question

RobertBarnes-8211 avatar image
0 Votes"
RobertBarnes-8211 asked RobertBarnes-8211 answered

How do I sign a Visual Studio application with an EV Certificiate

I've been trying to distribute MANASYS Jazz (https://jazzsoftware.co.nz/) with ClickOnce, and I recently purchased an OV Code Signing Certificate to identify Jazz Software Ltd. However I found that a prospect was still unable to download my software, being blocked by the Microsoft Smartscreen. I then purchased an EV Code Signing certificate because "To be trusted by Microsoft, you need to earn application reputation. The only way to do that is with Extended Validation (EV) Code Signing. EV Code Signing boosts your SmartScreen reputation and gets your software trusted."

I have received my EV Code Signing Certificate, which is on a hardware token (USB). It cannot be copied from this, EV certificates are used from the token to sign your application, and I have been told that I will have to sign each build, I cannot simply load a .pfx file into the Signing page of the project. But how do I do this? The examples from Sectigo (the source of both certificates) show a process that uses Signtool to sign the application, with a command like this
signtool sign /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n "My company Inc." "C:\path\sto\fileToSign.exe"

If I have published my application with Visual Studio for ClickOnce there are several objects created, but only one .exe in the root folder, setup.exe. (All the objects in the Application subfolder have extension .Deploy). Can somebody confirm for me that it is Setup.exe that I need to sign? And will the absence of a valid certificate in the signing tab of the Visual Studio project cause a problem?

Thank you, Robert

dotnet-visual-basic
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

3 Answers

JiachenLiMFST-9349 avatar image
0 Votes"
JiachenLiMFST-9349 answered RobertBarnes-8211 commented

Hi @RobertBarnes-8211 ,
Check the following question to see if it is helpful.
https://stackoverflow.com/q/21770710/17334287
Best Regards.
Jiachen Li

If the answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

RobertBarnes-8211 avatar image RobertBarnes-8211 ·

Help, I'm really struggling, I cannot work out to convert the example shown in the reference to a VB.Net Post Build event that will do what I want.

The Visual Studio Build creates an application to be distributed by ClickOnce, the main executable is Jazz.exe. I can sign setup.exe with the EV Code Signing Certificate with command
C:\Program Files (x86)\Windows Kits\10\bin\10.0.20348.0\x64>signtool sign /a /fd SHA256 /tr http://timestamp.sectigo.com /td sha256 C:\Users\Robertbw10\Documents\Jazz\Publish\Setup.exe
But that doesn't get rid of the Smartscreen, which prevents users from downloading the software.

If I attempt to sign Jazz.exe by temporarily renaming ...Jazz.exe.debug, running command
C:\Program Files (x86)\Windows Kits\10\bin\10.0.20348.0\x64>signtool sign /a /fd SHA256 /tr http://timestamp.sectigo.com /td sha256 "C:\Users\Robertbw10\Documents\Jazz\Publish\Application Files\Jazz_3_16_4_264\Jazz.exe"
and then renaming it back, the program won't download because "File, Jazz.exe, has a different computed hash than specified in manifest". Which is correct.

So the only answer that will work is to use a Post Build Event. But I can't work out what to write, or how to test it

Can somebody please help me! I'm totally stuck on this.

0 Votes 0 ·
RobertBarnes-8211 avatar image
0 Votes"
RobertBarnes-8211 answered

Thank you @JiachenLiMFST-9349 that Stackoverflow article was very useful, particularly the answer saying that a PostBuild task is necessary to attach the EV certificate to the application .exe before it becomes xxx.exe.deploy in the application file.

To attach the EV certificate to Setup.exe I used this command: -
C:\Program Files (x86)\Windows Kits\10\bin\10.0.20348.0\x64>signtool sign /a /fd SHA256 /tr http://timestamp.sectigo.com /td sha256 C:\Users\Robertbw10\Documents\Jazz\Publish\Setup.exe
When this was executed I had my EV token plugged in, and I was prompted for its password.

Of course this didn't help, I still got the Windows Smartscreen, so I need to implement a solution like that of the Stackoverflow article. In my case my project is a VB project called "Jazz", but I guess that the basic concepts are the same as shown in the answer. Am I correct in thinking that I write my equivalent of this is into the project's Compile tab, Build events, section Post-Build Command Line. The example give looks to have C# syntax, how different would it be in VB?

The equivalent in the Post-Build command line would presumably use ... C:\Users\Robertbw10\Documents\Jazz\Publish\Application Files\Jazz_3_16_4_263\Jazz.exe. "Jazz_3_16_4_263" is "The latest build". Is there a parameter that I can use meaning this?

Thank you for helping me.
Regards, Robert

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

RobertBarnes-8211 avatar image
0 Votes"
RobertBarnes-8211 answered

Problem Sorted! I didn't need any Post Build event code after all.

My EV Code Signing Certificate was physically delivered to me from Sectigo on a USB Token, and it can only be installed from this token (it can't be copied). I also received a download email with a password, and a URL to download and install SafeNet.

When I'm publishing Jazz, the procedure is: -
Plug in the USB Token
SafeNet was running
Have the password ready to paste
Open the project,
`Signing Tab. Click [Select from Store]. My Sectigo Certificate was displayed, select that.
Publish tab: Click Publish Wizard or Publish Now

Publishing then runs. Several times I was asked for the certificate password, which I gave by pasting

When publishing was complete I copied the application to the my web site and tested the download. Everything worked perfectly, without any appearance of "Windows has protected your PC"




5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.