Mage - signing ClickOnce manifest file with Extended Validation (EV)/USB Token

  • Question

  • I am trying to sign a WPF ClickOnce application with an EV certificate (USB Token) using our continuous deployment (CI) server Jenkins.

    I managed to sign the WPF application itself with the SignTool, by 1) enabling the "single logon for PKCS#11" and 2) using the "/a" option.

    The next step is to sign the ClickOnce manifest file. However, it seems that mage.exe requires access to the actual certificate (i.e. CertFile or CertHash), and cannot directly take it from the USB token.

    I've tried to export it and install it locally, but the certificate authority does not allow that. I can only export the public key; and mage tells me it'd need the KeyContainer as an additional parameter (but I don't know what it is).

    What works is to use mageUI.exe (as suggested here). However, this doesn't allow me to automate the deployment and signing using our CI server.

    How can I sign the manifest file with the help of mage.exe? Is it possible to transfer the token password, similar to what I've done with the SignTool? Or are there alternatives?

    Thank you!


    Tuesday, May 14, 2019 6:12 AM
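The question describes the two pieces of the pipeline separately (SignTool with "/a" and single logon for the executable; mage.exe wanting CertFile or CertHash for the manifest). The script below is an added example, written for this thread and not taken from the poster or from Microsoft, showing how the two can be chained in one Jenkins build step without the private key ever leaving the token. It assumes that the token middleware has registered the certificate in the Cert:\CurrentUser\My store with a CSP-backed private key (so the entry reports HasPrivateKey), that the Jenkins agent runs in the same user session where single logon has already supplied the PIN, and it uses placeholder tool paths, a placeholder timestamp URL and a placeholder certificate subject. It first tries mage's -CertHash route (store lookup by thumbprint) and, if mage refuses that, falls back to the public-key-only -CertFile route together with the -KeyContainer and -CryptoProvider names mage asks for, reading those names from the store entry instead of guessing them. Either way a signing failure fails the build rather than shipping an unsigned manifest.

```powershell
$ErrorActionPreference = 'Stop'

# Placeholders: adjust to the build agent (these are not the poster's paths).
$SignTool       = 'C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe'
$Mage           = 'C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\mage.exe'
$TimestampUrl   = 'http://timestamp.example.invalid'   # placeholder: your CA's RFC 3161 timestamp server
$AppDir         = 'C:\jenkins\workspace\MyApp\publish\Application Files\MyApp_1_0_0_0'
$Exe            = Join-Path $AppDir 'MyApp.exe'
$AppManifest    = Join-Path $AppDir 'MyApp.exe.manifest'
$DeployManifest = 'C:\jenkins\workspace\MyApp\publish\MyApp.application'
$SubjectMatch   = 'CN=Example Corp'                    # placeholder: selects the EV certificate in the store

function Invoke-Tool {
    # Runs an external signing tool and turns a non-zero exit code into a build failure.
    param([string]$Path, [string[]]$Arguments)
    & $Path @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$(Split-Path -Leaf $Path) failed with exit code $LASTEXITCODE" }
}

# 1) Find the token-backed certificate in the user store. Nothing is exported:
#    HasPrivateKey is true because the token's CSP registered the key container.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*$SubjectMatch*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No token-backed certificate matching '$SubjectMatch' in Cert:\CurrentUser\My" }
$thumb = $cert.Thumbprint

# 2) Sign the executable as the question already does (/a), adding /sha1 so the
#    build cannot silently pick a different certificate, and an RFC 3161 timestamp
#    so the signature remains valid after the certificate expires.
Invoke-Tool $SignTool @('sign', '/a', '/sha1', $thumb, '/fd', 'sha256', '/tr', $TimestampUrl, '/td', 'sha256', $Exe)

# 3) Sign the application manifest. First attempt: -CertHash, which makes mage
#    resolve the certificate (and its token-resident key) through the store.
$signedByHash = $true
try {
    Invoke-Tool $Mage @('-Sign', $AppManifest, '-CertHash', $thumb, '-TimestampUri', $TimestampUrl)
} catch {
    Write-Warning "mage -CertHash failed: $_"
    $signedByHash = $false
}

# Fallback: public-key-only .cer plus the key container and CSP name mage asks
# for when -CertFile carries no private key. Both names are read from the store
# entry the token middleware created (CSP-style keys only; CNG keys report them
# differently, in which case "certutil -user -store My" prints them).
if (-not $signedByHash) {
    $csp = $cert.PrivateKey.CspKeyContainerInfo
    if (-not $csp) { throw 'Key is not CSP-backed; read Key Container/Provider from "certutil -user -store My" instead' }
    $cer = Join-Path $env:TEMP "$thumb.cer"
    Export-Certificate -Cert $cert -FilePath $cer -Type CERT | Out-Null   # public part only
    Invoke-Tool $Mage @('-Sign', $AppManifest, '-CertFile', $cer,
                        '-KeyContainer', $csp.KeyContainerName,
                        '-CryptoProvider', $csp.ProviderName,
                        '-TimestampUri', $TimestampUrl)
}

# 4) The deployment manifest embeds the application manifest's hash, so refresh
#    it after re-signing and sign it the same way the application manifest was signed.
$signArgs = if ($signedByHash) { @('-CertHash', $thumb) } else { @('-CertFile', $cer, '-KeyContainer', $csp.KeyContainerName, '-CryptoProvider', $csp.ProviderName) }
Invoke-Tool $Mage (@('-Update', $DeployManifest, '-AppManifest', $AppManifest) + $signArgs + @('-TimestampUri', $TimestampUrl))

# 5) Fail the build if the executable's signature does not chain to a trusted root.
Invoke-Tool $SignTool @('verify', '/pa', '/v', $Exe)
```

Two points worth checking before wiring this into a job: the store is per user, so the agent must run under the account in which the token middleware installed the certificate and in which single logon has been completed (a service session with no interactive logon will not see the PIN); and the manifest order matters, because signing the application manifest changes its hash, so the deployment manifest has to be updated and signed afterwards, as step 4 does.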

All replies

  • Hi casaout,

    Here I found a similar thread that maybe you can refer to.

    ClickOnce, Manifest Generation and Editing and signing with Token protected Certificate.

    Regards,

    Kyle


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Tuesday, May 14, 2019 8:42 AM
  • Hi Kyle,

    Thanks! I actually also came across the post before, but it didn't help, since I need to automate the deployment and signing process. I can sign the manifest using mageUI.exe, but don't know how to start/use it from a continuous integration tool (in my case Jenkins)...

    Since Microsoft requires code signing authorities to only sell certificates on USB tokens and disallow exporting them, I really think there must be a solution. We few who posted here can't be the only ones with the issue... I guess, we just don't look in the right place...

    Any help is much appreciated! Thanks!

    Wednesday, May 15, 2019 3:53 PM
  • Hi casaout,

    The main problem is how to export the certificate from the USB Token. So I will move this thread to Where is the Forum For...? forum to redirect the thread to the right forum to give you a more professional answer.

    Regards,

    Kyle



    Thursday, May 16, 2019 3:21 AM
  • "The main problem is how to export the certificate from the USB Token."

    Then I'd try asking for help over here.

    https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/home?forum=windowssecurity

    https://social.msdn.microsoft.com/Forums/windows/en-us/home?forum=winformssetup

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    Thursday, May 16, 2019 3:45 AM
  • Hi Kyle and Dave,

    Thanks. However, the main problem is NOT to export the certificate from the USB Token. The certificate is restricted and can NOT be exported with the private key away from the USB token. According to my certificate authority (QuoVadis), that's actually a new requirement by Microsoft (since 2017 or 2018).

    So we are stuck on running SignTool and Mage with the certificate from the USB token. As I mentioned in my initial post, this works for SignTool, but Mage seems to NOT support this. (MageUI does, but it cannot be automated with Continuous Integration).

    In summary, my question is how I can sign the ClickOnce manifest with a certificate on a USB token (Extended Validation), ideally using Mage or similar?

    Thank you.

    Thursday, May 16, 2019 8:03 AM
  • I'd still try asking for help over here.

    https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/home?forum=windowssecurity

    https://social.msdn.microsoft.com/Forums/windows/en-us/home?forum=winformssetup

    Regards, Dave Patrick


    Thursday, May 16, 2019 12:31 PM