Skip to Content
Former Member
Feb 24, 2011 at 03:40 PM

Click Once signing manifests with custom certificate



I am publishing a ClickOnce application with a custom certificate which was provided by my company specifically for this application. This application has Crystal Reports as a prerequisite (amongst other things).

This custom certificate only has the "Code Signing" Intented Purpose, which would not be a problem (Click Once certificate is there to sign code after all) if I did not run into a specific issue when trying to install the whole Click Once deploy (prerequisites are deployed along with the ClickOnce application as can be chosen in Visual Studio) on a freshly installed Windows 7 Ultimate virtual machine. The ClickOnce error log shows this:

Copying from '

tinf-w7-10ClickToMRWPublicación2.5.2.10.OldPRECrystalReports 12.3CRRuntime_12_3_mlb.msi' to 'C:Usersctm-3AppDataLocalTempVSD3208.tmpCrystalReports 12.3CRRuntime_12_3_mlb.msi'

Verifying file integrity of C:Usersctm-3AppDataLocalTempVSD3208.tmpCrystalReports 12.3CRRuntime_12_3_mlb.msi

WinVerifyTrust returned -2146762487

File not trusted

Error: Setup has detected that the publisher of file 'C:Usersctm-3AppDataLocalTempVSD3208.tmpCrystalReports 12.3CRRuntime_12_3_mlb.msi' cannot be verified.

Now I did some searching about this issue, and came up with the general idea that this is due to the conjonction of several factors:

1. the use of a 64 bit OS: the exact same setup on Windows XP 32 works. It seems somehow 64 bit Windows is less permissive with executable signatures.

2. the use for ClickOnce deployment of a certificate limited to the Code Signing Intended Purpose: if I use a certificate generated by Visual Studio (those ones have all purposes activated by default), it works. And if I limit this newly created certificate to Code Signing, I have the same problem than with the certificate my company provided.

3. a signing problem with the Crystal Reports redistributable: if I exclude this prerequisite from my ClickOnce project, the deploy installs fine (including other prerequisites). Then if I install the CRRuntime_12_3_mlb.msi separately, the application works.

I want to make clear here that at no point did I modify the Crystal Reports msi file. It seems that somehow, prerequisite files are validated by ClickOnce with the certificate used to sign ClickOnce manifests OR the certificate used to sign the prerequisite file itself. When both fail, the prerequisite will not install.

Other things that I checked:

- my custom certificate is date-valid (until 2013).

- all machine validated the certification path of the custom certificate I use: the root certificate of my company belong to both virtual and dev machines's CA certificate repository.

- I checked this with several versions of .net 3.5-dependent Crystal Reports runtimes. That is the CR2008SP3 FP3.3 ClickOnce zip file, the CR2008SP3 FP3.3 Redist used with Bootstrapper Manifest generator, the Crystal Report Basic for Visual Studio 2008 Redist...

It seems that somehow the certificating path of the Crystal Report files do not validate on a standard 64 bit Windows installation. I checked the certificates and they look like this:

Signer information:

Issued to: Business Objects America

Issued by: Thawte Code Signing SA

Valid from 22/01/2009 to 23/01/2011


Issued to: VeriSign Time Stamping Services Signer - G2

Issued from: Verisign Time Stamping Services CA

Valid from 16/06/2007 to 15/06/2012

Could it be that somehow one of these two certificates causes my problem?