How do I sign a Visual Studio application with an EV Certificate

Robert Barnes 71 Reputation points
2022-04-22T05:01:45.77+00:00

I've been trying to distribute MANASYS Jazz (https://jazzsoftware.co.nz/) with ClickOnce, and I recently purchased an OV Code Signing Certificate to identify Jazz Software Ltd. However I found that a prospect was still unable to download my software, being blocked by the Microsoft Smartscreen. I then purchased an EV Code Signing certificate because "To be trusted by Microsoft, you need to earn application reputation. The only way to do that is with Extended Validation (EV) Code Signing. EV Code Signing boosts your SmartScreen reputation and gets your software trusted."

I have received my EV Code Signing Certificate, which is on a hardware token (USB). It cannot be copied from this; EV certificates are used from the token to sign your application, and I have been told that I will have to sign each build, I cannot simply load a .pfx file into the Signing page of the project. But how do I do this? The examples from Sectigo (the source of both certificates) show a process that uses Signtool to sign the application, with a command like this:
signtool sign /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n "My company Inc." "C:\path\sto\fileToSign.exe"

If I have published my application with Visual Studio for ClickOnce there are several objects created, but only one .exe in the root folder, setup.exe. (All the objects in the Application subfolder have extension .Deploy). Can somebody confirm for me that it is Setup.exe that I need to sign? And will the absence of a valid certificate in the signing tab of the Visual Studio project cause a problem?

Thank you, Robert


4 answers

  1. Robert Barnes 71 Reputation points
    2022-04-24T04:40:19.83+00:00

    Problem Sorted! I didn't need any Post Build event code after all.

    My EV Code Signing Certificate was physically delivered to me from Sectigo on a USB Token, and it can only be installed from this token (it can't be copied). I also received a download email with a password, and a URL to download and install SafeNet.

    When I'm publishing Jazz, the procedure is: -
    Plug in the USB Token
    SafeNet was running
    Have the password ready to paste
    Open the project
    Signing tab: Click [Select from Store]. My Sectigo Certificate was displayed, select that.
    Publish tab: Click Publish Wizard or Publish Now

    Publishing then runs. Several times I was asked for the certificate password, which I gave by pasting.

    When publishing was complete I copied the application to my web site and tested the download. Everything worked perfectly, without any appearance of "Windows has protected your PC".

    1 person found this answer helpful.

  2. Jiachen Li-MSFT 26,426 Reputation points Microsoft Vendor
    2022-04-22T07:24:52.027+00:00

    Hi @Robert Barnes ,
    Check the following question to see if it is helpful.
    https://stackoverflow.com/q/21770710/17334287
    Best Regards.
    Jiachen Li

    ----------

    If the answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. Robert Barnes 71 Reputation points
    2022-04-23T07:52:23.593+00:00

    Thank you @Jiachen Li-MSFT, that Stack Overflow article was very useful, particularly the answer saying that a PostBuild task is necessary to attach the EV certificate to the application .exe before it becomes xxx.exe.deploy in the application file.

    To attach the EV certificate to Setup.exe I used this command: -
    C:\Program Files (x86)\Windows Kits\10\bin\10.0.20348.0\x64>signtool sign /a /fd SHA256 /tr http://timestamp.sectigo.com /td sha256 C:\Users\Robertbw10\Documents\Jazz\Publish\Setup.exe
    When this was executed I had my EV token plugged in, and I was prompted for its password.

    Of course this didn't help, I still got the Windows Smartscreen, so I need to implement a solution like that of the Stack Overflow article. In my case my project is a VB project called "Jazz", but I guess that the basic concepts are the same as shown in the answer. Am I correct in thinking that I write my equivalent of this into the project's Compile tab, Build events section, Post-Build Command Line? The example given looks to have C# syntax; how different would it be in VB?

    The equivalent in the Post-Build command line would presumably use ... C:\Users\Robertbw10\Documents\Jazz\Publish\Application Files\Jazz_3_16_4_263\Jazz.exe. "Jazz_3_16_4_263" is "The latest build". Is there a parameter that I can use meaning this?

    Thank you for helping me.
    Regards, Robert

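As an added example (not code from any post in this thread): a PowerShell script that signs the build output from the EV token with signtool, timestamps it, and fails the build if the resulting signature does not verify. It is meant to be called from the project's Post-Build Command Line so the .exe is signed before Publish copies it into the Application Files folder; the script name, the signtool path and the certificate subject name are assumptions.

```powershell
# sign-build.ps1 (hypothetical name): signs the given PE files with the EV certificate on the
# SafeNet token via signtool, timestamps them, and verifies the result.
# Call it from Post-Build Command Line so the .exe is signed BEFORE Publish copies it to
# "Application Files\<App>_<version>\<App>.exe.deploy" and hashes it into the manifest:
#   powershell -ExecutionPolicy Bypass -File "$(ProjectDir)sign-build.ps1" "$(TargetPath)"
# Setup.exe can be passed the same way after publishing. The signtool path below is an
# assumption; adjust it to the Windows Kit version installed on your machine.
param(
    [Parameter(Mandatory, ValueFromRemainingArguments)] [string[]] $Files,
    [string] $SignTool  = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.20348.0\x64\signtool.exe',
    [string] $Timestamp = 'http://timestamp.sectigo.com',
    [string] $Subject   = 'Jazz Software Ltd'   # subject name on the EV certificate (assumed)
)
$ErrorActionPreference = 'Stop'
if (-not (Test-Path $SignTool)) { throw "signtool not found at $SignTool" }

foreach ($file in $Files) {
    if (-not (Test-Path $file)) { throw "file to sign not found: $file" }

    # /n selects the token certificate by subject name (narrower than /a, which takes any
    # usable code-signing cert); /fd and /td pick SHA-256 for the file digest and the
    # RFC 3161 timestamp, so the signature stays valid after the certificate expires.
    # SafeNet prompts for the token password the first time the private key is used.
    & $SignTool sign /n $Subject /fd SHA256 /tr $Timestamp /td sha256 $file
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed on $file (exit $LASTEXITCODE)" }

    # /pa verifies against the default Authenticode policy, i.e. the chain Windows builds
    # when a user runs the file; /v prints signer and timestamp details to the build log.
    & $SignTool verify /pa /v $file
    if ($LASTEXITCODE -ne 0) { throw "signature verification failed for $file" }

    # Independent check from PowerShell: status must be Valid and the signer must be the
    # expected subject, otherwise the build fails rather than shipping a mis-signed file.
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch [regex]::Escape($Subject)) {
        throw "unexpected signature on ${file}: $($sig.Status) / $($sig.SignerCertificate.Subject)"
    }
    Write-Host ("signed {0} as {1}" -f (Split-Path $file -Leaf), $sig.SignerCertificate.Subject)
}
```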

  4. Kevin Angus 0 Reputation points
    2024-03-10T23:33:42.0666667+00:00

    I wanted to build a cross platform phone app so I purchased Visual Studio 2022 Professional and built my first Hello World app. Seems I'll never see it run, as Windows will not install it unless it is signed, and to sign it costs $200~$600 a year.
