11
votes

All of a sudden my unexpired certificate created using makecert/pvk2pfx is throwing an error when attempting to publish a ClickOnce application. This worked fine just last week...

Error Message:

Error 2 An error occurred while signing: Failed to sign bin\Debug\app.publish\setup.exe. SignTool Error: The signer's certificate is not valid for signing. SignTool Error: An error occurred while attempting to sign: bin\Debug\app.publish\setup.exe

When I use the "Create Test Certificate" option in the Signing tab that certificate works fine and the application is published successfully.

When manually creating my certificate with makecert/pvk2pfx I'm following the MSDN instructions.

When I delete my old manually created certificate, create a new one using makecert/pvk2pfx and try to use that one I get the same error.

The application is a WPF application targeting .NET 4, and this is all in Visual Studio 2010...

Any ideas?

3 Answers

23
votes

It worked for me after I specified a certificate length greater than 1024:

makecert -sv MyApp.pvk -n "CN=MyCompany" -len 2048 MyApp.cer -r
pvk2pfx -pvk MyApp.pvk -spc MyApp.cer -pfx MyApp.pfx -po MyPassword

Microsoft released an update that affects all certificates having an RSA key less than 1024 bits long.

Microsoft Security Advisory: Update for minimum certificate key length

8
votes

After using the -r switch (create a self signed certificate) with Makecert, the pfx certificate generated with pvk2pfx now works for ClickOnce publishing... I am not sure exactly what happened here since the old key that was not "self signed" worked fine for a long time...

Exact commands I used to create the working pfx certificate...

makecert -sv MyApp.pvk -n "CN=MyCompany" MyApp.cer -r

pvk2pfx -pvk MyApp.pvk -spc MyApp.cer -pfx MyApp.pfx

1
votes

I had a Visual Studio 2013 project that I could sign with a (Visual Studio-generated) pfx file, but that same certificate would not work using the SignTool, no matter what I did.

I then started making new certs using MakeCert and Pvk2Pfx, and that didn't work either. I tried changing the encryption from SHA1 to SHA512, changing the key length from 256 to 2048 (as suggested elsewhere), changing the version of SignTool, etc, etc.

I must have checked 1,000 different links containing "The Signer's Certificate Is Not Valid For Signing".

I'm summarizing the main things that will most likely fix the problem. This is all based on generating a new pfx file; the Visual Studio-generated one won't be usable.

  1. Generate your .cer and .pvk files using MakeCert with the -len switch set to at least 1024 - or, better for future-proofing, 2048 - and the all-important -r switch which self-signs the certificate. I explicitly added an end date (using -e 12/31/2039) and SHA256 encryption algorithm (-a SHA256). I suggest adding a password.
  2. Generate your .pfx file from the .cer and .pvk files using Pvk2Pfx with the standard/default switches.
  3. Use SignTool to sign the assembly, using -p {YourPassword} matching the MakeCert-provided password.
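
The procedure above, combined with the key-length point from the accepted answer, as an added PowerShell example that is not part of the question or any of the answers. It assumes makecert.exe, pvk2pfx.exe and signtool.exe from the Windows SDK are on PATH, Windows PowerShell 5.1 (or .NET 4.6 or later for the RSA key accessor), and that the subject, file names, password and target executable are placeholders to replace. The `Test-SigningCertificate` function is added here to inspect the PFX before SignTool sees it, so a key shorter than 1024 bits is caught with a clear message instead of "The signer's certificate is not valid for signing".

```powershell
# Added example: create a self-signed 2048-bit code-signing certificate with
# makecert, bundle it into a PFX with pvk2pfx, check the properties the answers
# identify as decisive, then sign with signtool.
# Assumptions: makecert/pvk2pfx/signtool are on PATH; names below are placeholders.

$ErrorActionPreference = 'Stop'

$Subject  = 'CN=MyCompany'                         # placeholder subject
$Pvk      = 'MyApp.pvk'
$Cer      = 'MyApp.cer'
$Pfx      = 'MyApp.pfx'
$Password = 'MyPassword'                           # placeholder PFX password
$Target   = 'bin\Debug\app.publish\setup.exe'      # file to sign (placeholder path)

# Step 1: self-signed (-r) certificate, 2048-bit RSA key (-len), SHA-256
# signature (-a), exportable private key (-pe), valid to end of 2039 (-e).
# Without -len the key can fall under the 1024-bit minimum enforced by the
# Microsoft key-length update linked in the accepted answer.
& makecert -r -pe -n $Subject -len 2048 -a sha256 -e 12/31/2039 -sv $Pvk $Cer

# Step 2: private key + certificate into a password-protected PFX (-f overwrites).
& pvk2pfx -pvk $Pvk -spc $Cer -pfx $Pfx -po $Password -f

# Check: load the PFX and report key size, self-signed status and algorithm.
function Test-SigningCertificate {
    param([string]$Path, [string]$PfxPassword)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $PfxPassword)
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

    $keySize    = if ($rsa) { $rsa.KeySize } else { 0 }
    $selfSigned = ($cert.Subject -eq $cert.Issuer)

    [pscustomobject]@{
        Subject    = $cert.Subject
        KeySize    = $keySize
        SelfSigned = $selfSigned
        SigAlg     = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA
        NotAfter   = $cert.NotAfter
        HasKey     = $cert.HasPrivateKey
        # RSA keys shorter than 1024 bits are rejected after the key-length update.
        Usable     = ($keySize -ge 1024 -and $cert.HasPrivateKey)
    }
}

$info = Test-SigningCertificate -Path $Pfx -PfxPassword $Password
$info | Format-List
if (-not $info.Usable) {
    throw "$Pfx has a $($info.KeySize)-bit key or no private key; regenerate with makecert -len 2048."
}

# Step 3: sign with the PFX; /p is the PFX password, /fd the file digest algorithm.
& signtool sign /f $Pfx /p $Password /fd SHA256 /v $Target
```

Run it from a Developer Command Prompt (or any shell where the SDK tools resolve) in the project directory. If `KeySize` prints 512 or `SelfSigned` prints False for a PFX you made earlier, that PFX is the one SignTool is refusing; delete it and regenerate rather than trying further SignTool switches.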