Using EV Certificate With ClickOnce

6
votes

My company purchased an EV Certificate from Symantec to use for a software product we produce. Specifically it is called: Symantec Class 3 Extended Validation Code Signing CA – G2.

To develop and build this product we use Visual Studio 2013, and we use ClickOnce as the publish and installer mechanism. The problem we are having is that ClickOnce is unable to apply the EV Certificate using it’s built-in signing mechansim. ClickOnce can see the Certificate just fine, and allows us to select it with the “Select from Store…” button. It shows all of the correct information in the Certificate window. But when we Publish the following error is encountered:

An error occurred while signing: Failed to sign bin\Release\app.publish\setup.exe. SignTool Error: An unexpected internal error has occurred.”

Note that we are able to use SignTool.exe to apply the EV Certificate from the command line, so the problem is not with that program.

Has anyone had experience with this combination of EV Certificate and ClickOnce? Is there a different EV Certificate that we should buy that works better with ClickOnce?

2
visual-studio-2012certificateclickoncesigntoolsymantec
I assume that you received the certificate in a hardware eToken. Are you using the SafeNet drivers to use it?Max
Yes, we have a hardware eToken and are using the SafeNet drivers. We know those are working because we can bind the EV certificate using SignTool.exe and Mage.exe without any problem.Drew Stoddard
SafeNet was also working with signtool and mage without problem apart from the ClickOnce certifiactes signing, but changing the register value seems to have solved it.Max

2 Answers

16
votes

I had the exact same problem a few days ago and the Digicert after-sales service has been able to to solve it. Try to check the value of this register key (in regedit):

HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Cryptography/Providers/SafeNet Smart Card Key Storage Provider/Aliases

The value should be "eToken Base Cryptographic Provider" and not "eToken Base Cryctographic Provider" ('p' instead of 'c').

As said in the comments, you'll have to reboot after that change.

Hope it helps.

3
votes

Can't comment (not enough rep). Spent a LONG time getting to this page so I wanted to add the following info for anyone who comes here after.

The full error message (for the purpose of search engines finding this site) from signtool is:

SignTool Error: An unexpected internal error has occurred

Error: SignerSign() failed." (-1073741275/0xc0000225)

This only happens (for us) when signing sha256. sha1 worked fine.

@Max's answer (typo in the registry key is correct. This is a bug in the SafeNet Authentication Client version 8.2 installer. I changed the registry key, rebooted, and everything started working.

It has been fixed as of the 9.0 version (which is for Win8+).