Tool for ClickOnce manifest and application signature validation

Jediah L

Is there a tool (command line or otherwise) that can be used to validate the
signature of a ClickOnce manifest or application file?

Thanks in advance!

Jediah L.
 
Hi Jediah,

When a ClickOnce application is installed on a machine, ClickOnce
Authenticode will validate the signature of the ClickOnce manifest and
application files.

IMO, there may be no such tool to validate the signature of a ClickOnce
manifest or application files.

Could you please tell me why you want to do this with a tool?

Sincerely,
Linda Liu
Microsoft Online Community Support

 
Because I'm about to write one, but I don't want to, if I don't have to. :)

In troubleshooting clickonce application failures, it's good to be able to
click a few buttons (or run a quick script) that will validate the signature
of the manifest or application files.

It would also be beneficial for development teams in my organization to be
able to validate the signatures; sometimes we've been finding for no
apparent reason that a signature will not be valid, even though it was
applied and compiled right through the .Net 2005 IDE - I'm just looking for
a tool that can do the validation; otherwise I'll end up writing one.
 
Hi Jediah,

Thank you for your prompt reply and detailed explanation!

I am consulting on this issue in our inner discussion group. As soon as I get
a reply, I will get back to you.

Thank you for your understanding and patience!

Sincerely,
Linda Liu
Microsoft Online Community Support
 
I appreciate it - and look forward to a response - in the meantime, I
started a tool to do this - however, after getting into it, I found very
little documentation in regards to the technical side of the manifest and
its various signatures and digests. I've put it on hold for the moment, as
I have more pressing matters - but any additional information you could
provide would be great!

Thanks!
 
Hi Jediah,

I got a reply from our product team.

In fact, there are two reasons why a ClickOnce application fails to launch.
One reason is that the manifest signature is not valid, and the other reason is
that the hash of each file listed in the manifest doesn't match the actual
file being deployed.

To verify the signature on the manifest itself, .NET 3.5 ships with some
classes that do this for you. You can use the
System.Security.Cryptography.ManifestSignatureInformation class in the
System.Core.dll assembly to do manual verification of a manifest signature.

To verify the hashes of the manifest, you can refer to the code provided by
an expert from our product team. The code reads the manifest and verifies that the
hash of each file as listed in the manifest matches the actual file being
deployed. You can run the code inside of VS as a post-build step, so that
if the manifest contains bad hashes, the publish process is stopped.

Please send an email to me to let me know your email address. As soon as I
know your email address, I will send the code to validate the manifest
hashes to you.

To get my actual email address, remove 'online' from my displayed email
address.

Sincerely,
Linda Liu
Microsoft Online Community Support
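
The file-hash check described in the post above can be sketched as follows. This is an added example, not part of the thread and not the product team's code; it does not check the manifest signature. Assumptions: the manifest lists files as `file name=...` and `dependentAssembly codebase=...` elements with a `hash` child holding `dsig:DigestMethod` and `dsig:DigestValue` (base64 digest of the raw file bytes), published files may carry a `.deploy` suffix, and the names `verify_manifest` and `demo` are hypothetical.

```python
import base64, hashlib, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Namespaces and DigestMethod URIs are assumptions about the manifest layout.
DSIG_URI = "http://www.w3.org/2000/09/xmldsig#"
ASM2, DSIG = "{urn:schemas-microsoft-com:asm.v2}", "{" + DSIG_URI + "}"
ALGS = {DSIG_URI + "sha1": "sha1", DSIG_URI + "sha256": "sha256"}
PATH_ATTR = {ASM2 + "file": "name", ASM2 + "dependentAssembly": "codebase"}

def verify_manifest(manifest_path, deploy_dir):
    """Return [(relative_path, problem)]; empty means every listed hash matched."""
    problems = []
    for el in ET.parse(manifest_path).getroot().iter():
        rel = el.get(PATH_ATTR.get(el.tag, ""))
        method = el.find(ASM2 + "hash/" + DSIG + "DigestMethod")
        value = el.find(ASM2 + "hash/" + DSIG + "DigestValue")
        if not rel or method is None or value is None:
            continue  # not a hashed entry (e.g. a prerequisite without codebase)
        alg = ALGS.get(method.get("Algorithm"))
        path = Path(deploy_dir, *rel.split("\\"))
        if not path.is_file():
            path = path.with_name(path.name + ".deploy")  # assumed publish suffix
        if alg is None:
            problems.append((rel, "unsupported digest algorithm"))
        elif not path.is_file():
            problems.append((rel, "file missing"))
        else:
            expected = base64.b64decode(value.text or "")
            if hashlib.new(alg, path.read_bytes()).digest() != expected:
                problems.append((rel, "hash mismatch"))
    return problems

def demo():
    """Constructed sample: App.exe is changed after its hash was recorded."""
    d = tempfile.mkdtemp()
    sha1 = lambda b: base64.b64encode(hashlib.sha1(b).digest()).decode()
    entry = ('<%s="%s"><hash><dsig:DigestMethod Algorithm="' + DSIG_URI + 'sha1"/>'
             '<dsig:DigestValue>%s</dsig:DigestValue></hash></%s>')
    xml = ('<asmv1:assembly xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv1='
           '"urn:schemas-microsoft-com:asm.v1" xmlns:dsig="' + DSIG_URI + '">'
           + entry % ("file name", "Data\\settings.xml", sha1(b"<settings/>"), "file")
           + "<dependency>" + entry % ("dependentAssembly codebase", "App.exe",
                                       sha1(b"original"), "dependentAssembly")
           + "</dependency></asmv1:assembly>")
    Path(d, "Data").mkdir()
    Path(d, "App.exe.manifest").write_text(xml)
    Path(d, "App.exe").write_bytes(b"tampered")
    Path(d, "Data", "settings.xml.deploy").write_bytes(b"<settings/>")
    return verify_manifest(Path(d, "App.exe.manifest"), d)
```

Run as a post-build or pre-publish step, a non-empty result from `verify_manifest` is the signal to stop the publish.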
 
In 3.5 there is an API for that - that would allow you to build a command line
tool....

You can also try MAGE.exe (part of the FX SDK) - not sure if this provides
the needed functionality...
 