Delay sign with clickonce

Question

I have a ClickOnce application that relies on delay signed (with .pfx) assemblies. I currently rely on the Publish target of my project to create my ClickOnce deployment and would like to keep it that way if possible (avoid mage).

My problem is that the packaged assemblies are still delay signed because when publish runs I haven't had the chance to run "sn -Rc ...". Is there a way to hook into the Publish target to sign my assemblies after it builds/rebuilds. I could also sign the assemblies before the publish if publish didn't trigger a build.

Any suggestions?

Some leads that I'm not sure how to pursue: - sign assemblies in the .deploy files - re use the .manifest and .application files generated by the publish target to create new deployment with signed assemblies

In summary: How can I re use (with or without mage) the .manifest/.application generated by the publish target to create a new deployment? Same files, some slightly different.

Thanks, Benoit

Answer 1

My problem is that the packaged assemblies are still delay signed because when publish runs I haven't had the chance to run "sn -Rc ...". Is there a way to hook into the Publish target to sign my assemblies after it builds/rebuilds.

I'm pretty late on this, but i recently ran into this too and managed to insert a task into the MSBuild that fully signs the assemblies (not the manifests) directly after the build task. So the resigning is done before publishing.

I will quote the relevant lines of the .targets file below:

  <PropertyGroup Label="ProjectInfo">
    <AssemblyExtension Condition="'$(OutputType)' == 'Library'">.dll</AssemblyExtension>
    <AssemblyExtension Condition="'$(OutputType)' == 'WinExe'">.exe</AssemblyExtension>
    <AssemblyExtension Condition="'$(OutputType)' == 'Exe'">.exe</AssemblyExtension>
  </PropertyGroup>

  <PropertyGroup Label="Signing">
    <!-- the build server keeps the private key a secret; the path to the key file also containing 
         the private key is injected via build server environment -->
    <StrongNameKeyFile>$(STRONG_NAME_KEY)</StrongNameKeyFile>
    <IsBuildServer>$(BUILDSRV)</IsBuildServer>
  </PropertyGroup>

  <Target Name="Hook_AfterBuild" AfterTargets="AfterBuild">
  </Target>

  <!-- Fully sign the delay signed assembly on the build server -->
  <Target Name="FullySignAssembly" AfterTargets="Hook_AfterBuild"
          Condition=" '$(IsBuildServer)' == 'true' And '$(DelaySign)' == 'true' And '$(SignAssembly)' == 'true' ">
    <Exec Command="sn.exe -Ra $(OutputPath)$(AssemblyName)$(AssemblyExtension) $(StrongNameKeyFile)"/>
  </Target>

Answer 2

Just curious, what's your problem with using mage? This is what it's designed to do, and it's easy to re-sign your deployment. Here is an article showing how to do that.

If you don't want to use mage, you can check out the MMU application that Patterns and Practices provides, it's here: You can look at the code for this; it creates the deployment package programmatically.

Publish always does a build, there's nothing you can do to stop it (many have tried!).

If you want to add files to your deployment after creating the publishing package, check out "option 2" on the bottom of this page. IIRC, "Automatic" means using MMU; manual means using Mage or MageUI.