tags:

views:

481

answers:

2
+4  Q: 

ClickOnce installations

I'm a bit stuck here, I have a .net 3.5 sp1 application that I want to deploy locally to other machines on my network using ClickOnce.

On installation they get a warning message saying that this application is from an unknown publisher etc.

My boss does not want to buy a verisgn certificate. He just want's it to install and without prompting i.e bypassing security messages.

Is this possible???

Some notes on the Microsoft website suggest changes have been made in this area i.e.

"ClickOnce application publishers can now decide to opt out of signing and hashing the ClickOnce manifests as they see appropriate for their scenarios."

Thanks

Tim

+6  A: 

Since you're on your own network you could create your own trusted certificate publisher. To do so, install Certificate Authority services on one of your servers and create a code-signing certificate. By default your user's computers won't trust the certificate, so run the following on each computer:

certmgr.exe -add -c MYRootCertificate.cer -s -r localMachine root

certmgr.exe -add -c MyCodeSigningCert.cer -s -r localMachine TrustedPublisher

The first is to get your computers to trust your internal CA server (to get rid of the "not a trusted publisher" message), and the second is to get it to trust the apps signed by your certificate.

After that, any of your signed applications will run without security warnings.

Mitchell Gilman  2008-12-04 14:31:16
+2  A: 

Mitchell's answer is good, but unless you have an Enterprise Edition server you can't customize templates and the Code Signing template is marked as "unexportable". That means that you cannot use the certificate within Visual Studio and have to have an after-process that signs your manifests.

Now this is a feature, not a bug, make no mistake. A typical software shop doesn't want developers to be signing manifests for public consumption from within Visual Studio. That said, I'm personally in a shop where I do want precisely that functionality. Fortunately, I managed to figure out the long-way around getting a pfx key file exported that has code signing priveleges. If you find you need that, it can be useful.

Jacob Proffitt  2009-02-12 19:14:28

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security