I have a ClickOnce app that I am updating to be deployed using a modern deployment Jenkins Pipeline with MSBuild. Part of this effort is signing the .manifest and .application files.
Previously we used <SignFile> with MSBuild to sign these, using certificates that were installed in the user's personal store on the build machine. It worked with:
<SignFile SigningTarget="MyApp.exe.manifest"
CertificateThumbprint="1a 9f ..."
TimestampUrl="http://timestamp.verisign.com/scripts/timstamp.dll" />
<SignFile SigningTarget="MyApp.application"
CertificateThumbprint="1a 9f ..."
TimestampUrl="http://timestamp.verisign.com/scripts/timstamp.dll" />
However, in the 21st century we prefer to have everything we need to build either in version control or available in a secret store via an API, so that we no longer depend on the build server to be in a certain state.
So how can we use SignFile to sign a ClickOnce manifest and application without the certificate needing to be installed? Or am I not thinking about this right?
If there is a better way than using <SignFile>, let me know--as far as I can tell, SignTool.exe and Mage.exe both require the certificate to be installed as well.
It seems like the old mage.exe is more full-featured than SignTool.
So I copied mage.exe to my project dependencies folder from
C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools, then in MSBuild, this worked for me:

Then I did something very similar to that for the deployment manifest (.application) file.
Apparently the newer versions of mage.exe can indeed support SHA-256, contrary to some web pages I found on the topic (perhaps they were older).
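The approach the answer describes, as an added example that is not the answerer's build code: mage.exe copied into the repo, the PFX pulled from a secret store at build time rather than installed in a certificate store, both manifests signed with SHA-256 and a timestamp. The `-CertFile`, `-Password`, `-Algorithm` and `-TimestampUri` options are mage.exe's own. Everything else is an assumption for illustration: the `.\tools` and `.\publish` paths, the `MyApp` file names, and the `SIGNING_PFX_BASE64` / `SIGNING_PFX_PASSWORD` environment variables (for example bound from Jenkins credentials).

```powershell
<#
  Added example, not code from the original post. Signs the ClickOnce application
  manifest and deployment manifest with a repo-local mage.exe and a PFX that exists
  on disk only for the duration of the signing step.
  Assumptions (not from the post): mage.exe is in .\tools, manifests are in
  .\publish, the PFX is supplied base64-encoded in SIGNING_PFX_BASE64 and its
  password in SIGNING_PFX_PASSWORD, and the timestamp URL is passed in.
#>
param(
    [string]$MageExe        = ".\tools\mage.exe",
    [string]$AppManifest    = ".\publish\MyApp.exe.manifest",
    [string]$DeployManifest = ".\publish\MyApp.application",
    [string]$TimestampUrl,
    [string]$PfxBase64      = $env:SIGNING_PFX_BASE64,
    [string]$PfxPassword    = $env:SIGNING_PFX_PASSWORD
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

if (-not $PfxBase64 -or -not $PfxPassword -or -not $TimestampUrl) {
    throw "SIGNING_PFX_BASE64, SIGNING_PFX_PASSWORD and -TimestampUrl are all required"
}

# mage.exe reports failures via its exit code and does not throw, so every call
# is checked here; otherwise an unsigned manifest could ship silently.
function Invoke-Mage {
    param([string[]]$MageArgs)
    & $MageExe @MageArgs
    if ($LASTEXITCODE -ne 0) {
        throw "mage.exe failed (exit $LASTEXITCODE): $($MageArgs -join ' ')"
    }
}

# Write the PFX to a uniquely named temp file; it is deleted in the finally block.
$pfxPath = Join-Path $env:TEMP ("signing-" + [guid]::NewGuid().ToString("N") + ".pfx")
try {
    [IO.File]::WriteAllBytes($pfxPath, [Convert]::FromBase64String($PfxBase64))

    # 1. Sign the application manifest (.exe.manifest) from the PFX file,
    #    SHA-256 signature, RFC 3161 timestamp.
    Invoke-Mage @('-Sign', $AppManifest,
                  '-CertFile', $pfxPath, '-Password', $PfxPassword,
                  '-Algorithm', 'sha256RSA',
                  '-TimestampUri', $TimestampUrl)

    # 2. The deployment manifest (.application) carries the hash of the
    #    application manifest, which has just changed. Refresh that reference
    #    before signing, or the deployment will fail validation on the client.
    Invoke-Mage @('-Update', $DeployManifest, '-AppManifest', $AppManifest)

    # 3. Sign the deployment manifest last, same certificate and settings.
    Invoke-Mage @('-Sign', $DeployManifest,
                  '-CertFile', $pfxPath, '-Password', $PfxPassword,
                  '-Algorithm', 'sha256RSA',
                  '-TimestampUri', $TimestampUrl)
}
finally {
    # Never leave the private key on the build agent, even on failure.
    if (Test-Path $pfxPath) { Remove-Item $pfxPath -Force }
}
```

Two things to keep in mind when running this from a pipeline. The order matters: re-signing the .exe.manifest changes its digest, so the .application must be updated to point at the new manifest before it is signed, and any later `-Update` of either file invalidates its signature again. And mage.exe takes the PFX password on the command line, so it is visible in process listings on the agent for the duration of the call; credential masking in the Jenkins console log does not change that, so keep signing on a dedicated, locked-down agent.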