I'm a bit stuck here. I have a .NET 3.5 SP1 application that I want to deploy locally to other machines on my network using ClickOnce.

On installation they get a warning message saying that this application is from an unknown publisher etc.

My boss does not want to buy a VeriSign certificate. He just wants it to install without prompting, i.e. bypassing security messages.

Is this possible?

Some notes on the Microsoft website suggest changes have been made in this area i.e.

"ClickOnce application publishers can now decide to opt out of signing and hashing the ClickOnce manifests as they see appropriate for their scenarios."

Thanks

Tim

+6  A: 

Since you're on your own network you could create your own trusted certificate publisher. To do so, install Certificate Authority services on one of your servers and create a code-signing certificate. By default your users' computers won't trust the certificate, so run the following on each computer:

certmgr.exe -add -c MYRootCertificate.cer -s -r localMachine root

certmgr.exe -add -c MyCodeSigningCert.cer -s -r localMachine TrustedPublisher

The first is to get your computers to trust your internal CA server (to get rid of the "not a trusted publisher" message), and the second is to get it to trust the apps signed by your certificate.

After that, any of your signed applications will run without security warnings.

Mitchell Gilman
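
Added example, not part of the answer above: a PowerShell equivalent of the two certmgr.exe steps that checks both certificates before trusting them machine-wide. It assumes the two file names used in the answer, an elevated prompt, and that the signing certificate was issued directly by that root (or that any intermediates are already installed); the checks themselves are an addition.

```powershell
# Added example. File names come from the answer; run from an elevated prompt.
param(
    [string]$RootCer    = '.\MYRootCertificate.cer',
    [string]$SigningCer = '.\MyCodeSigningCert.cer'
)
$ErrorActionPreference = 'Stop'
$X509 = 'System.Security.Cryptography.X509Certificates'
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage: Code Signing

$root    = New-Object "$X509.X509Certificate2" -ArgumentList (Resolve-Path $RootCer).ProviderPath
$signing = New-Object "$X509.X509Certificate2" -ArgumentList (Resolve-Path $SigningCer).ProviderPath

# 1. The file meant for the Root store must be self-issued (subject equals issuer).
if ($root.Subject -ne $root.Issuer) { throw "Not self-issued: $($root.Subject)" }

# 2. The publisher certificate must be in date and carry the Code Signing EKU.
$now = Get-Date
if ($now -lt $signing.NotBefore -or $now -gt $signing.NotAfter) { throw 'Signing certificate is outside its validity period.' }
$ekus = $signing.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }
if ($ekus -notcontains $CodeSigningOid) { throw 'Signing certificate lacks the Code Signing EKU.' }

# 3. It must chain to the supplied root. The root is not trusted yet, so
#    allow an unknown CA and compare the chain's top element ourselves.
$chain = New-Object "$X509.X509Chain"
[void]$chain.ChainPolicy.ExtraStore.Add($root)
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
if (-not $chain.Build($signing)) {
    throw "Chain build failed: $(($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')"
}
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($top.Thumbprint -ne $root.Thumbprint) { throw 'Signing certificate does not chain to the supplied root.' }

# 4. Only now add both to the machine stores. X509Store.Add is a no-op if
#    the certificate is already present, so the script can be re-run.
function Add-ToMachineStore($Cert, [string]$StoreName) {
    $store = New-Object "$X509.X509Store" -ArgumentList $StoreName, 'LocalMachine'
    $store.Open('ReadWrite')
    try { $store.Add($Cert) } finally { $store.Close() }
}
Add-ToMachineStore $root 'Root'
Add-ToMachineStore $signing 'TrustedPublisher'
"Root:      $($root.Thumbprint)  $($root.Subject)"
"Publisher: $($signing.Thumbprint)  $($signing.Subject)"
```

Revocation checking is left at its default (online), so the CA's CRL must be reachable from the machine running the script. The printed thumbprints can be compared against the values recorded when the CA issued the certificates.
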
+2  A: 

Mitchell's answer is good, but unless you have an Enterprise Edition server you can't customize templates and the Code Signing template is marked as "unexportable". That means that you cannot use the certificate within Visual Studio and have to have an after-process that signs your manifests.

Now this is a feature, not a bug, make no mistake. A typical software shop doesn't want developers to be signing manifests for public consumption from within Visual Studio. That said, I'm personally in a shop where I do want precisely that functionality. Fortunately, I managed to figure out the long way around getting a pfx key file exported that has code signing privileges. If you find you need that, it can be useful.

Jacob Proffitt