8 votes

For my Windows-based application, I would like to use ClickOnce as the deployment technology. My application will be distributed via the Internet.

In the article ClickOnce and Authenticode, I read that:

For ClickOnce applications, you must have an Authenticode certificate that is valid for code signing. You can obtain a certificate for code signing in one of three ways:

  1. Purchase one from a certificate vendor.

  2. Receive one from a group in your organization responsible for creating digital certificates.

  3. Generate your own certificate with MakeCert.exe, which is included with the Windows Software Development Kit (SDK).

In my case, number 2 is not applicable.

As I read a few rows later:

By default, ClickOnce applications signed with self-certs and deployed over the Internet cannot utilize Trusted Application Deployment.

(Emphasis mine.)

I cannot understand the meaning of this "by default". Is option #3 possible or not in my case?

And then, to understand all the possibilities, what does #1 imply? ("Purchase one from a certificate vendor") What kind of certificate should I buy? Which certificate authority can be recommended? On what does the choice depend? How much does a certificate cost?


2 Answers

12 votes

It must be a "Microsoft Authenticode Certificate". It allows us to sign all kinds of Windows executables and code, including .exe, .cab, .dll, .ocx, and .xpi files.

It is not mandatory to sign an application, but if we do it our users won’t see a warning message stating that the author of the software is unknown.

Microsoft Authenticode Certificates need to be issued by a trusted certificate authority. Unfortunately, the prices are quite expensive. More information and some examples are on the page Microsoft Authenticode Certificates.

UPDATE I purchased the certificate through KSoftware, which is a Comodo retailer. The price is quite good compared to alternatives: $95/year. The process is faster than I expected: I applied in the morning and in the evening my certificate was already available. (For those interested, I followed this step-by-step guide.)
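As an added example (not code from the original answer), the PowerShell below shows the difference between a self-signed certificate from option 3 and a CA-issued certificate from option 1 in concrete terms: both carry the code-signing EKU and both can sign a ClickOnce manifest, but only the CA-issued one chains to a trusted root on the user's machine, which is what "by default" in the quoted documentation is about. It then signs the manifests with mage.exe from the Windows SDK. The subject name, publish folder, manifest file names, timestamp URL and the assumption that mage.exe is on the PATH are illustrative, not taken from the page.

```powershell
# Added example: classify code-signing certificates and sign ClickOnce manifests.
# Names, paths and the timestamp URL below are assumptions for illustration.

$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning, the EKU ClickOnce requires

function Test-CodeSigningCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $hasEku = [bool]($Certificate.EnhancedKeyUsageList |
        Where-Object { $_.ObjectId -eq $CodeSigningEku })
    $now = Get-Date
    $inValidity = ($now -ge $Certificate.NotBefore) -and ($now -lt $Certificate.NotAfter)
    $selfSigned = $Certificate.Subject -eq $Certificate.Issuer
    # Verify() builds the chain against this machine's trusted roots. A certificate
    # from MakeCert.exe or New-SelfSignedCertificate fails here unless its root was
    # manually installed, which is exactly why Trusted Application Deployment does
    # not work with such a certificate by default.
    $chainsToTrustedRoot = $Certificate.Verify()

    [pscustomobject]@{
        Thumbprint          = $Certificate.Thumbprint
        Subject             = $Certificate.Subject
        HasCodeSigningEku   = $hasEku
        InValidityPeriod    = $inValidity
        SelfSigned          = $selfSigned
        ChainsToTrustedRoot = $chainsToTrustedRoot
        CanSignManifest     = $hasEku -and $inValidity
        PublisherTrusted    = $hasEku -and $inValidity -and $chainsToTrustedRoot
    }
}

# 1. A throwaway self-signed certificate, equivalent to what option 3 (MakeCert.exe) gives you.
$testCert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Example ClickOnce Test Publisher' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddYears(1)
Test-CodeSigningCertificate -Certificate $testCert
# Expect: HasCodeSigningEku True, SelfSigned True, ChainsToTrustedRoot False,
#         CanSignManifest True, PublisherTrusted False

# 2. Every code-signing certificate already in the store, e.g. one bought from a CA (option 1).
#    A CA-issued certificate shows SelfSigned False and ChainsToTrustedRoot True.
Get-ChildItem 'Cert:\CurrentUser\My' -CodeSigningCert |
    ForEach-Object { Test-CodeSigningCertificate -Certificate $_ } |
    Format-Table Subject, SelfSigned, ChainsToTrustedRoot, PublisherTrusted -AutoSize

# 3. Sign the ClickOnce manifests with the chosen certificate. mage.exe is assumed to be on
#    the PATH (it ships with the Windows SDK). -CertHash picks the certificate by thumbprint
#    from the store; -TimestampUri makes the signature verifiable after the certificate expires.
#    The application manifest is signed first, then the deployment manifest is updated so it
#    references the new hash of the application manifest and is signed itself.
$thumbprint = $testCert.Thumbprint                 # swap in the CA-issued thumbprint for release
$publishDir = 'C:\publish\MyApp'                   # assumed publish output folder
$timestamp  = 'http://timestamp.digicert.com'      # assumed RFC 3161 timestamp server
$appManifest    = Join-Path $publishDir 'MyApp.exe.manifest'
$deployManifest = Join-Path $publishDir 'MyApp.application'

& mage.exe -Sign $appManifest -CertHash $thumbprint -TimestampUri $timestamp
& mage.exe -Update $deployManifest -AppManifest $appManifest -CertHash $thumbprint -TimestampUri $timestamp

# 4. Confirm the result the way the ClickOnce runtime will see it.
Get-AuthenticodeSignature $deployManifest | Format-List Status, SignerCertificate
```

Run it in an elevated or normal PowerShell session on Windows; step 1 writes a certificate into the current user's personal store, so remove it afterwards with Remove-Item on its thumbprint path if it was only for testing. The last step reports Status as NotTrusted for the self-signed certificate and Valid for a CA-issued one, which is the practical answer to the question: option 3 lets you sign, but end users will still get the "unknown publisher" prompt until they trust your root themselves.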

1 vote

See my answer to Stack Overflow question How to sign a ClickOnce application.

I would definitely suggest getting a proper code-signing certificate - your application install screen will look much nicer in this case. Personally, I got my code-signing certificate from http://startssl.com - and it was $100 or so in total (and you get wild-card domain certificate for your website as well as a bonus). It's much cheaper than going with VeriSign or TrustWave.