Untrusted Publisher error with VSTO Add-In

  • Question

This is a continuation of the issue described here.

    I am attempting to deploy an Excel VSTO Add-In that is signed using a SHA-256 certificate attached to a physical card. I work in an enterprise environment that locks down Excel pretty tightly, and I am unable to get my Add-In to install correctly. After installing the Add-In, I receive the following error when opening Excel:

    --------------------------------------------------------

    The solution cannot be installed because it is signed by a publisher whom you have not yet chosen to trust. If you trust the publisher, add the certificate to the Trusted Publisher list.

    ************** Exception Text **************

    System.Security.SecurityException: The solution cannot be installed because it is signed by a publisher whom you have not yet chosen to trust. If you trust the publisher, add the certificate to the Trusted Publisher list.
        at Microsoft.VisualStudio.Tools.Office.Runtime.OfficeAddInDeploymentManager.VerifyAddInTrust(ClickOnceAddInTrustEvidence evidence)
        at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.VerifySecurity(ActivationContext context, Uri manifest, AddInInstallationStatus installState)
        at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()

    The Zone of the assembly that failed was:
    MyComputer

    --------------------------------------------------------

    I'm running/targeting the following configuration:
    -- Visual Studio Enterprise 2015, Update 3 (14.0.25431.01)
    -- Microsoft Office Developer Tools for Visual Studio 2015 14.0.23025
    -- Target .NET framework: 4.6.1
    -- VSTO Runtime 2010 (10.0.60825)
    -- Microsoft Office Professional Plus 2013 (15.0.4569.1506)

    I have tried signing the application with my enterprise code-signing card as well as a test certificate generated by Visual Studio. I have added the certificates to both the Trusted Root Certification Authorities store and the Trusted Publishers store using certmgr. In the Excel Trust Center, the certificates appear in the Trusted Publishers list.

    Any ideas on why the code signature is not working? Are there other possible settings (perhaps Group Policy settings?) that may be blocking the successful loading of the add-in?

    Friday, November 17, 2017 2:01 PM

All replies

  • Hello,

    In my opinion, if you have installed the certificate into the Trusted Root Certification Authorities store and the Trusted Publishers store, permission would be granted and the add-in would be loaded.

    Did you try to sign the add-in with other certificates which have been installed in the Trusted Root Certification Authorities store?

    I suggest you go to Excel Options -> Trust Center -> Trusted Publishers, select your certificate and view its detail. Select Certification Path and check Certificate status. Is it "This certificate is OK"?

    You could also open registry editor, go to Computer\HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0 to see if there are any group policy settings.

    Regards,

    Celeste


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Monday, November 20, 2017 6:58 AM
    Moderator
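    The checks suggested above (certification path status, store membership and the Office policy keys) can be run from PowerShell instead of clicking through the Trust Center dialog. The script below is an added example, not code from this thread; `$Thumbprint` is a placeholder for the SHA-1 thumbprint shown on the certificate's Details tab, and `15.0` is the Office 2013 policy key from the reply.

```powershell
# Added example, not from the thread. Inspects a code-signing certificate:
# which stores hold it, whether Windows can build its certification path for
# the Code Signing application policy, and which Office policy values are set.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint   # placeholder: paste from the certificate dialog
)
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()

# 1. Store membership. Office reads publisher trust from Trusted Publishers;
#    the chain must also end in a Root store, and any intermediate must be
#    locatable (CA store, or downloadable via the AIA extension).
$stores = 'Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher',
          'Cert:\CurrentUser\Root',             'Cert:\LocalMachine\Root',
          'Cert:\CurrentUser\CA',               'Cert:\LocalMachine\CA',
          'Cert:\CurrentUser\My'
foreach ($store in $stores) {
    $hit = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
           Where-Object { $_.Thumbprint -eq $Thumbprint }
    '{0,-42} {1}' -f $store, $(if ($hit) { 'present' } else { '-' })
}

$cert = Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in any store" }

# 2. Certification path, built the way a code-signature check builds it:
#    Code Signing EKU (1.3.6.1.5.5.7.3.3) and online revocation checking.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$codeSigning = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
$chain.ChainPolicy.ApplicationPolicy.Add($codeSigning) | Out-Null
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$built = $chain.Build($cert)
"Chain builds without errors: $built"
foreach ($element in $chain.ChainElements) {
    '  ' + $element.Certificate.Subject
    foreach ($s in $element.ChainElementStatus) {
        '    status: {0} - {1}' -f $s.Status, $s.StatusInformation.Trim()
    }
}
# PartialChain: an intermediate could not be found. UntrustedRoot: the path
# ends in a certificate that is in no Root store. RevocationStatusUnknown:
# the CRL/OCSP endpoint named in the certificate could not be reached.

# 3. Office policy values under HKCU (an HKLM equivalent may also exist).
$policyRoot = 'HKCU:\Software\Policies\Microsoft\Office\15.0'
if (Test-Path $policyRoot) {
    $keys = @(Get-Item -Path $policyRoot) + @(Get-ChildItem -Path $policyRoot -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            '{0}\{1} = {2}' -f $key.Name, $name, $key.GetValue($name)
        }
    }
} else {
    "No policy key at $policyRoot"
}
```

    A card certificate that shows "This certificate is OK" in the dialog can still fail here if the dialog was evaluated without the Code Signing application policy or with revocation checking disabled, so the chain status lines are the part worth comparing between the working test certificate and the card certificate.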
  • Celeste,

    I created a self-signed certificate using the New-SelfSignedCertificate command in PowerShell, added it to the Trusted Root Certification Authorities and Trusted Publisher stores, and signed my add-in using it. The add-in then loaded correctly. I'm not sure why this would work for a self-signed certificate and not the certificate of my key card. The status of my key card certificate is OK. Comparing the properties of my self-signed certificate and my key card certificate, the properties are nearly identical:

    Enhanced Key Usage: Code Signing (1.3.6.1.5.5.7.3.3)
    Key Usage: Digital Signature (80)
    Public key: RSA (2048 Bits)
    Public key parameters: 05 00
    Signature algorithm: sha256RSA
    Signature hash algorithm: sha256
    Thumbprint algorithm: sha1
    Version: V3

    My self-signed certificate notes that it is intended for "All issuance policies"; this language is not included on my key card certificate. Additionally, my key card certificate has data for the following properties, which are absent from the self-signed certificate:

    Authority Information Access
    Authority Key Identifier
    Certificate Policies
    CRL Distribution Points
    Subject Alternative Name
    Subject Key Identifier

    Another difference is that the self-signed certificate is trusted directly; the key card certificate has an intermediate certificate before getting to a trusted root certificate authority. This seems to be the case even if I add the key card certificate directly to the root certificate stores.

    I didn't see any group policies that would have an obvious impact on this issue.

    Thanks for all your help.


    • Edited by leprendun Tuesday, November 21, 2017 1:14 PM additional information
    Tuesday, November 21, 2017 1:11 PM
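    The post above isolates two structural differences: the card certificate chains through an intermediate rather than being trusted directly, and it carries extensions (AKI, SKI, SAN, and so on) that the self-signed test certificate lacks. The script below is an added example, not leprendun's code; it builds a test chain (root, intermediate, code-signing leaf) with `New-SelfSignedCertificate -Signer`, which requires the Windows 10 / Server 2016 version of the cmdlet, and places each certificate in the store an enterprise PKI would use. Subject names and the SAN e-mail address are placeholders. It reproduces the intermediate hop, SAN, SKI and AKI, not AIA, CRL Distribution Points or Certificate Policies, which need a real CA.

```powershell
# Added example, not from the thread. Builds a three-level test chain so the
# add-in can be re-signed with a leaf that is NOT directly trusted, to test
# whether the intermediate hop alone reproduces the "untrusted publisher" error.
$ErrorActionPreference = 'Stop'

$root = New-SelfSignedCertificate -Subject 'CN=Test Root CA (example)' `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyUsage CertSign, CRLSign `
    -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(2) `
    -TextExtension @('2.5.29.19={critical}{text}CA=true&pathlength=1')

$inter = New-SelfSignedCertificate -Subject 'CN=Test Issuing CA (example)' `
    -Signer $root -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsage CertSign, CRLSign -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 -NotAfter (Get-Date).AddYears(2) `
    -TextExtension @('2.5.29.19={critical}{text}CA=true&pathlength=0')

# -Type CodeSigningCert sets the Code Signing EKU (1.3.6.1.5.5.7.3.3);
# the SAN extension (2.5.29.17) is added to mirror the card certificate.
$leaf = New-SelfSignedCertificate -Subject 'CN=Test Add-In Publisher (example)' `
    -Signer $inter -Type CodeSigningCert -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsage DigitalSignature -HashAlgorithm sha256 -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(1) `
    -TextExtension @('2.5.29.17={text}email=addin-publisher@example.invalid')

# Place each certificate where Windows and Office expect it: root in Root,
# intermediate in CA (never in Root), leaf in Trusted Publishers. Importing
# into CurrentUser\Root prompts for confirmation.
$tmp = Join-Path $env:TEMP 'vsto-test-chain'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
Export-Certificate -Cert $root  -FilePath "$tmp\root.cer"  | Out-Null
Export-Certificate -Cert $inter -FilePath "$tmp\inter.cer" | Out-Null
Export-Certificate -Cert $leaf  -FilePath "$tmp\leaf.cer"  | Out-Null
Import-Certificate -FilePath "$tmp\root.cer"  -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
Import-Certificate -FilePath "$tmp\inter.cer" -CertStoreLocation Cert:\CurrentUser\CA | Out-Null
Import-Certificate -FilePath "$tmp\leaf.cer"  -CertStoreLocation Cert:\CurrentUser\TrustedPublisher | Out-Null

# Which of the extensions the post lists does this leaf actually carry?
$wanted = 'Authority Information Access', 'Authority Key Identifier', 'Certificate Policies',
          'CRL Distribution Points', 'Subject Alternative Name', 'Subject Key Identifier'
foreach ($name in $wanted) {
    $present = $leaf.Extensions | Where-Object { $_.Oid.FriendlyName -eq $name }
    '{0,-30} {1}' -f $name, $(if ($present) { 'present' } else { 'absent' })
}
"Leaf thumbprint for the project's Signing tab: $($leaf.Thumbprint)"
```

    Sign the add-in with the leaf (select it by thumbprint in the project's Signing tab) and reload Excel. If this chained test certificate loads but the card certificate still does not, the intermediate hop is ruled out and the remaining suspects are the extensions this script cannot reproduce, in particular whether the card certificate's CRL and AIA endpoints are reachable from the locked-down workstation.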
  • Hello,

    It seems your certificate could not be recognized as trusted. How do you create the certificate?

    In your original post, you said you get the same error when you sign the add-in using a test certificate created by VS. I suggest you create a new cert and test again. The test certificate is intended for all issuance policies and all application policies. I think it would work if you import the test certificate into trusted root and trusted publisher store.

    Regards,

    Celeste


    MSDN Community Support

    Wednesday, November 22, 2017 9:46 AM
    Moderator
  • Celeste,

    Apologies for the delayed response, I've been on another project.

    Since my original post, I've created a test certificate using the PowerShell New-SelfSignedCertificate cmdlet in order to match my hardware-based certificate as closely as possible. The certificate created through this process works correctly.

    The code-signing certificate provided by my workplace is stored on a physical ID card. I have no control over how these certificates are created, although if I can identify in what manner they are failing I can raise the issue with management.

    Monday, December 4, 2017 2:23 PM
  • You may confirm with IT or the certificate provider about the issue. If you have any new issues about VSTO projects or the Office Object Model, please feel free to post on this forum.


    MSDN Community Support

    Tuesday, December 5, 2017 2:55 AM
    Moderator
  • leprendun,
    Same issue here.
    Test certificates working fine, however original DigiCert EV certificate is not.
    Was the issue solved? If so, please help by posting the solution.
    Thanks in advance.

    Regards
    Ras
    Tuesday, July 7, 2020 4:53 PM