Do I really need to sign my VSTO Add-in Click Once Manifests?

  • Question

  • When I worked on our Excel Add-in project, I remember getting some compiler error or warning in VS 2012 (I don't remember the exact wording or why it manifested) but it was something along the lines of the Click Once Manifests needed to be signed. At the time I went through the steps of self-signing the Add-in's .dll using a PFK file I generated via VS and then installed on our local Dev machines and the build machine. Further into the project an Installer was eventually created for the Add-In using WiX. Recently the certificate is saying it's expired. Before we go through the steps of updating the certificate, can someone explain to me if we even need to sign the manifests at all if we're using a custom installer? 


    Wednesday, January 7, 2015 8:46 PM

All replies

  • Hello jasonlbeal,

    In my experience it has been totally worth signing the add-in dll(s) and the msi in my builds.
    Anytime I've had a Click Once fail or an Add-in not load it's always because it needed to be signed.

    Sometimes it bites me right away and sometimes it's down the line when IT decides to enforce a GPO requiring all add-ins to be trusted.

    Not really an explanation of WHY but just sharing my input saying in my travels it's completely worth the headache to maintain a signing cert.

    I hope that helps sir.


    Thank you,
    Nick Metnik

    Please mark my response as helpful if it has helped you in any way or as the answer if it is a valid solution.
    Blog: http://nickmetnik.wordpress.com/
    LinkedIn: https://www.linkedin.com/in/nickmetnik

    Some of the best connections I made in the past were SQL connections.
    - ME

    Wednesday, January 7, 2015 9:42 PM
  • Thanks for your reply Nick.

    The problem is, we're not using ClickOnce deployment at all. We're using a custom built WiX installer. But VS forces the "Sign the ClickOnce manifests" option to be checked under "Signing" in the project properties page. If you uncheck it (and even go so far as to completely remove the setting and its associated settings directly from the .csproj file), the next time you build the project it auto-checks it. I don't really understand this setting at all or why it's needed but it doesn't give you an option to not use it. I guess that's what I'm looking to find out. 

    Thursday, January 8, 2015 12:23 PM
  • You can use a test certificate temporarily.

    Take a look at the Deploying an Office Solution by Using ClickOnce article which states the following:

    Before a solution can run on user computers, either you must grant trust or users must respond to a trust prompt when they install the solution. To grant trust to the solution, sign the manifests by using a certificate that identifies a known and trusted publisher. See Trusting the Solution by Signing the Application and Deployment Manifests.

    Thursday, January 8, 2015 2:05 PM
  • I see Jason.  That's really interesting that it auto checks.  I don't have a good answer to that.
    Speaking from experience I'd still sign the dlls and the msi though if you can.  My add-ins do not use ClickOnce either but I'm always using a valid cert so I guess this just never came up for me.  Sorry I wasn't much help and good luck sir.

    Thank you,
    Nick Metnik

    Thursday, January 8, 2015 4:07 PM
  • Hi Jason

    I was just wondering if you ever resolved this issue as we have the same... need to apply a certificate for the ClickOnce deployment (which we will not be using) but the build server will later be signing the assemblies with an EV certificate.

    Cheers

    Craig.

    Tuesday, October 30, 2018 11:11 AM
  • Hey Craig, I recall there was no easy solution. We bit the bullet and signed the click-once manifests.  
    Tuesday, October 30, 2018 12:57 PM