When I'm doing manifest file signing using 'mage', why 2 hash signatures are getting created?

Aman Jain 20 Reputation points
2024-05-08T06:26:08.8066667+00:00

Here is the command I'm using:
mage -sign UNSIGNED2.manifest -CertHash <Fingerprint>

When I'm running the above command, 2 hash signatures are getting created. Why?

Thanks

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,833 questions
0 comments No comments
{count} votes

Accepted answer
  1. Hania Lian 8,386 Reputation points Microsoft Vendor
    2024-05-10T09:11:23.4633333+00:00

    Hello,

    When you use 'mage' to sign a manifest file, two hash signatures are created because the manifest file contains two different types of content: the manifest itself and the files that it references. The first hash signature is created for the manifest file itself, while the second hash signature is created for the referenced files. This is done to ensure the integrity of both the manifest file and the referenced files, and to prevent any tampering with the contents of the manifest or the referenced files.

    Best Regards,

    Hania Lian

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    1 person found this answer helpful.

2 additional answers

Sort by: Most helpful
  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


    Comments have been turned off. Learn more

  2. Hania Lian 8,386 Reputation points Microsoft Vendor
    2024-05-08T08:07:30.2033333+00:00

    Hello,

    If you’re seeing two hash signatures being created, it could be due to a couple of reasons:

    Multiple Certificates: If there are multiple certificates that match the provided fingerprint, might be signing the manifest with each one, resulting in multiple hash signatures.

    Manifest Types: There are two types of manifests in ClickOnce deployment: the deployment manifest and the application manifest. If you’re signing both, you might see two hash signatures as a result.

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.