VB 2005 / New Dev PC, how do I install/fix my Certificate/digital signature so I can publish my updated applications?

Background:  I write applications for the business where I work.  I install the apps myself and they never leave the building.  Hence, I couldn't care less about certificates and their provided security.  I just want to simply compile and update my apps and have them install without all the security overhead hassle.

I'm using VB 2005 (but starting to use VB 2013 so the solution will need to apply there as well) and use ClickOnce installs.

In 2010 I used programs makecert.exe and pvk2pfx.exe to make my .cer, .pvk, and .pfx files.  I created them on my Windows XP 32bit development PC.  I have been using the certificate to "Sign my ClickOnce Manifests" since then and it has worked fine.

Just this month I upgraded my development PC to Windows 7 64bit.  I updated a VB 2005 app and went to Publish it and got the error:

" Error 8 SignTool reported an error 'Failed to sign bin\Release\TrimPick.publish\\setup.exe. SignTool Error:  ISignedCode::Sign returned error: 0x800B010A

A certificate chain could not be built to a trusted root authority.

SignTool Error: An error occurred while attempting to sign: bin\Release\TrimPick.publish\\setup.exe'. TrimPick"

So I went to my .pfx file, right-clicked it and selected "Install PFX".  Then I went to my .cer file, right-clicked it and "Install Certificate".  I deleted my .pfx from my project, went to project Signing and "Select from file..." my .pfx file and added it back.   I tried Publishing again and still got the same error.

When I go into Signing and look at "More Details" on Certificate "General" tab it says, "The integrity of this certificate cannot be guaranteed.  The certificate may be corrupted or may have been altered.".  When I look on the "Certification Path" tab the Certification status says "This certificate has an invalid digital signature.".

It is like something is not set up on my new PC correctly.  How can I fix this so I can continue to publish my programs?

Any help in this matter would be greatly appreciated.  Thanks

Jacques Bourgeois (James Burger), President, Commented:
Did you export your certificate from the old environment to the new? If not, you might be out of luck. You cannot change the signature on a project once it has been signed. The only solution is to create a new solution/project, import the code files, recreate the references, recompile.


You no longer need to sign the certificate in 2010 ClickOnce installations. Since the distribution is in-house and you say you are controlling everything, you might try to simply let go of the signature on the manifest. In my experience, for that to work however, the users will have to uninstall their application first, and then reinstall the new unsigned version. After that, it's update as usual.
sqdperu, Author, Commented:

Thanks for the response.  

If there is some sort of "export" method, I don't believe I did that.   I just copied my  .cer and .pfx files to new PC and right-clicked them and tried to "install" them.  Then went to project Signing and "Select from file..." my .pfx file to add it.

So on all my .net 2005 apps I have to "create a new solution/project, import the code files, recreate the references, recompile."?   Also, I will have to create brand new files with makecert.exe and pvk2pfx.exe to make my .cer, .pvk, and .pfx files to use with them right?   Because my current Certification status says "This certificate has an invalid digital signature.".

Also so I know going forward, are you saying in any app I develop in .net 2013, on the Project Signing tab I can uncheck the "Sign the ClickOnce manifests" box and be rid of this whole hassle for good?

sqdperu, Author, Commented:

Also the PC I'm on (my dev PC) was XP and corporate updated it to Windows 7 (same PC) and copied a lot of settings and files back over after the update.   Is it possible I could still do the "Export" process (data still may be there)?  If so, how do I do that?

Jacques Bourgeois (James Burger), President, Commented:
The types of certificates that you create yourself can be used to sign applications on the computer on which they were created only. You need to go through an export and import mechanism to move them from one computer to another. The thing is done automatically when you update your computer from one version of Windows to another, but needs to be done manually if you change computers.

The easiest way to go, if you do not absolutely need the certificates (some companies force you to have signed applications) is to uncheck the signature boxes in your projects.

The project is dependent on the signature, the individual files are not. If you need them, then the only solution I have found when I made the same mistake was to create new projects, and recreate them by importing the source code files from the initial project and then recreate the needed references.
sqdperu, Author, Commented:
My company does not care about the signatures.  The programs are only used in-house and would not even work if taken outside.

To make sure I understand.

I can only uncheck the signature box on my VS2013 apps, correct?

But MS forces me to use signatures on VS2005 apps?

Even if I recreate my VS2005 apps,  I still will have to have a valid signature won't I?  
In desperation I have tried again what I did originally to create my own certificates that worked in the past:

makecert -sv MyPrvtKey.pvk -n "CN=CompanyName" MyCert.cer -b 01/01/2005 -e 07/15/2050

pvk2pfx -pvk MyPrvtKey.pvk -spc MyCert.cer -pfx MyPFX.pfx -po MyPWpfx

I then right-clicked the .cer and .pfx files and installed them to the default (auto) locations.

Unfortunately, when I look on the "Certification Path" tab the Certification status still says "This certificate has an invalid digital signature.".    :(

Thanks James.
Jacques Bourgeois (James Burger), President, Commented:
There has been a change, in version 2008 if my memory is good. Since ClickOnce is used mostly in-house and many programmers did not understand how to properly work with signatures, they removed the need to sign ClickOnce manifests and applications in more recent versions of the Framework. But it was needed in 2005.

Creating a new certificate is no good, you need to import the original one.

This is security here. If somebody could get his hands on your code, he would get your signature, since the signature is there with the source code. He could modify the code to do bad things, distribute it as an update and it would compromise the security. So the signature becomes part of the application and cannot be changed during its life.

The signature is used by the Framework to identify the application. Think of it as if it was your own personal signature. Suppose somebody gets his hands on your checkbook. Your handwritten signature is what prevents him from using it. The same thing applies for digital signatures, but with an extra level of security, it's almost impossible to copy a digital signature, because of the extra levels of security.

Before embarking on any security feature, you have to make sure that you understand it properly, which you did not do, as do a lot of programmers. So you do not have an exported copy of your signature to work with.
sqdperu, Author, Commented:
I do not understand the security of all this for sure.    

So it sounds like I'm good to go for any new apps I create in VS2013 - I can just avoid the whole mess by unchecking the signing of the manifests.

But as far as my VS2005 apps. I don't know how to proceed forward.  I understand how you told me to create/recreate a new project, import code, etc.  What I don't understand is how to create a good Certificate/Signature - as the way I did it originally seems to now create bad files.

Any guidance on how I can create good files (since they seem to be mandatory) to use with my "recreated" VS2005 programs?

Thanks James for all your help.   I really appreciate it.
Jacques Bourgeois (James Burger), President, Commented:
Work as an administrator on your station.

In the Signing tab of the project's properties, under "Choose a strong name key file" (the label can be a little different, I do not have 2005 installed anymore), you can create a new certificate. Make sure to select the option with a password when required for a file name. And BE CAREFUL while going through the few forms in the creation process, there is a checkbox somewhere that you need to check so that the certificate will be exportable.

This will create a .pfx file in your project's root directory. This is usually sufficient, but depending on the level of security on the server, it might not work. If this is the case, ask your administrators. The certificate is usually registered automatically on your development station, but I have seen a few instances where I had to double click on it as you probably did with the .cer to register it. Use that same file for all your projects, so you won't mess things up.

Note that you will probably not be able to sign your old project with it, since the old project is locked with your old signature. You will have to recreate a new project and import your source code to be able to use the new signature.

To prevent problems in the future, should you need to move the project, be sure to export the certificate as described here. You will be able to identify your certificate in the certificate store by the date. It will be the same day and month as the day you created it, with a few years added.

Copy the resulting file in a safe place. If your project eventually moves to another computer, use that file to import the certificate on the new computer.
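
The chain check behind the publish error and the export/import backup described in the answer above can also be scripted in PowerShell with the .NET X509 classes. This is an added example, not code from either poster: the function names are hypothetical, `MyCert.cer` and `CN=CompanyName` come from the makecert command quoted earlier in the thread, and the `C:\Backup` path is a constructed placeholder.

```powershell
# Added example, not from the thread. Function names are hypothetical.
# Only .NET X509 classes are used, so no extra PowerShell modules are needed.
$ns = 'System.Security.Cryptography.X509Certificates'

function Get-CertDiagnosis {
    # Report the fields that matter for the "chain could not be built" error.
    param([Parameter(Mandatory = $true)][string]$Path)
    $cert  = New-Object "$ns.X509Certificate2" -ArgumentList (Resolve-Path $Path).Path
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # self-signed: no CRL to fetch
    $builds = $chain.Build($cert)
    New-Object PSObject -Property @{
        Subject            = $cert.Subject
        NotAfter           = $cert.NotAfter
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
        KeySizeBits        = $cert.PublicKey.Key.KeySize
        ChainBuilds        = $builds
        ChainStatus        = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

function Export-SigningCert {
    # Back up the certificate AND its private key from the current user's store.
    param([string]$Subject, [string]$OutFile, [Security.SecureString]$Password)
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for '$Subject' in CurrentUser\My" }
    # Export() throws if the key was not marked exportable when it was created or imported.
    $bytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [IO.File]::WriteAllBytes($OutFile, $bytes)      # pass a full path
    $cert.Thumbprint
}

function Import-SigningCert {
    # Restore the backup on the new PC, keeping the key exportable for the next move.
    param([string]$PfxFile, [Security.SecureString]$Password)
    $flags = [Security.Cryptography.X509Certificates.X509KeyStorageFlags]'Exportable, PersistKeySet'
    $cert  = New-Object "$ns.X509Certificate2" -ArgumentList $PfxFile, $Password, $flags
    $my    = [Security.Cryptography.X509Certificates.StoreName]::My
    $user  = [Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser
    $store = New-Object "$ns.X509Store" -ArgumentList $my, $user
    $store.Open([Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }
    $cert.Thumbprint
}

# Usage (file name and subject from the makecert command quoted earlier; C:\Backup is a placeholder):
#   Get-CertDiagnosis .\MyCert.cer
#   $pw = Read-Host 'PFX password' -AsSecureString
#   Export-SigningCert 'CN=CompanyName' 'C:\Backup\signing.pfx' $pw    # old PC
#   Import-SigningCert 'C:\Backup\signing.pfx' $pw                     # new PC
```

The exported .pfx contains the private signing key, so keep it password-protected and out of the project folder and source control.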
sqdperu, Author, Commented:
Thanks James for all your time and help.  I will give all this a try and see what happens.  Thanks.
sqdperu, Author, Commented:
I created a new version of my program, "Add existing item" to pull in all my code files, etc. and added references.  

I created new Certificate as instructed here:  http://msdn.microsoft.com/en-us/library/ff369721.aspx
All succeeded.

Did a "Select from file..." as it instructs.  When I click "More Details..."  I don't get the message the instructions get.  Instead on Certificate "General" tab it still says, "The integrity of this certificate cannot be guaranteed.  The certificate may be corrupted or may have been altered.".  When I look on the "Certification Path" tab the Certification status still says "This certificate has an invalid digital signature.".

I'm starting to wonder if it has nothing to do with my VB2005 app and something else is messed up in Windows.  The problem is I have no idea how to determine what that is and why it creates invalid digital signatures.   I tried both the 32bit and 64bit versions of the MakeCert program.   My previous XP OS was 32bit.  My current OS is Win 7 64bit.
Jacques Bourgeois (James Burger), President, Commented:
Instead of using MakeCert directly, did you try creating a certificate through the Visual Studio interface as I pointed to, by selecting New under "Choose a strong name key file" in the Signing tab of the project's Properties window?

Were you logged in as an administrator when you created the certificate?

Have you tried adding it with a double click on the .pfx file?

These are the steps I use, and they have worked for me at many customers' locations. I did move from XP 32-bit to Win 7 64-bit and then Windows 8 and then Windows 8.1 without any problem on my main development computer.
sqdperu, Author, Commented:
I went the MakeCert method because I wanted to make the expiration date 35 years out.

Yes, I am logged in as an administrator on PC.  That is how corp.  has it set up.

No, I have not tried double-clicking  on the .pfx.  

I will try that to see if it makes a difference.

sqdperu, Author, Commented:
The Certification Path says at the bottom:
"This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."

I just let it put it to the default where  it wanted (auto).  Do I need to put it ^ here too?
Jacques Bourgeois (James Burger), President, Commented:
Not in my experience. I always did it with the defaults, and the thing worked for me.

I am sorry, but my expertise ends there. If you have an IT staff around, ask them. They might have set the security to a level that is higher than the default.
sqdperu, Author, Commented:
Okay,  So I did what you suggested on my Original copy of my code (not the recreated one).  It compiled and published just fine!    I did get the message during the publish "The application is signed with a different key than the existing application on the server.  Do you want to overwrite it?".   I told it "yes".  I hope that was the correct answer.

(By the way, the button on Project Signing tab is "Create Test Certificate...".)

So going forward on VB2005 I guess from now on I need to "Create a test Certificate..." for each app individually?

I see the Certification expires in a year.  Is there a way to extend that or do I have to wait for it to expire and then renew it?

I also need to look up how to do the Cert. Export you were talking about.

Jacques Bourgeois (James Burger), President, Commented:
A Test Certificate is OK for development, but is not supposed to be for distribution. This is not a true certificate. It is something that is used by Visual Studio so that you can simulate the use of a certificate while you are developing. You use that when you are developing for somebody that will add their own certificate later. I have never worked that way, but make sure that you test the deployment on another computer before distributing your application signed with that certificate; you might end up having problems on the other end.

As for the expiration, I have seen a few web pages about a way to extend it, but as far as I am concerned, expired certificates continue to work properly. This is a low level certificate, so it might be that as long as it is there, Windows does not care.

I am not sure that the Export will work with a test certificate.

sqdperu, Author, Commented:
Hmm,  you said you could not remember what it was called in VS2005 Project Signing tab so I thought that is what you meant as it is the only option available to create a certificate.  (The only buttons are "Select from Store...", "Select from File...", and "Create Test Certificate...", and "More Details...".  So I had no choice but to go with the Test certificate if I was to build it from within VB2005.  Also, it is what the link I attached earlier was doing.)

I didn't know you could just ignore expired certificates and everything would still work fine.  Good to know.

I tested the install update on my "test PC" and it worked fine.   I then installed it in production and is working.  Now if the Test Cert. is a timebomb that will stop working because it is a test - I don't know.

Well, in CertMgr I can find some with no names that expire a year from today.  I exported the most recent one.
Jacques Bourgeois (James Burger), President, Commented:
Happy to see that you have something that works.

Good luck for the future.

Once you move to a newer version of Visual Studio, things will be easier.
sqdperu, Author, Commented:
Before I got it to work, I had already submitted for a paid support call to Microsoft.  I will be communicating with them today to let them know what I have done and see if there are any pitfalls to using the Test certificate (in my situation).  I'll let you know what they say and then accept your solution.  Thanks for all your help and pointing me down the right path.
sqdperu, Author, Commented:
I guess there are no pitfalls in using a test certificate in my situation.  I install the programs myself and they are only used "in house".  So I will be doing that to avoid this incredible certificate hassle.
Also, I'm writing new programs in VB2013 and avoiding the issue all together.

Generating Unsigned Manifests
sqdperu, Author, Commented:
I thank him for taking a lot of time to help me with this issue.