VS2012 .NET 4.0 Clickonce VSTO CryptographicException: SignatureDescription could not be created for the signature algorithm supplied

  • Question

  • I have a VS2010 .NET 4.0 VSTO Outlook Addin project that I wish to migrate to VS2012 (but keep it in .NET 4.0). It compiles fine, and runs from inside the IDE just fine, but when I attempt to run the published ClickOnce installer, I get the following exception:

    System.Deployment.Application.InvalidDeploymentException: Exception reading manifest from file://MyPath/MyAddIn.vsto: the manifest may not be valid or the file could not be opened. ---> System.Deployment.Application.InvalidDeploymentException: Manifest XML signature is not valid. ---> System.Security.Cryptography.CryptographicException: SignatureDescription could not be created for the signature algorithm supplied.

    Based on my tests and online research (here and there), it appears that just having VS2012 installed on my machine (whether I publish from VS2010 or VS2012) forces the ClickOnce installer to require a SHA1 certificate when using .NET 4.0. My existing SHA256 certificate works perfectly fine with .NET 4.0 when compiled using VS2010 (tested without VS2012 installed). I can't easily downgrade my certificate from SHA256 to SHA1. I also can't upgrade to .NET 4.5 because this is a VSTO40 project (plus my users are still using Windows XP). The easiest option is to remain stuck in VS2010. Perhaps I can re-sign the manifest in a post-publish build event? (I already have a PostPublish build action that I can hook into.) Are there any other suggestions to allow me to move forward?

    Note: Also asked on http://stackoverflow.com/questions/16803528/vs2012-net-4-0-clickonce-vsto-cryptographicexception-signaturedescription-coul
    • Edited by Lee J Grissom Wednesday, May 29, 2013 5:08 PM Moved note to bottom
    Wednesday, May 29, 2013 5:07 PM

Answers

  • Hi Lee,

    As you have mentioned, the issue is caused by the .NET Framework 4.5 runtime using SHA-256 as the default algorithm. However, SHA-1 is used by default prior to .NET Framework 4.0.

    As far as I know, there are currently only two ways to solve the problem. You should either install .NET Framework 4.5 on the client machines (however, that is not possible for Windows XP), or recreate the certificate using the SHA-1 algorithm. If you are using a test certificate generated by VS, you can go to the Signing tab of your application's property page, and then re-select or re-create a certificate using the SHA-1 algorithm.

    Best regards,


    Chester Hong
    MSDN Community Support | Feedback to us
    Develop and promote your apps in Windows Store
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Friday, May 31, 2013 6:28 AM
    Moderator
  • Hi Chester,

    It doesn't make good sense for the .NET 4.5 framework to introduce this breaking behavior. As I said, SHA-256 works just fine in "virgin" .NET 4.0. Only when the "in-place" .NET 4.0 assembly update is done by .NET 4.5 does the SHA-256 ClickOnce signing create a problem. Such a shame. So my only two choices, it seems, are: create a separate build machine that does not have .NET 4.5 installed, or create and deploy a new certificate that uses SHA-1 as the algorithm. At any rate, thanks for the answer.

    -Lee

    Friday, May 31, 2013 7:59 PM

All replies

  • Hi Lee,

    I think Visual Studio is making the changes because SHA-1 is not recommended for the generation of digital signatures by NIST.

    http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf

    Sorry for any inconvenience that may cause.

    Best regards,


    Chester Hong
    MSDN Community Support | Feedback to us

    Monday, June 3, 2013 10:06 AM
    Moderator
  • Hi Lee,

    In Visual Studio 2013 Update 3, released earlier today, the issue has been addressed. From http://blogs.msdn.com/b/vsto/archive/2014/08/04/visual-studio-2013-update-3-released.aspx:

    #2: Better design-time support for SHA256 code-signing certificates.

    In the past, using a SHA256 code-signing certificate would require a runtime dependency on having .NET Framework 4.5 or above installed on the runtime machine. Running the program without .NET 4.5 installed would result in an error: “Exception reading manifest … System.Deployment.Application.InvalidDeploymentException: Manifest XML signature is not valid. ---> System.Security.Cryptography.CryptographicException: SignatureDescription could not be created for the signature algorithm supplied.”

    With the latest update, Visual Studio now generates a manifest in a way that can be read and run by .NET 4.0, even if the certificate happens to be SHA256.

    Hope you find this useful,

    - Michael


    Michael Zlatkovsky | Program Manager, Visual Studio

    Tuesday, August 5, 2014 2:37 AM
    So which version of mage will support this?

    So far all mage versions create a sha256 signature, which does not work on a virgin Windows 7 PC.

    Is there a new sdk I can install on the build server? I do not use VS 2013 to build on the server. We use mage to generate manifests for click once.

    Thursday, September 24, 2015 9:29 PM
    I was in the same situation as you are and found out that even the latest version of Mage does not have the fix that they implemented in VS2013.3. However, you can call the code that VS2013.3 uses here: https://msdn.microsoft.com/en-us/library/dn771584(v=vs.121).aspx

    Hope that helps.

    Friday, September 25, 2015 2:57 PM
  • Yes. I found the location of the msbuild12 task dll where Microsoft added support for such backwards compatible signing. Created a standalone executable to reference their static methods. So now I have my custom signing utility. Using Mage to create manifests and this custom utility to sign. Works well. Thank you for your help.
    Saturday, September 26, 2015 2:10 PM
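A stand-alone signer of the kind the last two replies describe, written here as an added example; it is not code from the thread, from Microsoft, or from the poster's own utility. It assumes the MSBuild 12 task assembly Microsoft.Build.Tasks.v12.0.dll is available on the build server and that the SecurityUtilities.SignFile overload taking a targetFrameworkVersion argument (the dn771584 page linked above) is the entry point that yields a manifest a .NET 4.0 ClickOnce runtime can verify with a SHA-256 certificate. The program name, the "v4.0" value and the file paths are assumptions. After signing, it reads back the SignatureMethod algorithm URI(s) the manifest actually carries; that read-back is the check worth running on the build server, so a manifest that a .NET 4.0 client cannot verify is caught before publishing rather than at install time.

```csharp
// Added example, not code from the thread or from Microsoft.
// Build (assumed MSBuild 12 path):
//   csc /r:"C:\Program Files (x86)\MSBuild\12.0\bin\Microsoft.Build.Tasks.v12.0.dll" SignManifest.cs
// Usage:
//   SignManifest.exe <cert.pfx> <MyAddIn.vsto> [timestampUrl]
// The PFX password is read from the console rather than passed on the command
// line, so it does not end up in shell history or build logs.

using System;
using System.Security;
using System.Text;
using System.Xml;
using Microsoft.Build.Tasks.Deployment.ManifestUtilities;

static class SignManifest
{
    // XML Digital Signature namespace used by ClickOnce manifests.
    const string DsigNs = "http://www.w3.org/2000/09/xmldsig#";

    // Target framework string handed to MSBuild's signer (assumed value).
    const string TargetFramework = "v4.0";

    static int Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.Error.WriteLine("usage: SignManifest <cert.pfx> <manifest> [timestampUrl]");
            return 2;
        }
        string certPath = args[0];
        string manifestPath = args[1];
        // A null timestamp URL skips timestamping (assumed behaviour of SignFile).
        Uri timestampUrl = args.Length > 2 ? new Uri(args[2]) : null;

        using (SecureString password = ReadPassword())
        {
            // The five-argument overload is the one documented on dn771584; the
            // targetFrameworkVersion argument is what selects a signing layout the
            // .NET 4.0 runtime can read even though the certificate is SHA-256.
            SecurityUtilities.SignFile(certPath, password, timestampUrl, manifestPath, TargetFramework);
        }

        Console.WriteLine("SignatureMethod(s) written: " + SignatureMethodsOf(manifestPath));
        return 0;
    }

    // Reads the PFX password without echoing it to the console.
    static SecureString ReadPassword()
    {
        var secret = new SecureString();
        Console.Error.Write("PFX password: ");
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace)
            {
                if (secret.Length > 0) secret.RemoveAt(secret.Length - 1);
            }
            else
            {
                secret.AppendChar(key.KeyChar);
            }
        }
        Console.Error.WriteLine();
        secret.MakeReadOnly();
        return secret;
    }

    // Post-signing check: list the SignatureMethod Algorithm URI of every
    // XMLDSig Signature element in the manifest (a ClickOnce manifest can carry
    // more than one, e.g. the strong-name and Authenticode signatures), so a
    // build step can compare them against a manifest known to install on a
    // clean .NET 4.0 machine and fail fast on a mismatch.
    public static string SignatureMethodsOf(string manifestPath)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.Load(manifestPath);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("ds", DsigNs);
        XmlNodeList algorithms = doc.SelectNodes(
            "//ds:Signature/ds:SignedInfo/ds:SignatureMethod/@Algorithm", ns);
        if (algorithms == null || algorithms.Count == 0)
            return "(no XML signature found)";
        var sb = new StringBuilder();
        foreach (XmlNode attr in algorithms)
        {
            if (sb.Length > 0) sb.Append("; ");
            sb.Append(attr.Value);
        }
        return sb.ToString();
    }
}
```

SignatureMethodsOf can also be run on its own against a manifest produced by Mage or by an older Visual Studio, which is the quickest way to see what a given toolchain actually wrote into the .vsto before it reaches a Windows XP or clean Windows 7 client.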