Friday, October 16, 2009

ClickOnce manifest signing

Introducing Certification

When you get a Software Publisher Certificate (SPC) from a third party CA (say verisign)that is authorized by Microsoft to issue certificate, you actually get two files: a pvk and spc or cer file.

.pvk file which contains the private key information.

.spc or .cer file contains public key information.

In my discussion later I’ll consider having pvk and spc file for signing clickonce application.

To use this certificate you need to generate a Personal Information Exchange file (pfx). You can generate a pfx file from pvk and spc. For details information on how to generate pfx file follow here.


Visual Studio Support for Clickonce Manifest signing

Now I’ll consider that you have pfx file and you are ready to sign the clickonce manifest. To sign the clickonce manifest open the properties window of the project and then select signing tab. Then select the “Sign the ClickOnce maifests” check box and you’ll be prompted for selecting the pfx file. Open the pfx file and you’ll be prompted for password. After putting your password set the timestamp server url to The following figure shows the process in a whole.


Figure: Sign clickonce manifests.


Separate Signing from Developement

You are done! But this is not not I”m writing this post. The problem is in this process that if you have automated build management system (say using NAnt) then during build you’ll be prompted for password and you don’t want this. You actually want to separate the signing from development. You only need to bother about signing when you deploy on production server. if put directly select pfx file from Visual Studio then every developers will be prompted for the password during build (at least once, then VS will cache it). So you need some way to sign the Clickonce manifest, say in post build event. But Publish doesn’t have any event. So you can’t write post build event in Visual Studio project. So one way is to write batch script and run the script after production deployment build.

ClickOnce Manifest Internals

But before diving deep into the signing procedure let’s discuss about how actually ClickOnce manifest works. If you publish your clickonce app in E:\Clickonce folder then the root folder will contains a file named YOURAPPNAME.applicaiton. Then there will be a folder “Application Files\YOURAPPNAME_VERSION” and there’ll be sever files.


Figure: ClickOnce deployment folder structure.

Clickone has two types of manifests: application manifest and deployment manifest. Deployment manifest has one of the three extensions:

1) .applicaiton for executable applicaiton

2) .vsto for office applicaiton

3) .xbap for browser hosted wpf applicaiton

Application manifest has only one extension and that is .manifest.


Now if you want to manually sign clickonce manifest then you need to sign both application and deployment manifests. Clickonce manifests contains hashes of all/related files. The following figure shows how application and deployment manifest share hash value.


Figure: Application and Deployment manifest hash value calculation.

Sign application and deployment manifests

So if you sign clickonce manifest then you need to sign the application manifest first as deployment manifest depends on application manifest file. So lets’ start with then signing process:

1. Signthe application manifest:

If your application manifest has a .manifest extension and you’ll get the application manifest file in “Applicaiton Files\Application_VERSION” folder. The following command sign a manifest file with pfx.

mage -update MyApplicaiton.exe.manifest -certfile pfxfile.pfx -Password pfxfilepassword

The mage command will be available if you have .net SDK installed.

2. Sign the deployment manifest:

mage -update MyAppName.application -appmanifest MYAppName.exe.manifest -certfile pfxfile.pfx -Password pfxFilePassword

So you are done. But there few points to remember. If your application’s dlls are renamed with deploy then you need to remove this option either the sign will not work. You can remove the .deploy option from visual studio property window > Publish Tab > Options.


Figure: Remove .deploy extension from Visual Studio.

Now you can write a batch file which you can run after build and the batch file will sign the clickonce manifests and your manifest signing is totally different from your development.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.