Is Signing required for VSTO add-ins?

5
votes

There are two options on Signing page:

  1. Sign the ClickOnce manifest
  2. Sign the assembly

Does one need to enable any or both of them when developing a VSTO add-in (for Word 2013)? What if I'm using MSI installer instead of ClickOnce for deploying my add-in? Do I still need to enable any of the above?

Also what if my client wants to buy a certificate from an authority because they'd like to see their company name in the list of add-ins in Word? Will I need to enable "Sign the ClickOnce manifest" option then (even with MSI installer)?

(I'm using VS2015 Community + .NET 4.5. The add-in will target Office 2010 and above audience).

1
.netvstoclickoncecode-signing

1 Answers

2
votes

You need to sign the ClickOnce manifest in any case, add-in will not work without that. Even if you just debug it, Visual studio adds some fake certificate. You don't need to sign the assembly, in most of cases (Rules about assembly here are the same as in any .NET application. For example, I'm using .net Reactor, to marge assemblies, and it requires signing. But it is not vsto-related.). If you are using MSI, it doesn't change anything, you still need to sign the manifest. And you will not see the company name in the list of add-ins, only the name of the add-in. You will see the company name only on the UAC screen on the first start after installation. The only upside of MSI here is that you can use installer to prevent this screen from appearing.