
I'm trying to sign my clickonce app. I have an EV code signing certificate that is using SHA256. The problem is that when I sign my app using the post build commands, it seems to be using SHA1 instead of SHA256. Here is a clip of the output window:

Running Code Analysis...
1>  Code Analysis Complete -- 0 error(s), 0 warning(s)
1>  The following certificate was selected:
1>      Issued to: Certificate Subject Name Here
1>  
1>      Issued by: DigiCert EV Code Signing CA (SHA2)
1>  
1>      Expires:   Thu Apr 14 06:00:00 2016
1>  
1>      SHA1 hash: HASH-HERE
1>  
1>  
1>  Done Adding Additional Store
1>  Successfully signed and timestamped: C:\Users\AnyBody\Documents\Visual Studio 2013\Projects\My Project\Project Folder\obj\x86\My Configuration\MyProgram.exe
1>  
1>  
1>  Number of files successfully Signed: 1
1>  
1>  Number of warnings: 0
1>  
1>  Number of errors: 0

Here is the post build command I am using:

"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe" sign /fd SHA256 /t "http://timestamp.digicert.com" /n "Certificate Subject Name Here" /v "$(ProjectDir)obj\x86\$(ConfigurationName)\$(TargetFileName)"

I can see that MyProgram.exe.deploy has the digital signature attached when I look at the file's properties.

There are no errors returned when I run signtool /verify.

When I try to launch the app, I get the error "Application validation did not succeed. Unable to continue".

In the details of the error message, there is this line:

+ File, MyProgram.exe, has a different computed hash than specified in manifest.

When I open and look at the manifest, the hash for MyProgram.exe is specified as SHA256.

What could be the problem? What is making signtool refuse to use SHA256? From what I've read, it should be using SHA256 by default.

I have uninstalled/reinstalled Visual Studio, the Windows SDK, and all installed .NET libraries to no avail.

I'm really hoping someone has some idea...

jwitt98

1 Answer


Are you having this issue with a WPF application? If so signing the executable in the AfterCompile target should resolve your problem. That worked for me.

More discussion on this can be found here:

Apparently when Phil signs his executable using PostBuild or BeforePublish commands, when the user installs it, he gets the dreaded “exe has a different computed hash than specified in the manifest” error. He found that using AfterCompile instead fixed the problem.

http://robindotnet.wordpress.com/2013/04/14/windows-8-and-clickonce-the-definitive-answer-revisited/

user1592890

This is correct... part of the problem was that the executable was getting signed after the manifests were being generated which was causing the executable to have a different hash than specified in the manifest. This can also be solved by using the mage tool to update the manifests after publishing. The other thing causing confusion was the reference to the SHA1 hash. It turns out that the SHA1 was a reference to the thumbprint of the certificate and not an indication that the application was being signed using SHA1 – jwitt98 Mar 05 '14 at 03:26

For the benefit of other users if you want to use SHA256 certificates for code signing and manifest signing you need to use at least the .NET Framework 4.5 versions of the [SignTool.exe (Sign Tool)](http://msdn.microsoft.com/en-us/library/8s9b9yaz%28v=vs.110%29.aspx) and [Mage.exe (Manifest Generation and Editing Tool)](http://msdn.microsoft.com/en-us/library/acz3y3te%28v=vs.110%29.aspx) programs. It appears previous versions only support SHA1. – AlwaysLearning Sep 11 '14 at 02:09
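Putting the answer's AfterCompile advice together with the comments' note about SHA256-capable tooling, here is an added MSBuild fragment for the .csproj (example code, not from the original post or the linked blog). The signtool.exe path and certificate subject are placeholders, and it uses the standard $(IntermediateOutputPath) property instead of the hard-coded obj\x86 path from the question, so it follows whatever platform and configuration is being built.

```xml
<!-- Added example: sign the compiled exe in obj\ with SHA256 *before* the ClickOnce
     manifests are generated, so the hash recorded in the manifest is the hash of the
     signed file. A Post-build event runs after GenerateManifests, which is why the
     question's setup produced "has a different computed hash than specified in manifest". -->
<PropertyGroup>
  <!-- Placeholder path: use a signtool.exe from a .NET 4.5 or later SDK (older ones only do SHA1) -->
  <SignToolExe>C:\Path\To\SDK\bin\signtool.exe</SignToolExe>
  <!-- Placeholder: the subject name of the EV code signing certificate in the user store -->
  <SignSubject>Certificate Subject Name Here</SignSubject>
  <SignTimestampUrl>http://timestamp.digicert.com</SignTimestampUrl>
  <!-- $(IntermediateOutputPath) is obj\&lt;platform&gt;\&lt;configuration&gt;\ relative to the project -->
  <SignTarget>$(ProjectDir)$(IntermediateOutputPath)$(TargetFileName)</SignTarget>
</PropertyGroup>

<!-- AfterCompile is an override hook that runs right after CoreCompile and before
     GenerateManifests, unlike PostBuildEvent, which runs after the manifests exist. -->
<Target Name="AfterCompile">
  <!-- /fd SHA256 selects the file digest algorithm; /v prints the certificate details -->
  <Exec Command="&quot;$(SignToolExe)&quot; sign /fd SHA256 /t &quot;$(SignTimestampUrl)&quot; /n &quot;$(SignSubject)&quot; /v &quot;$(SignTarget)&quot;" />
  <!-- Fail the build early if the Authenticode signature does not verify under the default policy -->
  <Exec Command="&quot;$(SignToolExe)&quot; verify /pa /v &quot;$(SignTarget)&quot;" />
</Target>
```

The "SHA1 hash:" line that signtool prints in the question's output is the certificate thumbprint, not the file digest; the digest algorithm actually used is the one given by /fd and shows up under "verify /v" as the hash algorithm of the signature.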