What needs to be signed, when signing a WPF app?

Rod At Work 866 Reputation points
2021-06-04T21:15:53.527+00:00

I'm working on converting a TFS build and release of a WPF app, to bring it to Azure DevOps Services Pipelines. The fellow who authored the original PowerShell code for signing our WPF ClickOnce release, made it so that it signed all .exe and .dll files.

I've got the Azure build pipeline successfully signing the WPF .exe file. I wanted to watch the progress of the build. I saw that it was signing every .dll we have in the project. Due to the NuGet packages we're including, and all the dependencies those NuGet packages require, the build pipeline is signing over 100 .dlls. That seems excessive.

But I don't know. I just took it on faith that my former colleague knew what he was doing when he had the PowerShell code he wrote look for all .dll and .exe files and sign everything. I've translated what he wrote into YAML but was sure to keep his logic in place. But now, I don't know if that's the correct approach or not. In fact, I don't really know what needs to be signed in a WPF ClickOnce application. So, that's my question to you. In a ClickOnce Windows application, what must be signed?


1 answer

  1. DaisyTian-1203 11,646 Reputation points
    2021-06-07T08:04:20.713+00:00

    Signing is an optional step for a ClickOnce Windows application; you can find the description below in Secure ClickOnce applications:

    ClickOnce uses certificates to verify the authenticity of the application's publisher, and to sign the application and deployment manifests to prove that the files have not been tampered with. Signing is an optional step, which makes it easier to change the application files after the manifests are generated. However, without signed manifests, it is difficult to ensure that the application installer is not tampered in man-in-the-middle security attacks. For this reason, we recommend that you sign your application and deployment manifests to help secure your applications.

    If you sign your app, you need to know that there are various types of Authenticode certificates. Each one is configured for different types of signing. For ClickOnce applications, you must have an Authenticode certificate that is valid for code signing. If you attempt to sign a ClickOnce application with another type of certificate, such as a digital e-mail certificate, it will not work. Derived from ClickOnce and Authenticode.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
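An added example, not code from the question or the answer above, showing what a pipeline signing step for a ClickOnce publish looks like when it follows the answer's guidance: the certificate is checked for the code-signing EKU before anything is signed, only the binaries that are not already validly signed by their vendor get an Authenticode signature, and the application and deployment manifests (the part ClickOnce itself verifies; they carry a hash of every file) are re-hashed and signed last, because Authenticode signing changes the bytes of a file and would otherwise invalidate the hashes already in the manifests. Everything below the first comment is assumed and not from the page: the folder layout and manifest names, `mage.exe` and `signtool.exe` on PATH, the PFX password supplied through the `SIGNING_PFX_PASSWORD` environment variable (how an Azure Pipelines secret would be mapped into the step), and a publish folder whose files do not carry the `.deploy` suffix.

```powershell
# Added example (not the original poster's or the answerer's code).
# Assumed, not from the page: paths below, mage.exe and signtool.exe on PATH,
# the PFX password exposed to this step as SIGNING_PFX_PASSWORD, and application
# files published without the .deploy suffix so signtool/mage see the real binaries.
param(
    [string]$FilesDir       = ".\publish\Application Files\MyApp_1_0_0_0",
    [string]$AppManifest    = ".\publish\Application Files\MyApp_1_0_0_0\MyApp.exe.manifest",
    [string]$DeployManifest = ".\publish\MyApp.application",
    [string]$PfxPath        = ".\signing.pfx",
    [string]$TimestampUrl   = "http://timestamp.digicert.com"   # any RFC 3161 TSA you trust
)
$ErrorActionPreference = "Stop"
$PfxPassword = $env:SIGNING_PFX_PASSWORD
if (-not $PfxPassword) { throw "SIGNING_PFX_PASSWORD is not set" }

# 1. Load the certificate and confirm it is a code-signing certificate (EKU 1.3.6.1.5.5.7.3.3).
#    An e-mail or TLS certificate fails here, which is the failure mode the answer describes.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
if ($ekus -notcontains "1.3.6.1.5.5.7.3.3") {
    throw "$PfxPath is not a code-signing certificate: $($cert.Subject)"
}
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# 2. Authenticode-sign the binaries. Assemblies that already carry a valid signature from
#    another publisher (typical for NuGet dependencies) are left as they are; ClickOnce does
#    not require them to be re-signed, and the manifest hashes in step 3 still cover them.
$binaries = Get-ChildItem -Path $FilesDir -Recurse -Include *.exe, *.dll -File
foreach ($file in $binaries) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($sig.Status -eq "Valid" -and $sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
        Write-Host "skip (signed by $($sig.SignerCertificate.Subject)): $($file.Name)"
        continue
    }
    Write-Host "sign: $($file.Name)"
    & signtool sign /fd SHA256 /f $PfxPath /p $PfxPassword /tr $TimestampUrl /td SHA256 $file.FullName
    if ($LASTEXITCODE -ne 0) { throw "signtool failed on $($file.FullName)" }
}

# 3. Re-hash the application manifest against the (now signed) files, sign it, then point the
#    deployment manifest at the updated application manifest and sign that too. The order
#    matters: each signature covers the hashes computed in the step before it.
& mage -Update $AppManifest -FromDirectory $FilesDir
if ($LASTEXITCODE -ne 0) { throw "mage -Update failed on $AppManifest" }
& mage -Sign $AppManifest -CertFile $PfxPath -Password $PfxPassword -TimestampUri $TimestampUrl
if ($LASTEXITCODE -ne 0) { throw "mage -Sign failed on $AppManifest" }
& mage -Update $DeployManifest -AppManifest $AppManifest
if ($LASTEXITCODE -ne 0) { throw "mage -Update failed on $DeployManifest" }
& mage -Sign $DeployManifest -CertFile $PfxPath -Password $PfxPassword -TimestampUri $TimestampUrl
if ($LASTEXITCODE -ne 0) { throw "mage -Sign failed on $DeployManifest" }

# 4. Report what the machine now sees for each binary; on a build agent that does not trust
#    the signing CA this shows UnknownError rather than Valid, so treat it as a report, not a gate.
Get-ChildItem -Path $FilesDir -Recurse -Include *.exe, *.dll -File |
    Get-AuthenticodeSignature |
    Select-Object @{n="File";e={Split-Path $_.Path -Leaf}}, Status, @{n="Signer";e={$_.SignerCertificate.Subject}} |
    Format-Table -AutoSize
```

Two points the script is built around: the certificate check in step 1 catches the "wrong kind of certificate" problem at the start of the job instead of at the end of a long signing loop, and step 3 runs after step 2 because a ClickOnce manifest signature only proves the files have not changed since the manifest was hashed, so any Authenticode signing of the payload has to happen before the manifests are hashed and signed.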

