ClickOnce Application,Expired Certificates & Public Key Token PART I

Well, by this time I’m sure most ClickOnce application developers are aware of this problem. If you aren’t, here is a basic description of what the problem is:

Problem description

ClickOnce allows application updates only if the updated application manifests are signed with the same certificate (publisher) that was used to sign the original application manifests. However, most CAs, such as Verisign, and many enterprise customers’ own CAs generate renewed certificates with new key pairs and only the same common name (CN).

The certificate is used for the Authenticode signature element and for the strong-name signature element of the manifest file, to protect it against tampering and to provide identity information for the trust manager. If the signing certificate expires and you publish an application update with a renewed certificate that has different keys, the update fails with the error message described in the KB article.

There are lots of issues and threads discussing how to resolve this problem, and these are the preferred solutions available on the net:

  1. Manually uninstall and re-install the application with the new certificate – which we cannot do when we have a large client base using our ClickOnce application.
  2. Install .NET Framework 2.0 SP1 on XP / .NET Framework 3.5 SP1 on Vista or later. In these service packs of the .NET Framework this bug is fixed, and the application will update seamlessly. – but we cannot force or even inform clients to do that. Yes, by this time most users may have installed .NET Framework 3.5 SP1 through Windows automatic updates, but if even one guy hasn’t done that, KABOOM!!, clients are going to complain.
  3. Sign the new ClickOnce deployment with 2 different keys – a solution by Daniel Margetic. Even though developers may like it, when considering automation and the infrastructure of build servers this might not be a favourite solution.
  4. Automatically uninstall the old application and re-install the new application – a solution by Jim Harte. Using this method, we release an update for the application with the expired certificate, which carries scripts to automatically uninstall the application and install the application with the new certificate from a new location. The following thread on MSDN explains this process completely:
              VS2008 SP-1 change certificate, user can’t pick up update

    The last one seems to be the favourite of most people around the globe. It uses these classes by Jim Harte to uninstall and re-install the application, with the following code:

using System.Windows.Forms;

// Tell the user what is happening, remove the deployment signed with the old
// certificate, then install the re-signed deployment from its new location.
MessageBox.Show("Your Message to Client");
DeploymentUtils.UninstallMe();
DeploymentUtils.AutoInstall("<Path toNewApplication.application>");
Application.Exit();

You can have the new path as a sub-folder of the current application’s update URL. You can get a ClickOnce application’s update URL using the line below:

ApplicationDeployment.CurrentDeployment.UpdateLocation.Host
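As an added example (not from this post and not part of Jim Harte’s DeploymentUtils), here is a small build-side check that tells you whether a renewed certificate kept the key pair, which is the only case where a normal update is accepted, and that derives the migration folder from the existing update URL. It assumes the old and renewed certificates are available as PFX files; the update URL in Main is a constructed stand-in for ApplicationDeployment.CurrentDeployment.UpdateLocation.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Example added for this post; not from the post or from Jim Harte's DeploymentUtils.
// Assumes the old and renewed signing certificates are available as PFX files.
static class CertificateMigrationCheck
{
    // ClickOnce matches the manifest signer by public key, not by subject name (CN),
    // so only a renewal that keeps the key pair allows a normal in-place update.
    public static bool SameKeyPair(X509Certificate2 current, X509Certificate2 renewed)
    {
        return current.GetPublicKeyString() == renewed.GetPublicKeyString();
    }

    // Builds the migration target as a sub-folder of the current update URL, so the
    // re-signed install is served from the same host the client already updates from.
    // At run time pass ApplicationDeployment.CurrentDeployment.UpdateLocation here.
    public static Uri MigrationLocation(Uri updateLocation, string subFolder, string appFile)
    {
        var baseDir = new Uri(updateLocation, "./");   // folder holding the current .application
        return new Uri(baseDir, subFolder.Trim('/') + "/" + appFile);
    }

    // Usage: CertificateMigrationCheck old.pfx <pwd> renewed.pfx <pwd>
    public static void Main(string[] args)
    {
        var current = new X509Certificate2(args[0], args[1]);
        var renewed = new X509Certificate2(args[2], args[3]);

        if (DateTime.Now > current.NotAfter)
            Console.WriteLine("Current signing certificate expired on " + current.NotAfter);

        if (SameKeyPair(current, renewed))
        {
            Console.WriteLine("Same key pair: a normal ClickOnce update will be accepted.");
            return;
        }

        // Different key pair: the update will be rejected, so plan the uninstall/re-install step.
        // Constructed update URL standing in for the deployed application's UpdateLocation.
        var updateUrl = new Uri("https://updates.example.com/MyApp/MyApp.application");
        var target = MigrationLocation(updateUrl, "v2", "MyApp.application");
        Console.WriteLine("Key pair changed: release the migration update and install from " + target);
    }
}
```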

That would do the trick. So what is this about the Public Key Token? I will explain that in Part 2 of this article.

Hope it helps,

Aneef

I have just posted Part II of this series; it is here.

Special Note:

Thanks to RobinDotNet for his wonderful support through MSDN and through his blog to solve this problem.

Aneef Fashir

Software Architect @ Assette, Sri Lanka


  • Pingback: ClickOnce Application,Expired Certificates & Public Key Token PART II | Aneef.Net

  • Chris

    So the question begs, if the client has .net 3.5 sp1 on Vista, and I am distributing my code via clickonce SIGNED from a trusted authority, what happens when my cert expires? Nothing? Will the user get prompted? What happens?

  • http://www.aneef.net/ Aneef Fashir

    Chris,

    Well, if the user has .NET 3.5 SP1 or 2.0 SP1 your application is gold to update with the new certificate. When you upgrade next time it will seamlessly update. But hope you are aware that even though .NET Framework 3.5 SP1 is there, if your existing certificate is expired, until you change the certificate it will show “Unknown Publisher” when you install the application.

  • Pingback: ClickOnce Application,Expired Certificates & Public Key Token PART III – Pushing .net Framework 3.5 | Aneef.Net
