Signing a VSTO 2010 Excel Add-in, targeting .NET Framework 4.0, using a SHA-2 certificate

  • Question

  • Hi,

    I have a VSTO 2010 Excel add-in, targeting .Net Framework 4.0, Visual Studio 2010. 

    We were using a SHA-1 certificate for the past few years for signing the manifest and the assemblies. The application has been deployed for a lot of end-users. Now with the SHA-1 deprecation policy coming into effect from January 2016, the renewed certificate that has been issued by the CA is keyed using SHA-256. 


    In Visual Studio 2010, when I update the certificate and try to rebuild the project, contents of the generated .VSTO file looks like this:

    <assemblyIdentity name="ExcelAddIn1.vsto" version="1.0.0.1" publicKeyToken="2142698160a31911" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />
      <description asmv2:publisher="My Company" asmv2:product="ExcelAddIn1" xmlns="urn:schemas-microsoft-com:asm.v1" />
      <deployment install="false" />
      <compatibleFrameworks xmlns="urn:schemas-microsoft-com:clickonce.v2">
        <framework targetVersion="4.0" profile="Client" supportedRuntime="4.0.30319" />
        <framework targetVersion="4.0" profile="Full" supportedRuntime="4.0.30319" />
      </compatibleFrameworks>
      <dependency>
        <dependentAssembly dependencyType="install" codebase="ExcelAddIn1.dll.manifest" size="18274">
          <assemblyIdentity name="ExcelAddIn1.dll" version="1.0.0.1" publicKeyToken="2142698160a31911" language="neutral" processorArchitecture="msil" type="win32" />
          <hash>
            <dsig:Transforms>
              <dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
            </dsig:Transforms>
            <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <dsig:DigestValue>DIGEST VALUE</dsig:DigestValue>
          </hash>
        </dependentAssembly>
      </dependency>
    <publisherIdentity name="CN=, OU=, O=My Company, L=, S=, C=" issuerKeyHash="ISSUER HASH" />
    <Signature Id="StrongNameSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha256" />
        <Reference URI="">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />
          <DigestValue>DIGEST VALUE</DigestValue>

    Note that the DigestMethod for dependentAssembly is SHA1, whereas the DigestMethod for publisherIdentity is SHA256. ExcelAddIn1.dll.manifest also follows this pattern.


    On rebuilding the project in Visual Studio 2015, still targeting .NET framework 4.0, SHA1 is used as the DigestMethod everywhere in the .VSTO and .MANIFEST files.

    On updating the project to target .Net Framework 4.5.2 and building it, SHA256 is used throughout these files.

    I am able to work with both of these builds on a machine having Windows 7 SP1, Excel 2010 SP1, .Net Framework 4.5.2 and VSTO 4 Runtime 10.0.60724.

    Q1. How does the SHA-1 deprecation policy affect VSTO add-ins?

    Q2. Can I continue to use SHA-1 certificates for VSTO add-ins even after January 2016?

    Q3. Do I have to upgrade the .Net Framework version to be fully compliant about SHA-2 signing?

    Q4. What should be the timestamp URL while using SHA-2 certificates? mage.exe shipped with the SDK for .NET 4.0 does not have an option to specify the DigestAlgorithm; however, mage.exe that comes along with the SDK for .Net Framework 4.5.2 does have this option: -Algorithm <sha256RSA|sha1RSA> (-a).

    Thank you.


    Regards,
    CS

    Monday, December 21, 2015 2:44 PM

All replies

  • >>>Q1. How does the SHA-1 deprecation policy affect VSTO add-ins?

    Q2. Can I continue to use SHA-1 certificates for VSTO add-ins even after January 2016?<<<

    Effective January 1, 2016, Windows (version 7 and higher) and Windows Server will no longer trust any code that is signed with a SHA-1 code signing certificate and that contains a timestamp value greater than January 1, 2016. This restriction will not apply to the timestamp certificate or the certificate's signature hash until January 1, 2017, after which time, Windows will treat any SHA-1 timestamp or signature hash as if the code did not have a timestamp signature.

    For more information, see Windows Enforcement of Authenticode Code Signing and Timestamping.

    >>>Q3. Do I have to upgrade the .Net Framework version to be fully compliant about SHA-2 signing?

    Q4. What should be the timestamp URL while using SHA-2 certificates? mage.exe shipped with SDK for .NET 4.0 does not have an option to specify the DigestAlgorithm and , however mage.exe that come along SDK for .Net Framework 4.5.2 does have this option -Algorithm <sha256RSA|sha1RSA><<<

    You can use SHA 256 code-signing certificates even for applications that target the .NET Framework 4.0 or an earlier version. Before this update, the .NET Framework 4.5 had to be present on the client computer when a SHA 256 code-signing certificate was used for desktop applications published with ClickOnce or Visual Studio Tools for Office add-ins. If you have used SHA 256 code-signing certificates in the past, and have seen errors such as "The application is improperly formatted," "The manifest may not be valid," "Manifest XML signature is not valid," or "SignatureDescription could not be created for the signature algorithm supplied," this update resolves the problem for re-published and newly-published applications.

    For more information, see Description of Visual Studio 2013 Update 3.

    Tuesday, December 22, 2015 7:25 AM
  • Hello David,

    I had gone through the Visual Studio 2013 update that you mentioned and the related announcements on the VSTO blog. I built a sample project in VS 2010, VS 2013 SP4 & VS 2015 for trying out the SHA-2 certificate.

    On these versions of Visual Studio, when I build the project, targeting .Net Framework 4.0 and using a SHA-2 certificate, the tags in the .VSTO & .MANIFEST files are for SHA-1 only, not SHA-2. I believe this is the fix that enables the projects to work on a machine where .Net Framework 4.5 is not installed.

    Please have a look at the files generated by building a Excel 2010 VSTO Add-in, using various versions of Visual Studio:

    NOTE: The certificate used for all the following cases is keyed using SHA-2 algorithm.

    .VSTO generated by VS 2010 SP1, Target Framework 4.0:

    The DigestMethod Algorithm mentioned for the dependentAssembly's hash is SHA1, even when SHA2 certificate was used. 

    <dependentAssembly dependencyType="install" codebase="ExcelAddIn1.dll.manifest" size="18274">
          <assemblyIdentity name="ExcelAddIn1.dll" version="1.0.0.1" publicKeyToken="2142698160a31911" language="neutral" processorArchitecture="msil" type="win32" />
          <hash>
            <dsig:Transforms>
              <dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
            </dsig:Transforms>
            <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <dsig:DigestValue>DIGEST VALUE</dsig:DigestValue>
          </hash>
        </dependentAssembly>
    Under publisherIdentity tag, the SignatureMethod and the DigestMethod used is SHA256, which is according to the certificate's algorithm.
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha256" />
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />

    .VSTO generated by VS 2013 SP4 and VS 2015, Target Framework 4.0:

    Please note the algorithm mentioned in <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> tag is SHA1. Which is same as what gets generated by VS 2010.

    <dependentAssembly dependencyType="install" codebase="ExcelAddIn1.dll.manifest" size="16058">
          <assemblyIdentity name="ExcelAddIn1.dll" version="1.0.0.0" publicKeyToken="2142698160a31911" language="neutral" processorArchitecture="msil" type="win32" />
          <hash>
            <dsig:Transforms>
              <dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
            </dsig:Transforms>
            <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <dsig:DigestValue>DIGEST VALUE</dsig:DigestValue>
          </hash>
        </dependentAssembly>

    Similarly, under the publisherIdentity tag, SignatureMethod and DigestMethod are still using SHA1. VS 2010 and VS 2013 SP1 have SHA-2 here. 

    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    Will this work/be supported even after January 2016/17?

    .VSTO generated by VS 2013 SP4 and VS 2015, Target Framework 4.5.2:

    Please note the algorithm mentioned in <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha2" /> tag is SHA2.

    <dependentAssembly dependencyType="install" codebase="ExcelAddIn1.dll.manifest" size="16058">
          <assemblyIdentity name="ExcelAddIn1.dll" version="1.0.0.0" publicKeyToken="2142698160a31911" language="neutral" processorArchitecture="msil" type="win32" />
          <hash>
            <dsig:Transforms>
              <dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
            </dsig:Transforms>
            <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha2" />
            <dsig:DigestValue>DIGEST VALUE</dsig:DigestValue>
          </hash>
        </dependentAssembly>

    SignatureMethod and DigestMethod are now indicating SHA2 algorithm.

    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha2" />
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha2" />

    It seems that the update in VS 2013 SP3 (also available in VS 2015) is using/enforcing the algorithm as per the .Net Framework being targeted. 

    For .Net Framework 4.0, the DigestMethod and SignatureMethod are always SHA1, irrespective of the certificate used. Now the add-in works on a machine having only .Net 4.0, as the VSTO/ClickOnce loader does not have to deal with SHA2 at all.


    So, considering that SHA-2 certificates have to be used starting January 2016, what should be the configuration used for signing the add-in with SHA-2 certificate?

    1. VS 2010, .Net Framework 4.0 and SHA-2 certificate (Does not work without .Net Framework 4.5 or newer installed on the machine)

    2. VS 2015, .Net Framework 4.0 and SHA-2 certificate (This is no different from using SHA-1 certificates. The VSTO files have only SHA-1 entries, not sure whether this will work after January 2016)

    3. VS 2015, .Net Framework 4.5.2 and SHA-2 certificate (Not suitable for me. I need to keep the target framework as 4.0)

    I am installing the Excel add-ins on machines offline. They are always loaded from the file system.

    [HKEY_CURRENT_USER\Software\Microsoft\Office\Excel\Addins\ExcelAddin1]
    "Description"="ExcelAddin1 - COM add-in created with Visual Studio Tools for Office"
    "FriendlyName"="ExcelAddin1"
    "Manifest"="file:///C:/published/Addins/ExcelAddin1.vsto|vstolocal"
    "LoadBehavior"=dword:00000003

    Thank you.


    Regards,
    CS

    Wednesday, December 23, 2015 12:53 PM
  • >>>So, considering that SHA-2 certificates have to be used starting January 2016, what should be the configuration used for signing the add-in with SHA-2 certificate?

    Apps published with ClickOnce that use a SHA-256 code-signing certificate.
    The executable is signed with SHA256. Previously, it was signed with SHA1 regardless of whether the code-signing certificate was SHA-1 or SHA-256. This applies to:
    • All applications built with Visual Studio 2012 or later.
    • Applications built with Visual Studio 2010 or earlier on systems with the .NET Framework 4.5 present.
    In addition, if the .NET Framework 4.5 or later is present, the ClickOnce manifest is also signed with SHA-256 for SHA-256 certificates regardless of the .NET Framework version against which it was compiled.

    Apps published with ClickOnce that use a SHA-256 code-signing certificate.
    ClickOnce apps that target the .NET Framework 4 or earlier versions and are signed with an SHA-256 certificate no longer have a runtime dependency on the .NET Framework 4.5 or a later version.

    For more information, see Application Compatibility in the .NET Framework 4.5
    and Runtime Changes in the .NET Framework 4.6.

    • Marked as answer by David_JunFeng Tuesday, January 5, 2016 1:39 AM
    • Unmarked as answer by C_S Tuesday, January 5, 2016 10:52 AM
    Friday, December 25, 2015 7:55 AM
  • Hello David,

    I had been through the links you have posted but they do not answer my question.

    If I sign a .Net 4.0 VSTO add-in with SHA256 certificate, the output files still use SHA1 everywhere. I had provided the excerpts from the .VSTO and .MANIFEST files in my previous post. Is this expected/desired and future proof considering SHA1 deprecation?

    I have uploaded a sample ExcelAddIn project which does not have any special implementation. On setting the target framework version as 4.0 the .vsto and .manifest files produced by the build are using SHA1 algorithm throughout.

    Just change the target framework version to 4.5 and rebuild the project. Now the .vsto and .manifest files use SHA256 throughout.

    The Debug folder generated for both the framework versions are also present in the uploaded ExcelAddIn1.zip file for your reference.

    The project gets built using .Net framework 4.0 and SHA256 certificate, but the files generated on building are still using SHA1. This is the concern.

    This behavior is also observed while creating Strong Name Key in VS 2015.

    Here are two screenshot of the dialog box:

    1. Trying to create a key with target .Net Framework 4.0. Note that the signature algorithm combo box is fixed to SHA1. SHA256 is not allowed here.

    2. Trying to create a key with target .Net Framework 4.5. Here we have an option to use SHA1 or SHA256.

    VS 2015, Create Strong Name Key allows SHA256 when targeting .Net Framework 4.5

    As an alternative I tried to sign VSTO project using SHA256 certificate from command line using mage.exe

    1. Build the sample project with framework 4.0 

    2. Update and sign the .manifest & .vsto using SHA256 certificate through mage.exe from the .Net Framework 4.6 SDK. 

    cd "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.6 Tools\"
    
    mage -update "C:\Projects\ExcelAddIn1\ExcelAddIn1\bin\Debug\ExcelAddIn1.dll.manifest" -fd "C:\Projects\ExcelAddIn1\ExcelAddIn1\bin\Debug\" -a sha256RSA -cf "C:\Certificate\SHA2_Cert.pfx" -pwd "******" -ti "http://timestamp.verisign.com/scripts/timstamp.dll"
    
    mage -sign "C:\Projects\ExcelAddIn1\ExcelAddIn1\bin\Debug\ExcelAddIn1.dll.manifest" -a sha256RSA -cf "C:\Certificate\SHA2_Cert.pfx" -pwd "******" -ti "http://timestamp.verisign.com/scripts/timstamp.dll"
    
    mage -update "C:\Projects\ExcelAddIn1\ExcelAddIn1\bin\Debug\ExcelAddIn1.vsto" -appmanifest "C:\Projects\ExcelAddIn1\ExcelAddIn1\bin\Debug\ExcelAddIn1.dll.manifest" -a sha256RSA -cf "C:\Certificate\SHA2_Cert.pfx" -pwd "******" -ti "http://timestamp.verisign.com/scripts/timstamp.dll"
    
    mage -sign "C:\Projects\ExcelAddIn1\ExcelAddIn1\bin\Debug\ExcelAddIn1.vsto" -a sha256RSA -cf "C:\Certificate\SHA2_Cert.pfx" -pwd "******" -ti "http://timestamp.verisign.com/scripts/timstamp.dll"
    After this, ExcelAddIn1.vsto and ExcelAddIn1.dll.manifest have SHA256 everywhere, which is as desired. Now this add-in does not load on any machine where .Net Framework 4.5 or newer is not installed. The VSTO runtime installed on all the machines is the latest version available - 10.0.60724.

    On trying to load the add-in (with SHA-2 via mage) on machines with only .Net Framework 4.0 installed, I get an exception saying the following:

    System.Deployment.Application.InvalidDeploymentException: Exception reading manifest from file://C:/published/ExcelAddIn1/ExcelAddIn1.vsto: the manifest may not be valid or the file could not be opened. ---> System.Deployment.Application.InvalidDeploymentException: Manifest XML signature is not valid. ---> System.Security.Cryptography.CryptographicException: SignatureDescription could not be created for the signature algorithm supplied.

    The same add-in works well on machines having .Net Framework 4.5 or newer.

    So far it seems that in order to have a SHA256 keyed VSTO application, I need to upgrade to .Net Framework 4.5 or newer.


    Regards,
    CS


    • Edited by C_S Tuesday, January 5, 2016 10:54 AM
    Tuesday, January 5, 2016 10:52 AM
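Added example for this thread (not part of any post, and not Microsoft tooling): a short Python script that reads a .vsto or .dll.manifest file and reports, separately, the dependency <hash> DigestMethod and the XML signature's DigestMethod and SignatureMethod, flags any SHA-1 algorithm URI, and flags an rsa-sha256 SignatureMethod as needing .NET Framework 4.5 on the client, which is the failure mode shown in the last post ("SignatureDescription could not be created"). It covers both the manifest comparison in the December 23 post and the mage re-signing result in the January 5 post. The embedded manifests are constructed skeletons modelled on the fragments quoted above, using the page's own algorithm URIs; they are not real build output, and a real manifest carries many more elements. The `sample_manifest` helper and the three named samples are assumptions made for the example.

```python
"""Audit the digest and signature algorithms in a ClickOnce/VSTO manifest.

Added example for this thread (not from any post or from Microsoft tooling).
"""
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"

# The two SHA-1 algorithm URIs that appear in the manifests quoted in the thread.
SHA1_URIS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
}


def audit_manifest(xml_text):
    """Report which hash algorithms one .vsto / .dll.manifest file uses.

    Dependency hashes (<hash> under <dependentAssembly>) and the XML-DSig
    <Signature> block are listed separately, because the thread shows
    toolchains that mix them (SHA-1 dependency digest, SHA-256 signature).
    """
    root = ET.fromstring(xml_text)

    inside_signature = set()   # ids of every element under a <Signature>
    signature_methods = []
    for sig in root.iter(DSIG + "Signature"):
        inside_signature.update(id(el) for el in sig.iter())
        signature_methods += [sm.get("Algorithm", "") for sm in sig.iter(DSIG + "SignatureMethod")]

    dependency_digests, signature_digests = [], []
    for dm in root.iter(DSIG + "DigestMethod"):
        bucket = signature_digests if id(dm) in inside_signature else dependency_digests
        bucket.append(dm.get("Algorithm", ""))

    everything = dependency_digests + signature_digests + signature_methods
    return {
        "dependency_digests": dependency_digests,
        "signature_digests": signature_digests,
        "signature_methods": signature_methods,
        # Any SHA-1 URI is what the 2016/2017 deprecation timeline concerns.
        "uses_sha1": any(a in SHA1_URIS for a in everything),
        # The last post shows an rsa-sha256 manifest signature failing on a client with
        # only .NET Framework 4.0 ("SignatureDescription could not be created ...").
        "signature_needs_net45": any(m.endswith("rsa-sha256") for m in signature_methods),
    }


def sample_manifest(dep_digest, sig_method, sig_digest):
    """Constructed manifest skeleton in the shape quoted in the thread (assumption, not real build output)."""
    return f"""<asmv1:assembly manifestVersion="1.0"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2"
    xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <assemblyIdentity name="ExcelAddIn1.vsto" version="1.0.0.1" publicKeyToken="2142698160a31911"
      language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />
  <dependency>
    <dependentAssembly dependencyType="install" codebase="ExcelAddIn1.dll.manifest" size="18274">
      <hash>
        <dsig:Transforms>
          <dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="{dep_digest}" />
        <dsig:DigestValue>DIGEST VALUE</dsig:DigestValue>
      </hash>
    </dependentAssembly>
  </dependency>
  <Signature Id="StrongNameSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="{sig_method}" />
      <Reference URI="">
        <DigestMethod Algorithm="{sig_digest}" />
        <DigestValue>DIGEST VALUE</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>SIGNATURE VALUE</SignatureValue>
  </Signature>
</asmv1:assembly>"""


SHA1, RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA256, RSA_SHA256 = "http://www.w3.org/2000/09/xmldsig#sha256", "http://www.w3.org/2000/09/xmldsig#rsa-sha256"

# The three shapes described in the thread, reproduced as constructed input.
VS2010_NET40 = sample_manifest(SHA1, RSA_SHA256, SHA256)   # mixed: the opening post
VS2015_NET40 = sample_manifest(SHA1, RSA_SHA1, SHA1)       # SHA-1 throughout
MAGE_SHA256 = sample_manifest(SHA256, RSA_SHA256, SHA256)  # after mage -a sha256RSA

if __name__ == "__main__":
    for name, text in [("VS2010/4.0", VS2010_NET40), ("VS2015/4.0", VS2015_NET40), ("mage/sha256", MAGE_SHA256)]:
        print(name, audit_manifest(text))
```

To use it on a real build, read the .vsto and the .dll.manifest from the publish folder and pass each file's text to audit_manifest; the two buckets are kept apart deliberately, since the dependency digest and the manifest signature can disagree, and only the signature algorithm determines whether a .NET 4.0-only client can verify the file.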