11
votes

I'm trying to sign my ClickOnce app. I have an EV code signing certificate that is using SHA256. The problem is that when I sign my app using the post build commands, it seems to be using SHA1 instead of SHA256. Here is a clip of the output window:

Running Code Analysis...
1>  Code Analysis Complete -- 0 error(s), 0 warning(s)
1>  The following certificate was selected:
1>      Issued to: Certificate Subject Name Here
1>  
1>      Issued by: DigiCert EV Code Signing CA (SHA2)
1>  
1>      Expires:   Thu Apr 14 06:00:00 2016
1>  
1>      SHA1 hash: HASH-HERE
1>  
1>  
1>  Done Adding Additional Store
1>  Successfully signed and timestamped: C:\Users\AnyBody\Documents\Visual Studio 2013\Projects\My Project\Project Folder\obj\x86\My Configuration\MyProgram.exe
1>  
1>  
1>  Number of files successfully Signed: 1
1>  
1>  Number of warnings: 0
1>  
1>  Number of errors: 0

Here is the post build command I am using:

"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe" sign /fd SHA256 /t "http://timestamp.digicert.com" /n "Certificate Subject Name Here" /v "$(ProjectDir)obj\x86\$(ConfigurationName)\$(TargetFileName)"

I can see that MyProgram.exe.deploy has the digital signature attached when I look at the file's properties.

There are no errors returned when I run signtool /verify.

When I try to launch the app, I get the error "Application validation did not succeed. Unable to continue".

In the details of the error message, there is this line:

+ File, MyProgram.exe, has a different computed hash than specified in manifest.

When I open and look at the manifest, the hash for MyProgram.exe is specified as SHA256.

What could be the problem? What is making signtool refuse to use SHA256? From what I've read, it should be using SHA256 by default.

I have uninstalled/reinstalled Visual Studio, the Windows SDK and all installed .NET libraries, to no avail.

I'm really hoping someone has some idea...

1 Answer

7
votes

Are you having this issue with a WPF application? If so, signing the executable in the AfterCompile target should resolve your problem. That worked for me.

More discussion on this can be found here:

Apparently when Phil signs his executable using PostBuild or BeforePublish commands, when the user installs it, he gets the dreaded “exe has a different computed hash than specified in the manifest” error. He found that using AfterCompile instead fixed the problem.

http://robindotnet.wordpress.com/2013/04/14/windows-8-and-clickonce-the-definitive-answer-revisited/
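An MSBuild AfterCompile target that implements the answer's suggestion, added here as an example and not code from the question, the answer or the linked post. The signtool path and certificate subject are the question's own placeholder values; property names (SignToolPath, SignCertSubject) are assumptions.

```xml
<!-- Added example (not from the post): place inside the .csproj, after the
     <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" /> line.
     Signing in AfterCompile puts the Authenticode signature on the exe before
     ClickOnce generates the application manifest, so the SHA-256 hash recorded
     in the manifest is computed over the already-signed file. A signature
     appended by a post-build or BeforePublish step changes the file after it
     was hashed, which is what produces the "different computed hash" error. -->
<Target Name="AfterCompile">
  <PropertyGroup>
    <!-- Values taken from the question; adjust the SDK path to your installation. -->
    <SignToolPath>C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe</SignToolPath>
    <SignCertSubject>Certificate Subject Name Here</SignCertSubject>
  </PropertyGroup>

  <!-- @(IntermediateAssembly) is the compiled exe under obj\<platform>\<configuration>\,
       the same file the question's post-build command points at. /fd SHA256 selects
       the SHA-256 file digest; /t adds an Authenticode timestamp as in the question. -->
  <Exec Command="&quot;$(SignToolPath)&quot; sign /fd SHA256 /t http://timestamp.digicert.com /n &quot;$(SignCertSubject)&quot; /v &quot;@(IntermediateAssembly->'%(FullPath)')&quot;" />

  <!-- Exec fails the build on a non-zero exit code, so an unverifiable signature
       stops the build before ClickOnce publishing starts. -->
  <Exec Command="&quot;$(SignToolPath)&quot; verify /pa /v &quot;@(IntermediateAssembly->'%(FullPath)')&quot;" />
</Target>
```

Because the exe is signed before the manifest is generated, the SHA256 file hash in the application manifest matches the deployed MyProgram.exe.deploy.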