Unable to install any add-in signed with sha256RSA certificate

  • Question

  • We have Word 2010 add-ins that we have been distributing with our software for some time without problems. However since we renewed our code signing certificate, we can't deploy any of our add-ins anymore. It always fails with the following exception:



    System.Deployment.Application.InvalidDeploymentException: Exception reading manifest from file:///C:/Users/abcd/Documents/Visual%20Studio%202012/Projects/WordAddIn1/bin/Debug/WordAddIn1.vsto: the manifest may not be valid or the file could not be opened. ---> System.Deployment.Application.InvalidDeploymentException: Manifest XML signature is not valid. ---> System.Security.Cryptography.CryptographicException: SignatureDescription could not be created for the signature algorithm supplied.
       at System.Security.Cryptography.Xml.SignedXml.CheckSignedInfo(AsymmetricAlgorithm key)
       at System.Security.Cryptography.Xml.SignedXml.CheckSignatureReturningKey(AsymmetricAlgorithm& signingKey)
       at System.Deployment.Internal.CodeSigning.SignedCmiManifest.Verify(CmiManifestVerifyFlags verifyFlags)
       at System.Deployment.Application.Manifest.AssemblyManifest.ValidateSignature(Stream s)
       --- End of inner exception stack trace ---
       at System.Deployment.Application.Manifest.AssemblyManifest.ValidateSignature(Stream s)
       at System.Deployment.Application.ManifestReader.FromDocument(String localPath, ManifestType manifestType, Uri sourceUri)
       --- End of inner exception stack trace ---
       at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.GetManifests(TimeSpan timeout)
       at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()


    We've pinpointed the problem to the fact that the new certificate uses the sha256RSA signature algorithm, while the old one used sha1RSA. We use the new certificate to sign executables and MSIs as well without any problems. Putting the old cert back (still valid for two weeks) works as well.

    By reducing the problem to its simplest form, we found that simply creating a new Word 2010 add-in from Visual Studio and setting the signing to our new certificate is sufficient for the VSTO to be unusable on all computers, including the development machine that just built it (launching it via F5 in VS2012 works, however).

    Creating a simple C# application and configuring ClickOnce deployment for it using the same certificate does not present any problem, it only occurs with VSTO deployment.


    The setup on the development machine is the following:

    • Visual Studio 2012 (therefore .NET 4.5 installed)
    • Office 2010 SP2 (x86)
    • Visual Studio 2010 Tools for Office Runtime (version 10.0.40303)
    • A valid code signing certificate with sha256RSA signature algorithm

    While the problem seems similar to http://social.msdn.microsoft.com/Forums/windows/en-US/eba424ae-f7b7-4530-bb68-db3b9972a31e/  , it is different in that we already have .NET 4.5 deployed everywhere, and it fails on the development machine as well.

    In addition, after a much more detailed investigation, it seems that the VSTOInstaller application always performs the deployment using the .NET 3.5 runtime instead of .NET 4.0. Indeed, looking at the loaded DLLs/assemblies in VSTOInstaller.exe when it is displaying the error, Process Explorer shows that it loaded the 2.0 runtime instead of the 4.0. Maybe that explains why it fails on sha256 signatures, no matter what.

    Is there a known workaround to that problem? What can we do except get another sha1RSA certificate?



    • Edited by fgeo Wednesday, October 9, 2013 1:18 PM
    Wednesday, October 9, 2013 12:58 PM

Answers

  • Hi Fgeo,

    Yes, your experience (and your deduction) is correct.  Even though the add-in itself might be a 3.5 or 4.0 add-in, the presence of a SHA256 certificate currently requires that .NET 4.5 be on the machine.  The reason is that the Trust Dialog logic always uses the latest .NET version before loading the specific CLR version that's required by the add-in.  That's why you don't need to re-compile, and yet installing .NET 4.5 on the machine fixes the issue.

    By the way, the "Unknown Publisher" issue (earlier in the thread) is in fact fixed by the latest VSTO Runtime update from a few months ago (http://blogs.msdn.com/b/vsto/archive/2014/04/10/vsto-runtime-update-to-address-slow-shutdown-and-unknown-publisher-for-sha256-certificates.aspx, and also available on Microsoft Update).

    Hope this helps,

    - Michael


    Michael Zlatkovsky | Program Manager, Visual Studio Tools for Office & Apps for Office

    • Marked as answer by fgeo Thursday, June 12, 2014 6:43 PM
    Thursday, June 12, 2014 5:53 PM
    Moderator

All replies

  • Hi fgeo,

    Thank you for posting in the MSDN Forum.

    I'm trying to involve some senior engineers in this issue and it will take some time. Your patience will be greatly appreciated.

    Sorry for any inconvenience and have a nice day!

    Best regards,

    Fei



    Friday, October 11, 2013 5:58 AM
    Moderator
  • Hi,

    Did you get any news from the involved engineers?

    Thank you and have a nice day,

    Wednesday, October 23, 2013 8:31 AM
  • Hi Fgeo,

    The latest runtime that just shipped with VS 2013 RTM (and which you can also download separately from http://go.microsoft.com/fwlink/?LinkId=140384) does offer some support for SHA 256 certificates.  Namely, you would not get the same error as you have above -- installation would go through.  However, even though the customization is signed, the trust prompt dialog will still display "Unknown Publisher", which is a known issue that we're currently investigating.

    Depending on your scenario (deploying in-house vs. deploying externally), this may or may not be a problem for you.

    Note that the latest runtime is needed on client machines to run these SHA256 certificates.  You can distribute the latest runtime programmatically via the Bootstrapper package.  VS 2013 RTM comes with the right version number for the latest runtime, but for older VS versions you'd need to tweak the bootstrapper file manually (see http://blogs.msdn.com/b/vsto/archive/2012/12/21/creating-a-bootstrapper-package-for-an-office-2013-vsto-add-in-with-visual-studio-2012.aspx -- and substitute 10.0.40303 in the example file with the latest runtime version 10.0.40820)

    Hope this helps,

    - Michael


    Michael Zlatkovsky | Program Manager, Visual Studio Tools for Office & Apps for Office

    • Marked as answer by fgeo Thursday, October 24, 2013 8:58 AM
    • Unmarked as answer by fgeo Thursday, June 12, 2014 6:44 PM
    Wednesday, October 23, 2013 11:52 PM
    Moderator
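The accepted answer above says the presence of an rsa-sha256 manifest signature requires .NET 4.5 on the client, and the reply above says the client also needs a recent VSTO runtime (10.0.40820 at the time). The following PowerShell is an added diagnostic, not code from the thread or from Microsoft: it reads the SignatureMethod URIs out of a ClickOnce/VSTO deployment manifest (the value SignedXml resolves through CryptoConfig, which is where the "SignatureDescription could not be created" exception comes from on .NET 4.0), then checks the client's .NET 4.5 marker and VSTO runtime version. The registry locations (the `Release` DWORD under `NDP\v4\Full`, the `Version` value under `VSTO Runtime Setup\v4R`) and the 378389 threshold for .NET 4.5 are the documented layout but are assumptions of this example; the manifest path is supplied by the caller.

```powershell
# Added diagnostic (not from the thread). Assumptions: standard .NET 4.x and
# VSTO 4 runtime registry layout; a .vsto/.manifest path supplied by the caller.

# Minimum .NET Framework whose SignedXml knows the SignatureMethod URI by default.
# rsa-sha1 has worked since 2.0; rsa-sha256 is only registered from 4.5 onwards
# (on 4.0 CryptoConfig has no SignatureDescription for it, hence the exception).
$script:SignatureMethodMinimum = @{
    'http://www.w3.org/2000/09/xmldsig#rsa-sha1'        = '2.0'
    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' = '4.5'
}

function Get-ManifestSignatureMethods {
    param([Parameter(Mandatory)][string]$ManifestPath)
    [xml]$doc = Get-Content -LiteralPath $ManifestPath -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    # A ClickOnce manifest carries xmldsig Signature elements (strong-name and
    # Authenticode); return the Algorithm URI of every SignedInfo/SignatureMethod.
    foreach ($sm in $doc.SelectNodes('//ds:SignedInfo/ds:SignatureMethod', $ns)) {
        $sm.GetAttribute('Algorithm')
    }
}

function Test-DotNet45Installed {
    # .NET 4.5 and later write Release >= 378389 here (assumed documented layout).
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    return ($null -ne $release -and $release -ge 378389)
}

function Get-VstoRuntimeVersion {
    # The VSTO 4 runtime records its version here; check both registry views.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\VSTO Runtime Setup\v4R',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\VSTO Runtime Setup\v4R') {
        $v = (Get-ItemProperty -Path $key -Name Version -ErrorAction SilentlyContinue).Version
        if ($v) { return [version]$v }
    }
    return $null
}

function Test-VstoClientReady {
    param(
        [Parameter(Mandatory)][string]$ManifestPath,
        [version]$RequiredRuntime = [version]'10.0.40820'   # version named in the thread
    )
    $ok = $true
    foreach ($m in Get-ManifestSignatureMethods -ManifestPath $ManifestPath) {
        $min = $script:SignatureMethodMinimum[$m]
        if (-not $min) {
            Write-Warning "Unrecognised SignatureMethod '$m'; SignedXml may reject it"
            $ok = $false
            continue
        }
        if ($min -eq '4.5' -and -not (Test-DotNet45Installed)) {
            Write-Warning "$m needs .NET 4.5 or later on this client; only 4.0 or older is installed"
            $ok = $false
        }
    }
    $rt = Get-VstoRuntimeVersion
    if (-not $rt -or $rt -lt $RequiredRuntime) {
        Write-Warning "VSTO runtime '$rt' is missing or older than required $RequiredRuntime"
        $ok = $false
    }
    return $ok
}

# Usage (path is illustrative):
# Test-VstoClientReady -ManifestPath 'C:\deploy\WordAddIn1.vsto'
```

Run it on a client that shows the "Manifest XML signature is not valid" error: a manifest whose SignatureMethod is rsa-sha256 on a box where `Test-DotNet45Installed` returns `$false` matches the failure described in this thread, and the runtime check covers the second requirement from the reply above. The VSTO runtime's own loading of the 2.0 CLR for the trust dialog is not something this script can change; it only tells you which prerequisite is missing.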
  • Hi Michael,

    Thank you for your answer. After testing, we see the behaviour you described, we can install the customization but it displays the "Unknown Publisher". While this is not ideal, this is not a strong blocking issue for us. It is much better than with the previous version.

    In addition, as we already deploy the runtime ourselves, we can update it in our next release of the product, updating the version of the install condition.

    We'll keep an eye for a new release that fixes the publisher issue.

    Thank you again and best regards,

    Thursday, October 24, 2013 8:58 AM
  • Hi Fgeo.

    Although your question is already some months old and you might meanwhile have successfully resolved the issue, I hope my answer can help at least other people facing this problem.

    While trying to resolve the problem we tried lots of things to get our Word AddIn running at the customer's premises, but were not able to resolve the issue. After several hours I was rereading the text of the exception carefully and noticed that the second line says "Manifest XML signature is not valid". I then googled for this text and found some hints that the issue might be caused by the fact that .NET 4.0 is not aware of the SHA256 algorithm. We then installed .NET Framework 4.5 on our customer's machine and the problem was resolved.

    What puzzled me is the fact that I did not have to recompile the application under .NET 4.5 but I don't fully understand yet why not. Would be nice if someone could explain this.

    Regards,

    Marc-André

    Thursday, June 12, 2014 12:36 PM
  • Hi Marc-André,

    We've since then made major changes to this part of our software and do not use an Add-In anymore (replaced by using the Open XML SDK + Word Object Model).

    However, while reviewing the latest Windows Updates, I came across this Update for Visual Studio 2010 Tools for Office Runtime. The second issue fixed seems very similar, so it may be fixed now.

    Best regards,

    Thursday, June 12, 2014 1:23 PM
  • Hello there,

    I had the same issues as you, getting my Outlook AddIn installed using a SHA256 code signing certificate.

    I am running .NET 4.5.2 on dev and client machines and using the latest VSTOs and I got the same error as you.

    Finally I was able to track down the problem. There is an issue using time stamping via ClickOnce, as ClickOnce seems to be unable to use a RFC 3161 compliant time stamping server (ClickOnce only uses the format of MS), which is IMHO necessary to get a SHA256 signing request properly time stamped.

    Solution: Do not specify a time stamping server at all if you are using ClickOnce with SHA256 certificates and it should finally work :) !

    Learned it the hard way wasting 12 hours of dev time :( !

    Solution (using signtool - not ClickOnce): If you are using signtool.exe (without ClickOnce), you should use a RFC 3161 compliant time stamping server (Google is your friend) and the following parameters:

    /fd sha256 => for SHA256 signing

    /tr "http://your.timestamping-server.url" => don't use the /t parameter for the MS internal timestamping protocol, as we want a RFC 3161 compliant time stamping server.

    /td sha256 => for SHA256 timestamping

    Hope that helps...

    Wednesday, September 24, 2014 2:57 PM
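The signtool switches listed in the post above (`/fd sha256`, `/tr` with an RFC 3161 server, `/td sha256`) are shown here wrapped in a PowerShell function that signs a file, verifies it under the default Authenticode policy, and reports whether a timestamp countersignature is actually present. This is an added example, not code from the thread; it assumes `signtool.exe` from the Windows SDK is on the PATH, that the signing certificate is in the Windows certificate store (selected by its thumbprint, so no PFX password appears on the command line), and the timestamp URL is a placeholder to be replaced with your own TSA.

```powershell
# Added example (not from the thread). Assumes signtool.exe on PATH and the code
# signing certificate installed in the current user's or machine's store.
function Invoke-Sha256Sign {
    param(
        [Parameter(Mandatory)][string]$Path,        # file to sign (exe/msi/dll)
        [Parameter(Mandatory)][string]$Thumbprint,  # SHA-1 thumbprint of the signing cert in the store
        [string]$Rfc3161Url = 'http://timestamp.example.invalid'  # placeholder; use your RFC 3161 TSA
    )

    # /sha1 selects the certificate from the store; /fd sets the file digest,
    # /tr + /td request an RFC 3161 timestamp over a SHA-256 digest (not /t).
    & signtool.exe sign /sha1 $Thumbprint /fd sha256 /tr $Rfc3161Url /td sha256 $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

    # Verify under the default Authenticode policy (/pa) with verbose chain output.
    & signtool.exe verify /pa /v $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

    # Summarise what is on the file: signature status, signer, signer's cert
    # signature algorithm (sha256RSA vs sha1RSA) and the timestamp countersigner.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Status      = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        CertSigAlg  = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
        TimeStamper = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '(none)' }
    }
}

# Usage (values are illustrative):
# Invoke-Sha256Sign -Path .\Setup.exe -Thumbprint '<cert thumbprint>' -Rfc3161Url 'http://your.timestamping-server.url'
```

A `TimeStamper` of `(none)` after a successful sign means the TSA call failed or was skipped; the signature is still valid, but only until the certificate expires. Note that this path applies to the executables and MSIs that the original poster also signs with the same certificate; the ClickOnce manifests (.vsto/.manifest) are signed by Visual Studio, which, as the following reply confirms, uses Authenticode rather than RFC 3161 timestamping.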
  • Hi Robert,

    I'd be curious to learn more about what exact issue you were running into.  You are correct that currently VS's timestamping is Authenticode (non RFC3161) timestamping.  However, timestamping and actual code-signing should be completely orthogonal.  Timestamping, as I'm sure you know, only comes into play once a certificate is expired -- it preserves the notion that "this application was from a known publisher when published X years ago, and so it's still valid now".  But it should have no effect when the cert itself is still valid, and there is nothing "wrong" with having a SHA256 cert + Authenticode timestamping.

    If your experience is different, I'd be happy to learn more and understand how the tooling can help your experience,

    - Michael


    Michael Zlatkovsky | Program Manager, Visual Studio

    Friday, September 26, 2014 8:01 PM
    Moderator
  • Hi Michael,

    You can try it yourself. Take a SHA256 cert and use timestamping, publishing via ClickOnce (I used an Outlook Add-In). You won't be able to install as the publisher cannot be verified.

    To get it installed, add your URL (from where you install) to the Trusted Sites in IE. This is not necessary if you do not use timestamping, or a SHA1 certificate.

    Saturday, October 4, 2014 3:13 PM
  • Thanks, Robert.  We will investigate.

    Michael Zlatkovsky | Program Manager, Visual Studio

    Thursday, October 9, 2014 7:02 PM
    Moderator
    I am sorry you are running into this issue. I am trying to understand the steps that can reproduce the issue consistently. I have a machine with Visual Studio 2013 + Update 4. I created a VSTO add-in targeting .NET 4.5.2. Using this timestamp URL (http://timestamp.globalsign.com/scripts/timstamp.dll), I signed the app with a valid certificate.

    On installing the app I do not see an "Unknown publisher".  I get the expected publisher details as shown in the screenshot below:

    [Screenshot: ClickOnce Application Install - Security Warning]

    Hence my request is please could you provide the following details:

    1. Timestamp URL used in signing your app?
    2. Does this only occur when the certificate is a SHA-2 or does it happen with SHA-1 too?
    3. What version of Visual Studio and its updates are you on?
    4. What is the latest .NET framework version installed on your machine?

    I will be happy to investigate the issue further.

    Thanks,

    Ravi

    Friday, April 24, 2015 4:15 PM
    I still do not see an "Unknown publisher". I get the expected name.

    If one of you could provide details on timestamp URL, certificate type, version of Visual Studio and .NET that causes "Unknown publisher" then I can investigate further.

    Thursday, May 28, 2015 3:25 PM
    Thanks for the fix!
    Tuesday, July 26, 2016 11:36 AM