Updating a Digital Certificate

Ken Puls
Posts: 34
Joined: 2014-12-17
Hi team,

I've recently gone through the process of updating my digital certificate. After months of waiting for OV validation to show up in the form, I'm coming to the conclusion that something isn't working properly in my signing, and am looking to figure out what (if anything) I've missed here.

Short back story is that I purchased a Code Signing certificate from Comodo (which is issued by Sectigo). When we applied it to our original ClickOnce installer, everything worked nicely, as shown in the first image shown here: https://www.add-in-express.com/creating-addins-blog/2015/03/17/windows-office-security-guide-developers/

Of course, that cert expired, so we got a new one from the same place. But now, after installing it, I'm getting the second image from that article (Publisher cannot be verified) , which is indicating to me that it hasn't been successfully applied.

So here's what I have done:
- I have configured the Signing Options to use the new certificate to "Sign project output, loaded and manifest". I selected the certificate from File, and left it with the SHA-1 and SHA-256 configs checked. I then chose the pfx file and entered the password to apply it.
- I then went to Publish, repopulated the files, and selected the new certificate "From File" here. Once again applied the password and left SHA-1 and SHA-256 selected. I then chose to Publish.

Is there something else that I should have done? I cannot figure out why I'm getting the security warning here.

I do see the following file as part of my project (in the root folder of my project), which does not appear to have been updated since 2021:
- <myproject>.snk

So far as I can tell though, this file has never been included in the Publish folder content at all. Does this file need an update, or is the original version to be expected here?

Any help would be really appreciated, as I'd really like to get rid of this annoyance and update my documentation to get this right in future.

Thanks!
Ken Puls, FCPA, FCMA, MS MVP
Posted 14 Dec, 2022 17:37:37

Ken Puls
Posts: 34
Joined: 2014-12-17
I've done some more digging (still coming up short here). According to the Visual Studio 2022 documentation there are also signing options available in the properties of my application.

I've gone to Project -> <my add-in> Properties -> Signing

In that area the ability to sign the Click Once manifests is greyed out (I assume because Add-in Express takes control of this?), but "Sign the Assembly" is checked and pointing to my snk file. Does that need to be updated and/or should it be pointing to my pfx instead?
Ken Puls, FCPA, FCMA, MS MVP
Posted 15 Dec, 2022 20:01:43

Andrei Smolin
Add-in Express team
Posts: 18830
Joined: 2006-05-11
Hello Ken,

I'm sorry for the delay; I need to have an expert look at this.

.SNK - this is about signing your assembly with a so-called strong name; see https://learn.microsoft.com/en-us/dotnet/standard/assembly/strong-named.

.PFX is one of the file extensions used for digital certificates.

Using a strong name guarantees that the specified assembly will be loaded, not another version of it, with another language, etc. Using a digital certificate guarantees that the signed assembly comes from you, not from a hacker or anyone else.

Ken Puls writes:
In that area the ability to sign the Click Once manifests is greyed out

That's because ClickOnce doesn't let you deploy a DLL; it only deploys .EXE files.

Regards from Poland (GMT+1),

Andrei Smolin
Add-in Express Team Leader
Posted 19 Dec, 2022 06:47:22

Ken Puls
Posts: 34
Joined: 2014-12-17
Thanks Andrei, I am looking forward to hearing what the expert has to say. I also appreciate the clarification on the snk, pfx and greyed out options.
Ken Puls, FCPA, FCMA, MS MVP
Posted 19 Dec, 2022 11:39:22

Andrei Smolin
Add-in Express team
Posts: 18830
Joined: 2006-05-11
Hello Ken,

Ken Puls writes:
Of course, that cert expired, so we got a new one from the same place. But now, after installing it, I'm getting the second image from that article (Publisher cannot be verified), which is indicating to me that it hasn't been successfully applied.

Do you install on a machine where the previous add-in version is installed? If so, ClickOnce doesn't let you do this: after changing the certificate, you have to uninstall the previous version manually, and then install the new version.

Ken Puls writes:
So far as I can tell though, this file has never been included in the Publish folder content at all.

It shouldn't.

Regards from Poland (GMT+1),

Andrei Smolin
Add-in Express Team Leader
Posted 20 Dec, 2022 07:15:14

Ken Puls
Posts: 34
Joined: 2014-12-17
Andrei Smolin writes:
Do you install on a machine where the previous add-in version is installed? If so, ClickOnce doesn't let you do this: after changing the certificate, you have to uninstall the previous version manually, and then install the new version.

Hi Andrei,

No... this is being reported to me by new users, not existing ones. (The existing ones generally seem to trust me, so aren't worried about it.) You can see by downloading the trial version from https://monkeytools.ca. I test this on a clean VM every time I do a new publish.
Ken Puls, FCPA, FCMA, MS MVP
Posted 21 Dec, 2022 19:22:29

Andrei Smolin
Add-in Express team
Posts: 18830
Joined: 2006-05-11
Hello Ken,

As far as we know, if the certificate that you use is an EV Code Signing certificate, then ClickOnce doesn't support it. Could you create a test Windows Forms application and publish it using that certificate? Does starting the .application file show the publisher?

I downloaded the .application file and ran it. BTW, turns out I have your .application file from May-2021 :) Your add-in shows Custom UI Runtime Error messages saying that the Ribbon IDs FlyoutAnchorPowerQueryNewQuery and PowerQueryGetTransformDataMenu aren't recognized. To see the messages, make sure you have this flag selected:

Outlook 2010+:
- Click File -> Options -> Advanced
- In the Developer section of the details pane, select Show add-in user interface errors and then click OK.

Office 2010+ (except for Outlook, see above):
- Click File -> Options -> Advanced
- In the General section of the details pane, select Show add-in user interface errors and then click OK.

Regards from Poland (GMT+1),

Andrei Smolin
Add-in Express Team Leader
Posted 22 Dec, 2022 08:24:11

Ken Puls
Posts: 34
Joined: 2014-12-17
Andrei Smolin writes:
As far as we know, if the certificate that you use is an EV Code Signing certificate, then ClickOnce doesn't support it

Fair enough. Their Code Signing certificate is an OV cert. I know this because OV certs can't be automatically renewed, meaning that I'm going to have to go through this every 3 years.

Andrei Smolin writes:
Ribbon IDs FlyoutAnchorPowerQueryNewQuery and PowerQueryGetTransformDataMenu aren't recognized

Yeah, unfortunately there isn't much I can do about this. These two idMSOs are needed in Excel 2016, but then Microsoft REMOVED them from 2019 on. With no way to conditionally compile a ribbon, I'm kind of stuck here. The good news is that only developers really need this flag on, so it has only affected one of my users. One day I'll be able to drop support for Excel 2016, but unfortunately not yet.

Back to the signing thing, here is what is so weird... I've attached a pic of the build which shows the certificate is being applied.

[img]https://1drv.ms/u/s!AuhhLgCXSCKKgYQrqS--dAGPlEvcGA?e=4TfNWh[/img]

I'm still confused as to why this works, but the installer doesn't recognize it...

[img]https://1drv.ms/u/s!AuhhLgCXSCKKgYQsykRKh5IGp54rUQ?e=D43qAz[/img]
Ken Puls, FCPA, FCMA, MS MVP
Posted 28 Dec, 2022 14:31:47

Andrei Smolin
Add-in Express team
Posts: 18830
Joined: 2006-05-11
Hello Ken,

Thank you. Screenshot #1 shows that the *add-in* is signed with no problem. Screenshot #2 shows that the *installer* isn't signed. So the problem should originate from the Publish dialog. Do you use the new certificate on it?

Regards from Poland (GMT+1),

Andrei Smolin
Add-in Express Team Leader
Posted 29 Dec, 2022 07:30:39
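Added example (not Add-in Express or the poster's code) for the two points raised in this thread: the difference between the .snk strong name and the .pfx Authenticode certificate, and the diagnosis that the add-in is signed while the installer is not. The script lists, for every file in a ClickOnce publish folder, whether it carries an Authenticode signature (setup.exe and other PE files) or an embedded manifest certificate (.application/.manifest) and whether that certificate matches the thumbprint you expect. It checks for the presence of the embedded certificate, not the cryptographic validity of the manifest XML-DSig; the folder path and thumbprint are placeholders.

```powershell
# Added example, not Add-in Express or the poster's code. Reports which files in a
# ClickOnce publish folder actually carry a signature and whether it is the expected
# certificate. Path and thumbprint below are placeholders.
function Test-PublishSignatures {
    param(
        [Parameter(Mandatory)] [string] $PublishDir,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    # 1. PE files (the setup.exe bootstrapper and any .exe/.dll not renamed to .deploy):
    #    Authenticode via WinVerifyTrust. Status is Valid, NotSigned, HashMismatch, ...
    Get-ChildItem -Path $PublishDir -Recurse -Include *.exe, *.dll | ForEach-Object {
        $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
        $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        [pscustomobject]@{
            File       = $_.Name
            Kind       = 'Authenticode'
            Status     = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
            Thumbprint = $thumb
            Expected   = ($thumb -eq $ExpectedThumbprint)
        }
    }

    # 2. ClickOnce manifests (.application, .manifest): the signing certificate is
    #    embedded as base64 in the XML-DSig KeyInfo/X509Data/X509Certificate element
    #    (signer first; chain certificates, if embedded, follow). No element at all
    #    means the manifest was published without a certificate.
    Get-ChildItem -Path $PublishDir -Recurse -Include *.application, *.manifest | ForEach-Object {
        $xml = New-Object System.Xml.XmlDocument
        $xml.Load($_.FullName)
        $node = $xml.GetElementsByTagName('X509Certificate') | Select-Object -First 1
        $cert = $null
        if ($node) {
            $bytes = [Convert]::FromBase64String($node.InnerText)
            $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        }
        [pscustomobject]@{
            File       = $_.Name
            Kind       = 'Manifest'
            Status     = if ($cert) { 'Signed' } else { 'NotSigned' }
            Signer     = if ($cert) { $cert.Subject } else { '-' }
            Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
            Expected   = ($cert -and $cert.Thumbprint -eq $ExpectedThumbprint)
        }
    }
}

# Usage with placeholders: any row with Expected = False is the artefact still carrying
# the old certificate or no signature, which is what produces the publisher prompt.
Test-PublishSignatures -PublishDir 'C:\path\to\publish' -ExpectedThumbprint 'NEW-CERT-THUMBPRINT' |
    Format-Table File, Kind, Status, Signer, Expected -AutoSize
```

Run it against the folder ClickOnce actually uploads, not the project's bin folder: the strong-name .snk plays no part in this output, since the strong name lives inside the assembly and is not what the installer's publisher check looks at.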
Ken Puls
Posts: 34
Joined: 2014-12-17
Hi Andrei,

Meaning this one, correct? Yes... signed with the same certificate...

[img]https://1drv.ms/u/s!AuhhLgCXSCKKgYQt7KO7PCuGv6x4ug?e=eMDGRt[/img]
Ken Puls, FCPA, FCMA, MS MVP
Posted 29 Dec, 2022 14:26:08