Trying to overcome the "The solution cannot be installed because it is signed by a publisher whom you have not yet chosen to trust." error.

  • Question

  • Hello,

    I've been searching for an answer to this, and while there are lots of good ones, I'm afraid mine may be a little more unique.

    Using VS2010 I created an Excel Addin that I deployed through ClickOnce to our internal servers. The users, running Office 2010, ran the setup and everything was just fine.

    The users have now been upgraded to Office 2013. When they ran the setup, it is giving them this error:

    "The solution cannot be installed because it is signed by a publisher whom you have not yet chosen to trust. If you trust the publisher, add the certificate to the Trusted Publisher list."

     I made sure I signed my project with my own certificate (using this article: http://msdn.microsoft.com/en-us/library/ff699202.aspx ) and even installed it on their machine manually. However we are still getting the error when Excel is opened.

    What I would have expected is that, when Excel is opened, you are prompted to Trust the Publisher, but that doesn't happen. Here's where it may get fun: my employer has locked down Office 2013 pretty tightly so you cannot change most of the settings in the Trust Center in Excel 2013. For example, under Add-ins -> Require Application Add-ins to be signed by Trusted Publisher is checked and also disabled (greyed out) so there is no way to uncheck it (short of a registry hack).

    I was able to set the Trusted Locations to the directory with the Add-in, but that didn't help.

    Am I doing this correctly? Is there another way to install my certificate as trusted?

    Thank you.

    ~Jenna

    Tuesday, September 23, 2014 8:53 PM

Answers

  • Hi Jenna,

    Visual Studio Tools for Office runtime does not install a solution unless the certificate of the solution is from a trusted publisher. To make it a trusted publisher, one may need to add it to "Trusted Root Certification Authorities" and "Trusted Publishers" through Certificate Manager. Try the following steps and see if it helps:

    1. Run certmgr.msc

    2. Add your certificate to "Trusted Root Certification Authorities" and "Trusted Publishers".

    Check if the issue reproduces.

    The ClickOnce trust prompt allows the user to make security decisions if the solution is not trusted. One can make use of inclusion list entries for solutions with untrusted certificates. The following link specifies the steps:

    How to: Add or Remove Inclusion List Entries

    Regards,

    Anush.

    • Marked as answer by Jenna_Fire Tuesday, September 30, 2014 3:21 PM
    Monday, September 29, 2014 10:08 PM

All replies

  • Hello Jenna,

    It looks like you need to change the Trust center settings adding the publisher to the safe list. You can add the publisher to the trusted publishers list in the Trust Center:

    1. Open the file from the new publisher.
    2. Click File > Options.
    3. Click Trust Center > Trust Center Settings > Trusted Publishers.
    4. In the list, select the publisher's certificate, and then click OK.

    See Not able to install the published excel file from anther machine for more information.

    Wednesday, September 24, 2014 7:45 AM
  • Hi Jenna,

    >>Here's where it may get fun: my employer has locked down Office 2013 pretty tightly so you cannot change most of the settings in the Trust Center in Excel 2013. For example, under Add-ins -> Require Application Add-ins to be signed by Trusted Publisher is checked and also disabled (greyed out) so there is no way to uncheck it (short of a registry hack).<<

    As far as I know, these options don't affect the VSTO add-ins. You can get more detail about these options from the link below (Trust Center Settings in the Microsoft Office System Do Not Affect Add-ins or Document-Level Customizations section):
    Specific Security Considerations for Office Solutions

    >> I was able to set the Trusted Locations to the directory with the Add-in, but that didn't help.<<

    The Trusted Locations setting is used for document-level customizations. For more detail about Trusted Locations, you can check the link below:
    Granting Trust to Documents (Trusted Locations section)

    Here is the security checking by the ClickOnce and VSTO runtime:

    I suggest that you check whether the manifest is in the IE restricted zone.

    If it is not, please check whether the trust prompting is allowed. We can configure it by following the link below:
    How to: Configure the ClickOnce Trust Prompt

    You can get more detail about Securing Office Solutions from the link below:
    Securing Office Solutions

    Best regards

    Fei


    Wednesday, September 24, 2014 9:03 AM

  • As far as I know, these options don't affect the VSTO add-ins. You can get more detail about these options from the link below (Trust Center Settings in the Microsoft Office System Do Not Affect Add-ins or Document-Level Customizations section):
    Specific Security Considerations for Office Solutions

    Fei,

    I appreciate the detailed response but I haven't gone through it yet (I will).

    However, as a test yesterday I changed the registry on the user's machine. I set the HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\excel\security\requireaddinsig = 0, it was previously set to 1. Then the addin loaded.

    I don't know if I am contradicting what you said, but does that shed any light on this? Also, this is a temporary solution because I am pretty sure the next time she reboots, the Group Policy will reset the registry key back to 0.

    Thank you for the help.

    ~Jenna

    Wednesday, September 24, 2014 1:34 PM
  • Eugene,

    Thank you for great information. I will be going through it soon. I'll let you know what I find.

    Rereading your steps, I am not clear on exactly how to do that. What I mean is the application level add-in is not allowed to open. So at what point am I starting with step 1. Open the file from the new publisher?

    I did open Excel and saw that my certificate is listed under Trusted Publishers, so I don't know exactly what the issue is.

    Plus, as I made a change to the registry to allow for Addins (see my response to Fei), I am not clear what I am doing wrong.

    Sorry I am so scattered with this, I just find it more confusing than I would expect it to be.

    ~Jenna


    • Edited by Jenna_Fire Wednesday, September 24, 2014 3:42 PM Added more information
    Wednesday, September 24, 2014 1:43 PM
  • Hi Jenna,

    >>Also, this is a temporary solution because I am pretty sure the next time she reboots, the Group Policy will reset the registry key back to 0.<<

    I suggest that you reopen a thread in the Office 2013 and Office 365 ProPlus - IT Pro General Discussions forum, if you have issues about using Group Policy.

    And to find the root reason of this issue, I'm trying to involve some senior engineers into this issue and it will take some time. Your patience will be greatly appreciated.

    Sorry for any inconvenience and have a nice day!

    Best regards

    Fei 



    Monday, September 29, 2014 9:58 AM
  • Fei,

    I really appreciate you following up on this.

    As far as the Group Policy goes, my company sets it so I will not be able to change it. Or if I do change it, on the next reboot, it will be reset to the company's policy.

    I found that after I changed the registry setting, my internal client was able to run the addin. However, after a couple of days, when she opened Excel she was prompted with a message saying that there were no rights to run the addin. 

    I had to change the registry setting back, uninstall the addin, reinstall it and she was up and running again.

    I am pursuing this in house as well. If I find more information, I will post it here.

    Thank you so much for the help.

    ~Jenna

    Monday, September 29, 2014 4:49 PM
  • Anush,

    It worked! Previously, I had added the certificate to Trusted Publishers, but I didn't add it to the Trusted Root Certificate Authorities, because I didn't think I could, because it is not a paid for Certificate from CA.

    So I added it to the Trusted Root Certificate Authorities and it installed!

    Thank you so much for the help.

    ~Jenna

    p.s. I was looking at the link you included, and I am a little confused on that.  

    In order to get this to work, I had to copy the certificate from a USB drive to her machine and then install it manually with certmgr.msc. Does the Inclusion List allow you to place the Certificate in the Trusted Publishers and Trusted Root Certificate Authorities in the setup? If so, even though the user is prompted whether or not to trust the add-in, doesn't that take away from the security?

    I think I am missing something simple here.

    Tuesday, September 30, 2014 3:21 PM
  • Hey Jenna,

    The inclusion list is not a way to trust certificates. It is used to control the ClickOnce prompting level and it allows one to decide whether the end user should be prompted for trust. This ideally should be done by an Administrator. For more details about certificates, and adding or removing certificates, you can refer to the following link:

    X509Store Class

    Regards,

    Anush.

    • Proposed as answer by AnushRudaa Tuesday, September 30, 2014 8:48 PM
    Tuesday, September 30, 2014 8:48 PM
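
The certmgr.msc steps from the accepted answer, scripted with the X509Store class mentioned in the last reply. This is an added example, not code posted by anyone in the thread; the parameter names `CerPath` and `ExpectedThumbprint`, and the choice of the current user's stores, are assumptions. It refuses to trust a file whose thumbprint differs from the one the developer supplied out of band, and it imports only the public certificate.

```powershell
# Added example (not from the thread): trust ONE specific signing certificate
# for the current user, the same stores certmgr.msc manages.
param(
    [Parameter(Mandatory)] [string] $CerPath,            # assumption: exported public .cer file
    [Parameter(Mandatory)] [string] $ExpectedThumbprint  # assumption: supplied out of band by the developer
)
$ns   = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$ns.X509Certificate2" -ArgumentList (Resolve-Path $CerPath).Path

# Only trust the certificate we were told to expect.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file contains $($cert.Thumbprint)"
}
# The signing key stays on the build machine; client machines need the public part only.
if ($cert.HasPrivateKey) { throw 'Import the public certificate only, not the private key.' }

$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# A self-signed certificate placed in Root is trusted for every purpose its EKU allows,
# so flag certificates that are not restricted to Code Signing (OID 1.3.6.1.5.5.7.3.3).
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$codeSigningOnly = $eku -and $eku.EnhancedKeyUsages.Count -eq 1 -and
                   $eku.EnhancedKeyUsages[0].Value -eq '1.3.6.1.5.5.7.3.3'
if (-not $codeSigningOnly) {
    Write-Warning 'Certificate is not limited to Code Signing; review before trusting it as a root.'
}

$results = foreach ($name in 'Root', 'TrustedPublisher') {
    $store = New-Object "$ns.X509Store" -ArgumentList $name, 'CurrentUser'
    $store.Open('ReadWrite')
    try {
        # Adding to CurrentUser\Root makes Windows show a confirmation dialog to the user.
        $store.Add($cert)
        $found = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
        [pscustomobject]@{ Store = "CurrentUser\$name"; Subject = $cert.Subject; Present = ($found.Count -gt 0) }
    }
    finally { $store.Close() }
}
$results   # one row per store; Present should be True for both
```

To undo the trust later, open the same two stores and call `Remove` with the same certificate object.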