How to: Sign Application and Deployment Manifests

In order to publish an application by using ClickOnce deployment, the application and deployment manifests must be strong-named with a public/private key pair and signed using Authenticode technology. You can sign the manifests by using a certificate from the Windows certificate store or a key file.

Starting in Visual Studio 2008 SP1, signing the ClickOnce manifests is optional. For more information, see the "Generating Unsigned Manifests" section of this document.

For information about creating key files, see How to: Create a Public/Private Key Pair.

Note

Visual Studio supports only Personal Information Exchange (PFX) key files that have the .pfx extension. However, you can select other types of certificates from the current user's Windows certificate store using the Select a Certificate Dialog Box to sign your manifest.

You can sign your application and deployment manifests by using the options in the Signing page of the Project Designer. For more information, see Signing Page, Project Designer.

The following procedures apply to signing the application and deployment manifests only. If you want to sign the assembly, see How to: Sign an Assembly (Visual Studio).

To access the Signing page

  1. With the project node selected in Solution Explorer, from the Project menu, click Properties (or right-click the project node in Solution Explorer, and click Properties).

  2. In the Project Designer, click the Signing tab.

To sign application and deployment manifests using a certificate

  1. On the Signing page, select the Sign the ClickOnce manifests check box.

  2. Click the Select from Store button.

    The Select a Certificate Dialog Box appears and displays the contents of the Windows certificate store.

  3. Select the certificate that you want to use to sign the manifests.

  4. Optionally, specify the address of a timestamp server in the Timestamp server URL text box. The timestamp server provides a timestamp that records when the manifest was signed.

To sign application and deployment manifests using an existing key file

  1. On the Signing page, select the Sign the ClickOnce manifests check box.

  2. Click the Select from File button.

    The Select File dialog box appears.

  3. In the Select File dialog box, browse to the location of the key file (.pfx) that you want to use, and then click Open.

    Note

    This option supports only files that have the .pfx extension. If you have a key file or certificate in another format, store it in the Windows certificate store and select the certificate as described in the previous procedure. The selected certificate's purpose should include code signing.

    The Enter Password to Open File Dialog Box appears. (If the .pfx file is already stored in your Windows certificate store, or is not password protected, you will not be prompted to enter a password.)

  4. Enter the password to access the key file, and press ENTER.

To sign application and deployment manifests using a test certificate

  1. On the Signing page, select the Sign the ClickOnce manifests check box.

  2. To create a new certificate for testing, click the Create Test Certificate button.

  3. In the Create Test Certificate Dialog Box, enter a password to help secure your test certificate.

Generating Unsigned Manifests

Starting in Visual Studio 2008 SP1, signing the ClickOnce manifests is optional. The following procedures show how to generate unsigned ClickOnce manifests.

Note

By default, ClickOnce automatically generates signed manifests unless one or more files are specifically excluded from the generated hash. In other words, if all files are included in the hash and the Sign the ClickOnce manifests check box is cleared, publishing the application will result in signed manifests.

To generate unsigned manifests and include all files in the generated hash

  1. To generate unsigned manifests that include all files in the hash, you must first publish the application together with signed manifests. Therefore, first sign the ClickOnce manifests by following one of the previous procedures, and then publish the application.

  2. On the Signing page, clear the Sign the ClickOnce manifests check box.

  3. Reset the publish version so that only one version of your application is available. By default, Visual Studio automatically increments the revision number of the publish version every time that you publish an application. For more information, see How to: Set the ClickOnce Publish Version.

  4. Publish the application.

To generate unsigned manifests and exclude one or more files from the generated hash

  1. On the Signing page, clear the Sign the ClickOnce manifests check box.

  2. Open the Application Files dialog box and set the Hash to Exclude for the files that you want to exclude from the generated hash.

    Note

    Excluding a file from the hash configures ClickOnce to disable automatic signing of the manifests, so you do not need to first publish with signed manifests as shown in the previous procedure.

  3. Publish the application.
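
When reviewing a published ClickOnce deployment, the two conditions described in this section (manifests left unsigned, files excluded from the generated hash) can be checked directly in the manifest XML. The following is an added example, not part of the original documentation: the function name `audit_manifest` is hypothetical, and the sample manifest is constructed and simplified, assuming the usual ClickOnce layout with `file` and `dependentAssembly` elements in the `asm.v2` namespace, XMLDSIG digest values inside `hash`, and an XMLDSIG `Signature` element when the manifest is signed.

```python
import xml.etree.ElementTree as ET

ASM2 = "urn:schemas-microsoft-com:asm.v2"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed, simplified application manifest: no <Signature> element,
# and Settings.xml carries no <hash> (excluded from the generated hash).
SAMPLE_MANIFEST = """<asmv1:assembly xmlns="urn:schemas-microsoft-com:asm.v2"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" manifestVersion="1.0">
  <asmv1:assemblyIdentity name="Demo.exe" version="1.0.0.0" />
  <dependency>
    <dependentAssembly dependencyType="install" codebase="Demo.exe" size="8192">
      <assemblyIdentity name="Demo" version="1.0.0.0" />
      <hash>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <dsig:DigestValue>Q09OU1RSVUNURUQ=</dsig:DigestValue>
      </hash>
    </dependentAssembly>
  </dependency>
  <file name="Settings.xml" size="120" />
</asmv1:assembly>"""


def audit_manifest(xml_text):
    """Return (is_signed, payload names that carry no digest)."""
    root = ET.fromstring(xml_text)
    # A signed manifest embeds an XMLDSIG <Signature> element.
    is_signed = root.find(f".//{{{DSIG}}}Signature") is not None
    unhashed = []
    # Data files are <file name=...>; installed assemblies are
    # <dependentAssembly dependencyType="install" codebase=...>.
    for el in root.iter(f"{{{ASM2}}}file"):
        if el.find(f"{{{ASM2}}}hash/{{{DSIG}}}DigestValue") is None:
            unhashed.append(el.get("name"))
    for el in root.iter(f"{{{ASM2}}}dependentAssembly"):
        if el.get("dependencyType") != "install":
            continue
        if el.find(f"{{{ASM2}}}hash/{{{DSIG}}}DigestValue") is None:
            unhashed.append(el.get("codebase"))
    return is_signed, unhashed


if __name__ == "__main__":
    signed, unhashed = audit_manifest(SAMPLE_MANIFEST)
    print("signed:", signed)
    print("not covered by a hash:", unhashed)
```

The check only reports whether a signature element and digests are present; it does not validate the signature or recompute the digests against the files on disk.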

See Also

Tasks

How to: Create a Public/Private Key Pair

How to: Delay Sign an Assembly (Visual Studio)

Concepts

Strong-Named Assemblies

Reference

Signing Page, Project Designer

Other Resources

Signing ClickOnce Manifests

ClickOnce Deployment

Change History

Date: July 2008

History: Added information about generating unsigned manifests.

Reason: SP1 feature change.