Sign Click Once Applications with GoDaddy Code Signing Certificate and Visual Studio 2012 for deployment over Internet
A client we recently worked for had a ClickOnce WPF application developed by some other team who could not figure out how to use the Code Signing certificate from GoDaddy with ClickOnce. Unless the ClickOnce deployment is correctly signed Windows 8 Smart Screen Filter will not let the user install the application in Windows 8. In older versions of Windows, unsigned deployments show a Unverified Publisher message and discourage the users from installing your application. This application was meant to be distributed over the internet and it meant doom for the client who had invested so much in getting the application built, but was being stopped from rollout due to this issue. We were able to resolve the issue for the client with a bumpy ride. This blog post tries to describe the process that worked for us, hopefully it will serve as a guidance to all those who are hitting against a brick wall trying to resolve this issue with very little guidance from GoDaddy documentation.
Importing GoDaddy Code Signing certificate on your windows machine
In order to being the certificate signing process, its important to first purchase the code signing certificate for a trusted certificate authority like GoDaddy, Verisign etc. The most important step to remember is that the machine from which you purchase the code sign certificate should be the same machine on which you have Visual Studio and development tools installed. You cannot generate a certificate from one machine and perform the code sign activity on another machine. Even though this blog post is uses GoDaddy Code Signing certificate, I am sure there would be a similar process that works for other trusted certificate authorities like Verisign, GoeTrust etc.
In case of GoDaddy, I believe they allow you to purchase credit for a certificate (which your client can perform and pay), but the actual certificate generation should be done on a machine where development tools are installed. I am not going to go through the GoDaddy purchase process, I guess lot of clients prefer to use GoDaddy certificates because they are cheap as compared to other providers. To request a code signing certificate you can refer to the support guide provided by GoDaddy – Requesting a Code Signing Certificate. But don’t start yet! Read the next section to avoid the issues we faced.
GoDaddy Code Signing Certificates and Internet Explorer (IE) a roadblock!
In our case, before we got to work, the client had already requested for the Code Signing certificate to be generated using IE 9 browser. That was our first hurdle since now we had to install Visual Studio Trial edition on the client’s machine to build his application and sign his deployment files. We are aware that we could have use the command line tools to achieve the same, but there were other issues that compelled us to try to get the process working using Visual Studio. The next step after the certificate is requested, verified and generated is to download and install it to start with the signing process. GoDaddy provides the Installing a Code Signing Certificate in Windows guide to install the certificate, but the problem begins as soon as you start the first step “To combine the private key and code signing certificate files”. You can download the generated Code Signing Certificate from GoDaddy’s website in <yourcert>.spc file format, but where is the private key *.pvk file? The guide assumes that you have it handy, but does not mention how to acquire it – so the hunt to find the *.pvk file begins! There is another GoDaddy guide, Exporting an Installed Code Signing Certificate from Internet Explorer which talks about being able to export the *.pvk but the certificate is not installed in the first place to allow for export. After running around in circles, searching the forums with several people facing the same issue in trying to locate the *.pvk file we figured out that this is a dead end! Our advise would be not to use Internet Explorer to request the code signing certificate, instead use FireFox (this method was suggested by many on the GoDaddy forums, its not our original solution). Please note, don’t try to get too savvy and use Chrome or Opera – those two browsers are not supported, so let’s stick to using FireFox latest version to request and generate the certificate.
Installing and Exporting Code Signing Certificate in FireFox
If you have already requested the certificate in IE, no problem. Install FireFox on the same machine which was used for the original request. Go to the GoDaddy certificates administration panel, select the Code Signing certificate you want to use and click on the Re-Key icon. This will re key the certificate for FireFox and generate an updated certificate (it does not matter if you use GoDaddy or StarField as the certificate authority which rekeying the certificate). Download the certificate in FireFox from the admin panel, it will request you to first install Trusted Certificate Authority certificate (it was already installed on our machine) – installed it if not installed. Next, it asks you to install Intermediate Authority Certificate (this too was already installed on our machine), install it if its not already installed. Lastly it asks you to install the code sign certificate in FireFox, install it as well as download the *.spc certificate file into your project folder for later usage.
Once you have the certificate installed we need to export it from FireFox and run some commands to extract the *.pvk private key file, follow the process documented in GoDaddy guide Exporting an installed Code Signing Certificate from FireFox to export the PKCS12 certificate file and save it in your projects folder.
Generating *.pvk and *.spc file from FireFox exported PKCS12 certificate file
Once we have the PKCS12 certificate file exported from FireFox we need to run couple of commands to extract the *.pvk private key file. Follow the GoDaddy guide Converting an Exported PFX Code Signing File to PVK and SPC Files Using Windows even through it mentions using *.PFX file the process is the same for FireFox exported PKCS12, just modify the 1st and 3rd command to use your pkcs12 file instead for the *.pfx file mentioned. You will have to download OpenSSL files http://slproweb.com/download/Win32OpenSSL_Light-1_0_1e.exe and the supporting Visual Studio 2008 runtime http://www.microsoft.com/downloads/details.aspx?familyid=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF as mentioned in the guide. You will also have to download the http://products.secureserver.net/forms/pvk.zip tool from the link provided in the guide. OpenSSL usually installs to C:\OpenSSL\bin, I suggest you copy and extract the pvk.zip file to the same folder as well as copy the firefox extracted *.PKCS12 certificate file to the same folder so that its easier for you to run the commands. Start a Visual Studio command prompt and navigate to the C:\OpenSSL\bin folder where the files have been copied and execute the 4 commands given in the GoDaddy guide.
openssl pkcs12 -in inf.pfx -nocerts -nodes -out outf.pem pvk -in inf.pem -topvk -out outf.pvk openssl pkcs12 -in inf.pfx -nokeys -out outf.pem openssl crl2pkcs7 -nocrl -certfile inf.pem -outform DER -out outf.spc
Listing 1 - OpenSSL Commands – second command did not work for us
In our case even though the commands executed successfully and generated the appropriate files it kept giving “Error: 000004c0, The format of the specified password is invalid.” error in the next step when we tried to install the code sign certificate pvkimpt tool. We found that the second command given by GoDaddy shown in listing 1 is not correct and you need to provide an additional strong parameter to the pvk tool as mentioned in this blog post. Listing 2 shows the updated right commands which worked for us.
openssl pkcs12 -in inf.pfx -nocerts -nodes -out outf.pem pvk -in inf.pem -strong -out outf.pvk -topvk openssl pkcs12 -in inf.pfx -nokeys -out outf.pem openssl crl2pkcs7 -nocrl -certfile inf.pem -outform DER -out outf.spc
Listing 2 – Correct OpenSSL Commands to generate *.pvk file
Please follow the guide for explanation about the commands and which files to select. At the end of this process you would have 2 *.pem files, *.pvk and *.spc files generated in the c:\openssl\bin folder.
Installing the Code Signing Certificate in Windows
We follow the GoDaddy guide Installing a Code Signing Certificate in Windows once we have the certificate files *.pvk and *.spc generated in the previous step. PVK Digital Certificate Files Importer from Microsoft and extract it to the c:\openssl\bin folder since we already have our certificate files extracted there. Run the commands given in the guide at the Visual Studio command prompt to generate the *.pfx certificate file and then import it using the steps provided in the guide. Once the certificate is installed we are ready to start with the code signing process.
Setup Code Signing in Visual Studio 2012
There is no guide provided at GoDaddy to use Visual Studio to perform Code Signing with click once. Even the Microsoft Click Once documents talk about using the command line tools and will take you around in circles. There are couple of things that need to be digitally signed in your click once deployment. Firstly, the setup.exe bootstrap file generated by Visual Studio needs to be signed, then the application and deployment manifests need to be signed and finally the application executable needs to be digitally signed. Another point to note is that when the application and deployment manifests are signed they keep a hash of every file present in the published package, is any file changes (even due to an anti virus check) its hash changes and during deployment you will get errors from Click Once. If any files change post signing you need to either publish a new build using Visual Studio (best option) or you will have manually update the manifest files using the manual mage or mageui wizard tools. In the quest to find a good source on the Code Signing process we stuck upon the blog post Windows 8 and ClickOnce : the definitive answer and Windows 8 and ClickOnce : the definitive answer revisited from Robin, he has very clearly described the challenges and process to get it fixed. Please refer to his blog posts to get the details of the process.
The answer for our solution lies in both the linked blog posts. We need to follow Method 3 mentioned in first blog post, so that you unload the project file and open it for editing. But you need to add the target tag for AfterComplie as shown below in Listing 3 in your project file.
<Target Name="AfterCompile"> <Exec Command=""C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\bin\signtool.exe" sign /f "$(ProjectDir)TestWin8CO_TemporaryKey.pfx" /p yourpass /v "$(ProjectDir)obj\x86\$(ConfigurationName)\$(TargetFileName)"" /> </Target>
Listing 3 – AfterCompile build action for Visual Studio 2012 project
Its important to note here that you need to locate the signtool.exe on your computer. It may be stored in a different location on a 32 bit and 63 bit machine. So verify the path to the tool provided in the above command. Also make sure that your *.pfx certificate which was generated in the above step is included in the root of your Visual Studio project file. In the above Listing 3 change the name of the certificate file as well as the provide the password for the certificate file. Adding this AfterCompile target we can ensure that this target is only run during publish of the application and need not be configured for all developers of the application.
We had also setup the certificate in Visual Studio Signing property page. Open the project Properties page and switch to the Signing tab. Select Sign ClickOnce Manifests and select the appropriate certificate from the certificate store. Also provide the timestamp url from godaddy as http://tsa.starfieldtech.com.
Once you perform the above steps the you have setup code signing in Visual Studio 2012. Publish the ClickOnce application from Visual Studio, ideally you should see two crypto api dialog’s showing indicating that your certificate was called for signing purposes, they are kind of indicators that your certificate has been called for signing the build.
Verifying Code Signing with ClickOnce
The best way to verify your published build is to actually deploy it to your web server and try calling it from the browser. The signtool.exe can also be used to verify the certificate. Another way is that you can open your published build in windows explorer and right-click on the setup.exe file and select Properties from the context menu. You should see a Digital Signatures tab in the file properties dialog. If you check the Digital Signature tab, you should see the Code Signing certificate from GoDaddy. If there is no Digital Signatures tab that means code signing has not happened. Check the path entered in the Visual Studio project file. If the tab appears, but the certificate is different. Check if you are referencing the right certificate file in Visual Studio.
You can also navigate to the actual Applications/Version folder in your deployment and make a copy of the <Appname>.exe.deploy file and rename it to <Appname>.exe (I like to make a copy since I do not wish to touch the original file and change its Hash which causes deployment errors). Right-click on the <Appname>.exe file and select Properties from the context menu. Here too you should be able to see your Digital Signature listed under the Digital Signature tab (you can delete the copy file after testing). The manifests although contain the digital signature within their definition and you cannot do a quick check.
If you have followed the above hints and processes correctly you should be able to deploy your click once applications on the internet without much difficulty. We’d like to thank the authors of the blogs referred in this article for guiding us in the right direction.