Channel: Visual Studio Tools for Office (VSTO) forum

Unable to install any add-in signed with sha256RSA certificate


We have Word 2010 add-ins that we have been distributing with our software for some time without problems. However, since we renewed our code signing certificate, we can't deploy any of our add-ins anymore. It always fails with the following exception:

 


System.Deployment.Application.InvalidDeploymentException: Exception reading manifest from file:///C:/Users/abcd/Documents/Visual%20Studio%202012/Projects/WordAddIn1/bin/Debug/WordAddIn1.vsto: the manifest may not be valid or the file could not be opened. ---> System.Deployment.Application.InvalidDeploymentException: Manifest XML signature is not valid. ---> System.Security.Cryptography.CryptographicException: SignatureDescription could not be created for the signature algorithm supplied.
   at System.Security.Cryptography.Xml.SignedXml.CheckSignedInfo(AsymmetricAlgorithm key)
   at System.Security.Cryptography.Xml.SignedXml.CheckSignatureReturningKey(AsymmetricAlgorithm& signingKey)
   at System.Deployment.Internal.CodeSigning.SignedCmiManifest.Verify(CmiManifestVerifyFlags verifyFlags)
   at System.Deployment.Application.Manifest.AssemblyManifest.ValidateSignature(Stream s)
   --- End of inner exception stack trace ---
   at System.Deployment.Application.Manifest.AssemblyManifest.ValidateSignature(Stream s)
   at System.Deployment.Application.ManifestReader.FromDocument(String localPath, ManifestType manifestType, Uri sourceUri)
   --- End of inner exception stack trace ---
   at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.GetManifests(TimeSpan timeout)
   at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()

 

We've pinpointed the problem to the fact that the new certificate uses the sha256RSA signature algorithm, while the old one used sha1RSA. We use that new certificate to sign executables and MSIs as well without any problems. Putting the old cert back (still valid for two weeks) works as well.

By reproducing the problem in its simplest form, we found out that simply creating a new Word 2010 add-in from Visual Studio and setting the signing to our new certificate is sufficient for the VSTO to be unusable on all computers, including on the development machine that just built it (however, launching it via F5 in VS2012 works).

Creating a simple C# application and configuring ClickOnce deployment for it using the same certificate does not present any problem, it only occurs with VSTO deployment.

 

The setup on the development machine is the following:

  • Visual Studio 2012 (therefore .NET 4.5 installed)
  • Office 2010 SP2 (x86)
  • Visual Studio 2010 Tools for Office Runtime (version 10.0.40303)
  • A valid code signing certificate with sha256RSA signature algorithm

While the problem seems similar to http://social.msdn.microsoft.com/Forums/windows/en-US/eba424ae-f7b7-4530-bb68-db3b9972a31e/, it is different in that we already have .NET 4.5 deployed everywhere, and it fails on the development machine as well.

In addition, after a much more detailed investigation, it seems that the VSTOInstaller application always performs the deployment using the .NET 3.5 runtime instead of .NET 4.0. Indeed, looking at the loaded DLL/assemblies in VSTOInstaller.exe when it is displaying the error, Process Explorer shows that it loaded the 2.0 runtime instead of the 4.0. Maybe that explains why it fails on sha256 signatures, no matter what.

Is there a known workaround to that problem? What can we do except get another sha1RSA certificate?
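
An added diagnostic, not part of the original post and not Microsoft's code: it reads a `.vsto` or `.manifest` file and reports the XMLDSig `SignatureMethod` URI of each signature, the value `SignedXml.CheckSignedInfo` was resolving when the exception above was thrown. The function names and the sample manifest are constructed for illustration, and that the manifest's signature method follows the certificate's algorithm is an assumption drawn from the post's observation.

```python
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
# Standard XMLDSig signature-method URIs.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample: a stripped-down manifest holding only the elements
# this check reads. It is not a real build output.
SAMPLE_MANIFEST = """<asmv1:assembly xmlns:asmv1="urn:schemas-microsoft-com:asm.v1">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <Reference URI="">
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      </Reference>
    </SignedInfo>
  </Signature>
</asmv1:assembly>"""


def signature_algorithms(manifest_xml):
    """Return [(signature_method_uri, [digest_method_uris])], one per ds:SignedInfo."""
    root = ET.fromstring(manifest_xml)
    found = []
    # Manifests can nest signatures, so walk every SignedInfo in the tree.
    for signed_info in root.iter(DSIG + "SignedInfo"):
        method = signed_info.find(DSIG + "SignatureMethod")
        uri = method.get("Algorithm") if method is not None else None
        digests = [d.get("Algorithm") for d in signed_info.iter(DSIG + "DigestMethod")]
        found.append((uri, digests))
    return found


def classify(manifest_xml):
    """Summarise a manifest as 'unsigned', 'rsa-sha256', 'rsa-sha1' or 'other'."""
    uris = {uri for uri, _ in signature_algorithms(manifest_xml)}
    if not uris:
        return "unsigned"
    if RSA_SHA256 in uris:
        return "rsa-sha256"  # the algorithm the verifier in the trace could not resolve
    if uris == {RSA_SHA1}:
        return "rsa-sha1"
    return "other"


if __name__ == "__main__":
    import sys
    # Read bytes so an XML declaration or BOM in a real manifest is handled by the parser.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    print(classify(data), signature_algorithms(data))
```

Run it against the `.vsto` and the application `.manifest` from your own build output; both are signed separately, so check each.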



