question

GeorgeArrays avatar image
0 Votes"
GeorgeArrays asked JosefBauer-7366 answered

Clickonce signs code with SHA1 when using SHA384 cert

I renewed my signing certificate and found out that it's a SHA384, this certificate signs my clickonce project as SHA1. I contacted Sectigo and they just told me that they don't provide SHA256 anymore.

According to Sectigo FAQS, they say I can request the timestamp as SHA256, but when doing it, Visual Studio 2019 says "An unexpected internal error has occurred". Either I request timestamp on 384 or I don't use timestamp server, the outcome is the same: signed as SHA1.

I have been looking for days and just can't find a way to solve this problem, at least, I need to sign my code in SHA256.

windows-forms
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

2 Answers

GeorgeArrays avatar image
0 Votes"
GeorgeArrays answered JackJJun-MSFT commented

When using all timestamp servers in Visual Studio 2019, the outcome is the same (SHA1), but if I use signtool.exe from command line with the stampserver http://timestamp.digicert.com?alg=sha256, my exe file becomes signed with SHA384 !!!

So far so good, but we're half the way, because the problem seems to be in mage.exe, if I run it from command line:

 mage.exe -u "D:\AppName.application" -appm "AppName.exe.manifest" -Algorithm sha386RSA -cf "cert.pfx" -Password XXXXXXX

The result is: Algorithm has to be sha1RSA or sha256RSA. Specified - "sha386RSA".
If I switch to SHA256RSA, then manifests are still signed with SHA1.

Now, according to this post there seems to be a bug in mage.exe, if certificate has a higher hash than SHA256 the internal logic signs with SHA1, instead of going down to SHA256.

Any idea how to workaround this issue?


· 3
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

JackJJun-MSFT avatar image JackJJun-MSFT ·

@81258029, based on my research, I find the simliar issue mage.exe fails when you use SHA384 signed code signing certifacte with you in Developer Community. The author has a workaround to use Digicert TSA to successfully sign their manifests. And you can refer to it and have a try for it.


0 Votes 0 ·
GeorgeArrays avatar image GeorgeArrays JackJJun-MSFT ·

Thanks Jack, but in the post, he found a workaround with signtool.exe but not with mage.exe, which is having a persisten problem.

Any ideas?

0 Votes 0 ·
JackJJun-MSFT avatar image JackJJun-MSFT GeorgeArrays ·

@81258029, yes, you are right, maybe that the issue related to mage.exe has not been solved now. If you don't mind, you could sumbit the issue in the Developer Community again. It will also get more Microsoft's attention.

0 Votes 0 ·
JosefBauer-7366 avatar image
0 Votes"
JosefBauer-7366 answered

I had the same issue and found out that this bug in mage.exe has been fixed in Visual Studio 2022. I upgraded to VS 2022 17.3 and the deployment is now signed correctly using my new sha384 code signing certificate.

Research regarding this problem brought me to issue 6732 from the MS developer team and it was marked as fixed in milestone VS17 which is VS 2022.
https://github.com/dotnet/msbuild/issues/6732


5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.