Hello,

Can anyone explain the process of obtaining a certificate to sign my ClickOnce assembly(ies)? I've got a few ClickOnce apps at my company, but they are all signed with temporary certificates created by Visual Studio. Those are obviously not Trusted Root Authorities nor Trusted Publishers. I've followed along here: http://msdn.microsoft.com/en-us/library/ms996418.aspx and I like the experience when something is signed with a cert that is both a Trusted Root Authority and Trusted Publisher (i.e. no prompt, just an install).

  1. Can I use the same certificate to sign multiple ClickOnce assemblies?
  2. How much does a certificate cost?
  3. What information do I need to provide when obtaining the certificate?
  4. Does the certificate need to be aware of where the publishing location is? For example, if I currently have my ClickOnce apps available from http://apps.mycompany.com/ and I want to change this later, for example http://www.mycompany.com/apps or http://apps.mysubcompany.com, will I have to obtain another certificate?
  5. Are there recommended publishers to obtain from for ClickOnce signing (for example, someone who might already be in an XP, Vista, Win7 Trusted Root Authority store)?
  6. How can I streamline installation to the Trusted Publisher store?

TIA!

+3  A: 

I had to work through the signed ClickOnce recently. It was not the most smooth experience, but once this has been done (and wired to the automated publishing) it started working like a marvel. Here's the actual product, if you are interested in the behavior: Forecasting Add-in for Excel.

Article on ClickOnce Manifest Signing and Strong-Name Assembly Signing was a good start.

Can I use the same certificate to sign multiple ClickOnce assemblies?

Yes.

How much does a certificate cost?

Tucows offers certificates for 75$, but the process is rather slow.

What information do I need to provide when obtaining the certificate?

They check your documents (e.g. a scan of your certificate of incorporation), check your whois record and things like this.

Does the certificate need to be aware of where the publishing location is?

This was not needed in our case.

Rinat Abdullin
+1  A: 

In addition to the excellent answer by Rinat, I would like to add:

I have a code signing cert from Thawte, which has worked very well (once I got the signing procedure figured out...)

  • Cost $299 per year (Microsoft Authenticode (Multi-Purpose) Certificate)

  • Thawte is already a trusted root in Windows so for clients it works fine. (had to install extra root certs on the signing machine though)

You are welcome to check out our app at: http://www.ludesi.com/download

andyhammar
Don't buy a Thawte certificate if you ever think you are going to deploy any Office Add-Ins with ClickOnce. They have an intermediate publisher, and don't chain back correctly with the ClickOnce software for VSTO add-ins. Just FYI. Fine for regular desktop apps. (This is a ClickOnce bug.)
RobinDotNet
A: 

Hey Guys,

The company I'm working for is developing a ClickOnce application. Until recently I neglected the notification "unknown publisher, are you sure you want to run.." since it was solely used internally.

Now that the app is ready for product launch, we have started thinking about certifying. The discussion goes like this. Our product needs to be installed at the customer's server. The customers get their own copy of the app and launch it locally. We do have an official company certificate, but the guy who has to install it says that this is unsafe: because the installation takes place on site by the customer, we shouldn't provide our official company certificate because it can be misused.

I'm not familiar with this stuff, so I'm wondering is there sort of 'customer' certificate possible so it can only be used to run the program but not to sign apps itself?

Jerome
I have already responded to your posting of this question separately. There is no such thing as a cert for running the apps, you need a code-signing certificate to be used when you publish.
RobinDotNet
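
Question 6 in the original post and the last exchange above both come down to what is placed on client machines. The following PowerShell is an added example, not code from any poster in this thread: it exports only the public half of a code-signing certificate on the signing machine, refuses to distribute a file that carries a private key, and imports the public certificate into the client's Trusted Publisher store. The function names, the thumbprint and file path parameters, and the choice of the LocalMachine store are assumptions.

```powershell
# Added example (PowerShell 5+). Thumbprint and paths are supplied by the caller;
# function names are hypothetical and nothing here comes from the thread itself.
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage: Code Signing

function Export-PublisherCertificate {
    # Run on the signing machine: writes the PUBLIC certificate only (DER .cer).
    # The private key never leaves the certificate store.
    param([Parameter(Mandatory)][string]$Thumbprint,
          [Parameter(Mandatory)][string]$OutFile)
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
            Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "No code-signing certificate with thumbprint $Thumbprint" }
    Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null
    Get-Item $OutFile
}

function Test-PublisherCertificateFile {
    # Returns the parsed certificate if the file is safe to hand out, else throws.
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path $Path).Path
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)
    if ($cert.HasPrivateKey) { throw "$Path contains a private key; do not distribute it" }
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not ($eku.EnhancedKeyUsages | Where-Object Value -eq $CodeSigningOid)) {
        throw "$Path is not a code-signing certificate"
    }
    if ($cert.NotAfter -lt (Get-Date)) { throw "$Path expired on $($cert.NotAfter)" }
    $cert
}

function Install-TrustedPublisher {
    # Run elevated on the client. LocalMachine is an assumption; use
    # Cert:\CurrentUser\TrustedPublisher for a per-user install.
    param([Parameter(Mandatory)][string]$Path)
    Test-PublisherCertificateFile -Path $Path | Out-Null
    Import-Certificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\TrustedPublisher
}
```

A .cer file that passes `Test-PublisherCertificateFile` can be used to recognize the publisher but cannot be used to sign anything, because signing requires the private key that stays on the signing machine.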