When I'm doing manifest file signing using 'mage', why are 2 hash signatures getting created?

Aman Jain 20 Reputation points
2024-05-08T06:26:08.8066667+00:00

Here is the command I'm using:
mage -sign UNSIGNED2.manifest -CertHash <Fingerprint>

When I'm running the above command, 2 hash signatures are getting created. Why?

Thanks


Accepted answer
  1. Anonymous
    2024-05-10T09:11:23.4633333+00:00

    Hello,

    When you use 'mage' to sign a manifest file, two hash signatures are created because the manifest file contains two different types of content: the manifest itself and the files that it references. The first hash signature is created for the manifest file itself, while the second hash signature is created for the referenced files. This is done to ensure the integrity of both the manifest file and the referenced files, and to prevent any tampering with the contents of the manifest or the referenced files.

    Best Regards,

    Hania Lian

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    1 person found this answer helpful.
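
To see where each digest in a signed manifest sits, the following added example (not part of this thread and not Microsoft's code) walks the XML and reports every XMLDSig `DigestValue` together with the `Signature` element, if any, that encloses it. The sample manifest, its simplified layout, the Ids `sig-outer` and `sig-inner` and the digest strings are constructed placeholders; pass the text of your own signed manifest to `locate_digests` to see the real layout.

```python
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed, heavily simplified sample: not real mage output, digests are placeholders.
SAMPLE = """<asmv1:assembly xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
    xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <asmv2:file name="App.exe">
    <asmv2:hash><dsig:DigestValue>PLACEHOLDER_FILE</dsig:DigestValue></asmv2:hash>
  </asmv2:file>
  <dsig:Signature Id="sig-outer">
    <dsig:SignedInfo><dsig:Reference URI="">
      <dsig:DigestValue>PLACEHOLDER_OUTER</dsig:DigestValue>
    </dsig:Reference></dsig:SignedInfo>
    <dsig:KeyInfo>
      <dsig:Signature Id="sig-inner">
        <dsig:SignedInfo><dsig:Reference URI="">
          <dsig:DigestValue>PLACEHOLDER_INNER</dsig:DigestValue>
        </dsig:Reference></dsig:SignedInfo>
      </dsig:Signature>
    </dsig:KeyInfo>
  </dsig:Signature>
</asmv1:assembly>"""

def locate_digests(xml_text):
    """Return (enclosing Signature Id or None, element path, digest text) per DigestValue."""
    # Use only on manifests you produced: stdlib ElementTree is not hardened for hostile XML.
    root = ET.fromstring(xml_text)
    found = []
    def walk(node, path, sig_id):
        if node.tag == f"{{{DSIG}}}Signature":
            sig_id = node.get("Id", "(no Id)")  # innermost enclosing Signature wins
        path = path + [node.tag.rsplit("}", 1)[-1]]  # drop the namespace part
        if node.tag == f"{{{DSIG}}}DigestValue":
            found.append((sig_id, "/".join(path), (node.text or "").strip()))
        for child in node:
            walk(child, path, sig_id)
    walk(root, [], None)
    return found

def summarize(xml_text):
    """Count digests inside a Signature element versus digests outside any Signature."""
    recs = locate_digests(xml_text)
    inside = sum(1 for sig, _, _ in recs if sig is not None)
    return {"inside_signature": inside, "outside_signature": len(recs) - inside}

if __name__ == "__main__":
    for sig, path, value in locate_digests(SAMPLE):
        print(f"{sig or 'outside any Signature':24} {path}  {value}")
```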

2 additional answers

  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.



  2. Anonymous
    2024-05-08T08:07:30.2033333+00:00

    Hello,

    If you’re seeing two hash signatures being created, it could be due to a couple of reasons:

    Multiple Certificates: If there are multiple certificates that match the provided fingerprint, mage might be signing the manifest with each one, resulting in multiple hash signatures.

    Manifest Types: There are two types of manifests in ClickOnce deployment: the deployment manifest and the application manifest. If you’re signing both, you might see two hash signatures as a result.
