Code Signing Reading Time: 4 minutes

How to sign ClickOnce manifests with Visual Studio

When a program, script, or macro is downloaded, a popup window asking, “Are you sure you want to run this?” will appear during installation or execution. or “Do you want to let the next program affect this computer?” Code signing is being used in this popup. Code signing tools are crucial because they distinguish between legitimate software and malicious or rogue code.

Code signing is a procedure that verifies the legitimacy of the author and the originality and authenticity of digital information, particularly software code. It also ensures that the information is not malicious code. Additionally, it guarantees that this information has not been altered, falsified, or canceled after being digitally signed.

 Your projects developed in Visual Studio with Visual Basics and Visual C# can be published and updated using ClickOnce. ClickOnce is a Microsoft technology used to deploy and update Windows desktop applications over the internet. It allows developers to publish their applications on a web server or network file share and make them available to users via a single click without any complex installation or configuration process.

While you publish your project using ClickOnce, you can sign ClickOnce manifests using a certificate. This will help prove the legitimacy of your application, and this process is called Code signing. Codesigning with ClickOnce provides several security features to ensure that the application and its updates are downloaded from a trusted source and that users are protected against potential security threats. It adds an extra layer of security to your application and can help increase user trust.

When you publish your project using ClickOnce without codesigning, such application when run by the user, a dialogue box is often prompted with a security warning.

ClickOnce without codesigning

But no such warnings are prompted when you Sign ClickOnce manifests with a code signing certificate.

Encryption Consulting has a CodeSigning solution, “CodeSign Secure,” which can help you with tamper-proof storage for the keys and complete visibility and control of Code Signing activities. The private keys of the code-signing certificate can be stored in an HSM to eliminate the risks associated with stolen, corrupted, or misused keys.

This solution provides a tool and certificate for signing ClickOnce manifests. You will have to install and configure the tool and follow the steps below to proceed.

  1. Install and Configure the tool (SigningKSP)
  2. From the command prompt, reach the directory where ECGetCert.exe is located.

    evcodesigning
  3. Run the command: ECGetCert.exe evcodesigning Here, evcodesigning is the certificate name that we are using for the codesigning purpose.

    This command will save evcodesigning.pem (certificatename.pem) file in the same directory

    Configure the tool (SigningKSP)
  4. Open certmgr.msc and navigate to Personal -> certificates. If there is no certificate folder, right-click on personal -> All Tasks -> Import

    cert certificates
  5. A Certificate import wizard Opens. Click on next; the store location here is, by default, the current user.

    Certificate import wizard
  6. On the next page, browse for the certificate. It should be saved in the same directory where EGGetCert. Exe is located. From there, select evcodesigning.pem (certificatename.pem). If you can’t see the file select all files at the bottom instead of X.509 certificate. Once the certificate is selected, click next.

    EGGetCert
    X.509 certificate
  7. On the other page, ensure that “Place all the certificates in the following store” is selected. Under that, the Certificate store is set to Personal. Click on next and then Click on Finish. You’ll see a dialogue box saying the import was successful.

    Certificate store
    certificate import
  8. Once the certificate import is done, you need the thumbprint value of your certificate. Click on Personal -> Certificates -> and then the imported certificate. Navigate to “Details” and scroll down to thumbprint. You can copy the value.

    certificate details

    Return to the command prompt. Run the following command. Ensure that you place the Thumbprint of your certificate in your command.

    certutil -f -repairstore -csp “Encryption Consulting Key Storage Provider” -user “My” 79656a9ce126fd0d1bb33f4dc73dba308f58b3ac

    Key Storage Provider
    ClickOnce Publish
  9. Once the command runs, navigate to the project in Visual Studio that you want to publish with ClickOnce.

  10. In the Solution Explorer, Right Click on your project and navigate to Publish. Click on it.

    ClickOnce publish
  11. A new dialogue box opens. Select ClickOnce and click on Next.

    ClickOnce Publish today
  12. On the next page, choose a publish location or leave the default bin\publish and click Next.

    leave the default bin
  13. You can choose the Install Location as per your choice or leave the default. Click on Next.

    Install Location
  14. Select your settings in the next tab as you like and click Next

    VS settings
  15. In Sign manifests, check the box “Sign the ClickOnce manifests” and click on select a certificate from the store.

    Sign the ClickOnce manifests

    A dialogue box opens with a certificate, which was initially imported. Click OK to proceed.

    open a certificate

    You can now see the certificate details in Sign manifests

    certificate details
  16. Click on next to choose your configuration and click on Finish.

  17. You’ll see Publish profile creation progress and a green tick when successful

    Publish profile creation
  18. You can see the Publish Profile created.

    ClickOnce manifests with Visual Studio

We have successfully signed ClickOnce manifests with Visual Studio. Click on Publish to publish your project.

Conclusion

With its digital signature and other security features, Signing ClickOnce manifests enables developers to establish the level of trust users should have in an application. This can decrease the probability that harmful software will be executed on a user’s machine. With the rapid increase in viruses and malware on applications online, it’s necessary to take such measures to prevent any damage. It’s always better to be safe than sorry.

To summarize, incorporating code signing into software security is crucial to safeguard it against malware attacks and tampering. Encryption Consulting’s Code Sign Secure offers various advantages, including seamless integration with development workflows, robust authentication and encryption, and customizable pricing options. To learn more about how you could use Code Sign Secure visit: www.encryptionconsulting.com/code-signing-solution/ or contact us at: [email protected]

Free Downloads

Datasheet of Code Signing Solution

Code signing is a process to confirm the authenticity and originality of digital information such as a piece of software code.

Download

About the Author

Surabhi Dahal's profile picture

Surabhi is consultant at Encryption consulting, working with Code Signing and development. She leverages her adept knowledge of HSMs and PKIs to implement robust security measures within software applications. Her understanding of cryptographic protocols and key management practices enables her to architect secure code signing solutions tailored to meet the requirements of enterprise environments. Her interests include exploring the realm of cybersecurity through the lens of digital forensics. She enjoys learning about threat intelligence, understanding how adversaries operate, and comprehend strategies to defend against potential attacks.

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.

Request a demo