vstoadd-inoneclick

Unknown Publisher still appears on correctly code-signed VSTO addin built with VS2010


I have a OneClick Deployed VSTO Addin that I have signed with a up-to-date Verisign code-signing certificate (PFX). I have verified that I am signing correctly with Verisign support on the phone – they concur. I am building with VS2010. Nonetheless, the Addin shows “unknown publisher” when I try to install.

Why?

How can I replace “Unknown Publisher” with the name of the Publisher on the PFX certificate?

This is what I have done to try to solve the problem to date:

  1. Found this question about “Unknown Publisher” issue on Addins. The accepted answer to that question discusses using mage.exe to sign the deployment and application manifests.

  2. I used mage.exe to apply the PFX signature to both the application and deployment manifests to no avail; “Unknown Publisher” still shows when I install the Addin. Only then did I see a comment by a MS program manager on the page of the last link that VSTO Addin's built under 2008 or earlier do not read either the application or deployment manifests.

  3. Then I saw the same MS program manager's comment at bottom linking to this page and asserting that starting in VS2010 that VSTO Addin's with Publisher specified as given in the linked page will now have their manifests read and the correct Publisher name displayed upon Addin installation.

I have done all this and the publisher on my correctly code-signed OneClick Deployment still shows “Unknown Publisher” - why?


Solution

  • Follow these steps:

    1. Install the certificate on your local machine. In Windows Explorer right-click the certificate file, select Install PFX, and follow the instructions.

    2. Ensure the VSTO project manifest and assembly are signed. In the VSTO project's properties on the Signing tab, "Sign the ClickOnce manifests" should be checked (if not, select your PFX file). "Sign the assembly" should also be checked and using the same PFX file.

    3. After publishing the VSTO, you'll need to sign the manifest and the published .vsto files from the command line. You will also need to copy the .dll's from the bin to your published folder before you run mage.exe (to avoid "File Not Found" errors). I highly recommend signing both .vsto's for safety's sake. Here is the command line code to perform these steps:

    -

    set AppPublishPath=bin\Release\app.publish
    set AppPublishVersionPath=bin\Release\app.publish\Application Files\MyProjectName_1_0_0_0
    
    set CertificatePath=C:\SignedCertificate.pfx
    set CertificatePassword=password
    
    copy bin\*.dll "%AppPublishVersionPath%"
    
    mage -update "%AppPublishVersionPath%\MyProjectName.dll.manifest"  -certfile "%CertificatePath%"  -Password %CertificatePassword%
    mage -update "%AppPublishVersionPath%\MyProjectName.vsto"  -appmanifest "%AppPublishVersionPath%\MyProjectName.dll.manifest" -certfile "%CertificatePath%"  -Password %CertificatePassword%
    mage -update "%AppPublishPath%\MyProjectName.vsto"  -appmanifest "%AppPublishVersionPath%\MyProjectName.dll.manifest"  -certfile "%CertificatePath%"  -Password %CertificatePassword%
    

    See Nathan's comment below about a possible additional step.