publishers list. I've also signed my add-in with a SHA1 certificate, and the add-in loaded (after I enabled the content in Excel). I've read through all the forums trying to come up with a solution to this problem, but most of the answers seem to involve updating the target .NET framework or updating the VSTO Runtime tool version. However, I seem to be running software that should support native SHA256 signing. Does anyone have any experience with this issue?

    Tuesday, October 10, 2017 7:04 PM


All replies

  • Hi leprendun,

    I try to find information regarding this issue and I find that this issue was there in older versions of Visual Studio.

    If you use .NET 4.5

    1. Add a reference to the System.Deployment assembly.

    2. Add the following code segment to your application:

    using System.Security.Cryptography;
    using System.Deployment.Internal.CodeSigning;

    ...

    protected void Application_Start(object sender, EventArgs e)
    {
        // Enable SHA-256 XML signature support: map the rsa-sha256
        // SignatureMethod URI to the SignatureDescription that SignedXml
        // needs in order to verify a manifest signed with that algorithm.
        CryptoConfig.AddAlgorithm(
            typeof(RSAPKCS1SHA256SignatureDescription),
            "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
    }


    Reference:

    SignatureDescription could not be created for the signature algorithm supplied

    Regards

    Deepak



    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Wednesday, October 11, 2017 6:52 AM
    Moderator
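Added example (not code from the thread or from Microsoft): a small Python script that reads the algorithm URIs out of a ClickOnce/VSTO manifest (the .dll.manifest or .vsto file) the same way SignedXml has to resolve them before it can verify anything. The URI in SignatureMethod is what CryptoConfig maps to a SignatureDescription; if the verifier on the target machine has no mapping for it, the result is exactly the "SignatureDescription could not be created" exception above, regardless of whether the certificate is trusted. The manifest embedded here is constructed and abbreviated (placeholder digests, signature values and key data, simplified nesting), and the function and constant names are mine.

```python
"""Report the XML-DSig algorithms a ClickOnce/VSTO manifest is signed with.

SignedXml maps the SignatureMethod URI to a SignatureDescription through
CryptoConfig before verifying; a URI it cannot map raises
"SignatureDescription could not be created for the signature algorithm
supplied". Listing the URIs shows whether a given verifier can check the
manifest at all, independent of publisher trust.
"""
from typing import Dict, List
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"

# SignatureMethod URI -> (hash name, needs a SHA-2-capable verifier).
# rsa-sha1 is mapped by every .NET Framework version; the rsa-sha2 URIs are
# mapped by the framework itself from 4.5 onward and otherwise only after
# CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription), uri).
SIGNATURE_METHODS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": ("SHA-1", False),
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": ("SHA-256", True),
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": ("SHA-384", True),
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": ("SHA-512", True),
}
DIGEST_METHODS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "SHA-1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "SHA-256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384": "SHA-384",
    "http://www.w3.org/2001/04/xmlenc#sha512": "SHA-512",
}


def describe_signatures(manifest_xml: str) -> List[Dict]:
    """One record per <Signature>: the outer strong-name signature first,
    then the Authenticode signature nested inside its <Object>."""
    records = []
    for sig in ET.fromstring(manifest_xml).iter(DSIG + "Signature"):
        signed_info = sig.find(DSIG + "SignedInfo")
        if signed_info is None:
            raise ValueError("Signature %r has no SignedInfo" % sig.get("Id"))
        method = signed_info.find(DSIG + "SignatureMethod").get("Algorithm")
        hash_name, needs_sha2 = SIGNATURE_METHODS.get(method, ("unknown", True))
        digests = [
            DIGEST_METHODS.get(ref.find(DSIG + "DigestMethod").get("Algorithm"), "unknown")
            for ref in signed_info.findall(DSIG + "Reference")
        ]
        records.append({
            "id": sig.get("Id"),
            "signature_method": method,
            "hash": hash_name,
            "needs_sha2_verifier": needs_sha2,
            "digest_methods": digests,
        })
    return records


def verification_blockers(manifest_xml: str, verifier_maps_sha2: bool) -> List[str]:
    """Ids of signatures whose SignatureMethod the verifier cannot map, i.e. the
    ones that would throw CryptographicException in SignedXml.CheckSignedInfo."""
    return [r["id"] for r in describe_signatures(manifest_xml)
            if r["needs_sha2_verifier"] and not verifier_maps_sha2]


# Constructed, abbreviated manifest: placeholder digests/signature/key data and
# simplified nesting, but the same two Signature elements a real one carries.
SAMPLE_MANIFEST = """<asmv1:assembly xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" manifestVersion="1.0">
  <Signature Id="StrongNameSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <Reference URI="">
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue>AAAA</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>AAAA</SignatureValue>
    <Object Id="Ms-Manifest">
      <Signature Id="AuthenticodeSignature">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
          <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
          <Reference URI="">
            <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <DigestValue>AAAA</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>AAAA</SignatureValue>
        <KeyInfo><X509Data><X509Certificate>AAAA</X509Certificate></X509Data></KeyInfo>
      </Signature>
    </Object>
  </Signature>
</asmv1:assembly>
"""

# What the same manifest looks like when published with a SHA-1 certificate.
SHA1_MANIFEST = (SAMPLE_MANIFEST
    .replace("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "http://www.w3.org/2000/09/xmldsig#rsa-sha1")
    .replace("http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2000/09/xmldsig#sha1"))

if __name__ == "__main__":
    for rec in describe_signatures(SAMPLE_MANIFEST):
        print(rec)
    print("blocked on a SHA-1-only verifier:",
          verification_blockers(SAMPLE_MANIFEST, verifier_maps_sha2=False))
```

Run it against the published .dll.manifest to confirm both signatures use rsa-sha256 (a SHA-256 certificate alone does not guarantee that; the publish settings decide the manifest algorithm). The verifier_maps_sha2 flag stands in for the target machine's runtime: the fix the thread lands on, updating the VSTO runtime, is what turns it from False to True on the machines that load the add-in, since CryptoConfig.AddAlgorithm inside ThisAddIn_Startup runs only after the runtime has already verified the manifest.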
  • Deepak,

    Thank you for your help. I tried adding your code to the ThisAddIn_Startup method, but I still receive the error. I examined the .dll.manifest file and the DigestMethod Algorithm uses sha256 throughout.

    Additionally, the link you provided indicates that the problem was fixed with Visual Studio 2013 Update 3; my version is Visual Studio Enterprise 2015, Update 3 (14.0.25431.01), so presumably the fix should already be included in my version.

    Any other ideas?

    Thursday, October 12, 2017 11:33 AM
  • Hi leprendun,

    Since the issue is a little complex,

    I will try to involve some senior engineers to look into this issue.

    They will try to investigate the issue and provide you with suggestions to solve it.

    Until they contact you and provide any suggestions, please have some patience.

    Thanks for your understanding.

    Regards

    Deepak



    Monday, October 16, 2017 2:48 AM
    Moderator
  • Hi leprendun,

    Could you share your project and SHA256 certificate with us? We will try to reproduce your issue with the provided information.

    Do you install the Excel add-in on the development computer? I suggest you try to install the latest VSTO Runtime.

    To check whether it is specific to the Excel add-in, I suggest you create a simple console app, deploy it with ClickOnce and this certificate, and see whether it works after installing.

    Best Regards,

    Edward



    Monday, October 16, 2017 8:37 AM
  • Edward,

    I am in an enterprise environment and cannot install the latest runtime version to test. I can lobby the configuration management team to install the latest version, but they're not inclined to do so unless an actual bug is identified in the current version we have installed (10.0.50903). The add-in does not install on the development computer.

    My certificate is attached to a smart card and cannot be exported. However, I receive the same error while compiling and running a brand new VSTO Add-In (with no additional code) signed using a test sha256 certificate created with Visual Studio. Is there an email I can send the project to? I can paste code from manifest files but I can't easily upload my project to a standard file-sharing site; my environment is locked down pretty tightly.

    Both console and WPF applications run without a problem.

    Let me know if I can provide any additional information, and thanks for your help.

    Monday, October 16, 2017 6:10 PM
  • Hi leprendun,

    >> The add-in does not install on the development computer.

    To check whether it is related to the production environment, I suggest you try to install this add-in with ClickOnce on the development computer to see whether you receive the same error.

    >> I receive the same error while compiling and running a brand new VSTO Add-In (with no additional code) signed using a test sha256 certificate created with Visual Studio.

    I made a test about this with VS 2015 Version 14.0.25431.01 Update 3, .Net Framework 4.5.1, VSTO Runtime 10.0.50903 and Office 2016 16.0.8625.2003 32bit, it works correctly.

    Before testing with new VSTO Add-in, have you uninstalled the old addins?

    Best Regards,

    Edward



    Tuesday, October 17, 2017 5:18 AM
  • Edward,

    The add-in fails on the development computer; I have not tested it on other machines. All old add-ins have been uninstalled. I was able to reproduce this on my home computer using Visual Studio 2017 Community (15.3.2), VSTO Runtime 10.0.50903, a SHA256 test certificate created in Visual Studio, and Microsoft Office 3 Pro Plus (Version 1609, build 7369.2127). The repo of the project, including ClickOnce published build, is at https://github.com/FolkCoder/ExcelAddIn1.

    In my enterprise environment, add-ins must be signed by a trusted publisher in order to run (Require Application Add-ins to be signed by Trusted Publisher setting in the Office Trust Center). In my tests at home, the add-in fails only if this option is selected; if it is not selected, the test project loads correctly.

    On my home computer, I installed the latest version of VSTO Runtime (10.0.60825) and re-published the project with the Require Application Add-ins to be signed by Trusted Publisher setting selected and my test certificate added to my trusted publishers list. So it seems that the problem is inherent to the runtime version and that updating to the latest runtime version will fix the issue. Is there any way this could be officially documented so that I can present it to my configuration management team?

    Tuesday, October 17, 2017 9:49 AM
  • Hi leprendun,

    >> So it seems that the problem is inherent to the runtime version and that updating to the latest runtime version will fix the issue.

    Do you mean installing latest runtime fix the issue on your home computer?

    I suggest you check whether below link is enough to convince management team.

    # VSTO Add-in may fail to load if signed by some SHA256 certificates [Update : Fixed with latest VSTO runtime]

    https://blogs.msdn.microsoft.com/vsod/2016/01/28/vsto-add-in-may-fail-to-load-if-signed-by-some-sha256-certificates/

    Best Regards,

    Edward 



    • Marked as answer by leprendun Friday, October 20, 2017 11:24 AM
    Wednesday, October 18, 2017 5:16 AM
  • Edward,

    Thanks for the link, I hadn't come across that one before in my research. I'll present it to my management and see if we can get the updates implemented. Thank you for all your help debugging this issue.

    Friday, October 20, 2017 11:23 AM
  • Edward, I was able to get the updated version of VSTO Runtime installed on my computer; I no longer receive a signature algorithm error, but I do receive an untrusted publisher error:

    --------------------------------------------------------

    The solution cannot be installed because it is signed by a publisher whom you have not yet chosen to trust. If you trust the publisher, add the certificate to the Trusted Publisher list.

    ************** Exception Text **************

    System.Security.SecurityException: The solution cannot be installed because it is signed by a publisher whom you have not yet chosen to trust. If you trust the publisher, add the certificate to the Trusted Publisher list.
    at Microsoft.VisualStudio.Tools.Office.Runtime.OfficeAddInDeploymentManager.VerifyAddInTrust(ClickOnceAddInTrustEvidence evidence)
    at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.VerifySecurity(ActivationContext context, Uri manifest, AddInInstallationStatus installState)
    at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()

    The Zone of the assembly that failed was: MyComputer

    --------------------------------------------------------

    I have tried signing the application with my work's code-signing card as well as a test certificate generated by Visual Studio. I have added the certificates to both the Trusted Root Certification Authorities store and the Trusted Publishers store using certmgr. In the Excel Trust Center, the certificates appear in the Trusted Publishers list.

    Do you have any ideas on why the code signature is not working? Are there other possible settings that may be blocking the successful loading of the add-in?

    As always, I appreciate your help.

    Wednesday, November 15, 2017 4:34 PM