WPF Clickonce update failing - Why is Trust Not Granted? - wpf

Trying to get a ClickOnce application to work correctly, but I keep encountering the "Trust Not Granted" exceptions, and I'm not yet seeing why this is happening.
The EXE is signed with a code signing certificate from VeriSign, both by setting the "Sign the ClickOnce manifests" option in the Signing tab, as well as implementing the pre-publish approach metioned here: http://robindotnet.wordpress.com/2013/02/24/windows-8-and-clickonce-the-definitive-answer-2/ . I have verified that the certificate is installed on the client machine correctly. I have verified that my EXE is signed after the build as well.
I have taken the same approach with setting explicit trusts as this StackOverflow answer: https://stackoverflow.com/a/16816341/97879
I am presently deploying to a network share, and that is the expected path for updates until we're prepared to take this application to production.
My application can see that there is an update available, but then fails when trying to update. This happens the same way on both Windows 7 and 8 machines.
What am I missing?

Related

How can i generate windows certificate so my msi doesn't shows warning to users [duplicate]

This question already has answers here:
How can I stop my installer from triggering Windows 10's "This app has been blocked for your protection" error?
(2 answers)
Closed 3 years ago.
I am new to windows development. I packed my project into a msi setup to install on other systems but when I open the msi in any system it shows a warning as attached . How can I remove this warning?
Note: Be sure to check if your organization already has an EV-level certificate? Just a few emails or phone calls might be wise before trying to research the purchase process?
Trust & Reputation: What you really need is an EV code-signing certificate. Microsoft's SmartScreen feature
in Windows (which is what you see with that blue prompt) is a
reputation-based system where unknown binaries are flagged as unsafe until they are validated safe by users in actual use.
Virustotal.com: An EV code-signing certificate "buys trust outright" - interesting concept - and should allow your users to not see such a prompt even for brand new binaries. Make sure to check all your binaries using virustotal.com though, as many malware-scanner detections can trigger a resurged smartscreen warning for any binary - which is what it is for (signed malware is still malware).
False Positives: False positives for malware is a huge problem since you have to deal with it and solve it, and you can't just tell your users to rebuild their PC and try again.
Moral: The moral of the story is to use Virustotal.com to test for both malware and false positives in your binaries and files for distribution, and to use an EV-level certificate for serious software distribution to get trust for your binaries outright (without delay). An EV-level certificate is not a silver bullet. Problems can still be seen. Trust can be lost too, not just gained (trust... hard to earn, easy to lose).
Tip: A properly signed MSI will also show up with the correct name in the UAC prompt: Installshield Custom Dialogue Installer (see screen shot and then the answer a bit down the page).
The Far Side Perspective: "Be sure that your setup is malware free or an applied digital certificate is proof positive that you delivered the malware" (until that is hackable too) :-)
We do our best.
Link:
How to protect MSI against modification (on malware and false positives - recommended)
How to add publisher in Installshield 2018
How to pass the Windows Defender SmartScreen Protection?

Diagnosing why a custom shell on Windows 10 IoT gives black screen

I am configuring Windows 10 Enterprise (IoT) to run a custom shell, but running into the "Black screen with nothing other than a cursor" phenomena.
My application - a .Net4 Winforms app - is installed and runs fine from the desktop.
I can launch it as a custom shell via a batch file as per the comments here: How to run an application as shell replacement on Windows 10 Enterprise
But setting my app as a custom shell, I just get the black screen.
I note the comments in the above link about applications being signed, but I have tried two mini test applications (also .net winforms), one signed, one not, and both run fine as custom shells. (My application has several dependencies, not all of which are signed, so to sign it would mean going through the ILMerge mill or similar which I would rather avoid if I can.)
I don't expect people to be able to tell me why my app doesn't run (although that would be nice!) but I am looking for ways of diagnosing this. Looking in event logs, etc, is yielding no information whatsoever. My app keeps its own event log, which is not showing any evidence of the app starting.
Thanks in advance
Problem solved:
If a shell application requires elevated permissions, UAC must be turned off. Turning off notifications via the control panel is NOT sufficient, as UAC is still running in the background - it just doesn't notify you! To completely turn off UAC, edit registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System and set the DWORD value EnableLUA to 0
Evidence of UAC behaviour can be found in the windows event log at:
Applications And Services Logs -> Microsoft -> Windows ->UAC

ClickOnce issue with Corporate IT client

So I am having some difficulty with our WPF ClickOnce deployment. I knew that we would run into issues when our clients from coporations with complex IT policies started installing. Up to this point, I have not had an issue. The application itself has a prerequisite of .NET 4.5 – which I know requires administrator privileges. Here is the error that the client is sending to me:
“C:\documents and settings\gdevlin\local settings\Temporary Internet Files\content.ie5\9wkrp310\setup[1].exe
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.”
Seems pretty obvious to me. They have of course consulted their IT dept and they confirm that there should be no problems and that they have sufficient permissions. They did note that the setup.exe file is empty – that file should be around 430 kb.

Do you want the application to accept incoming network connection?

I have two C binaries which tries to open network connection for communication.
This is for external communication. When i run that for the first time, OS X' firewall pops up the message as given in title. How can I get rid of this?
I suspect this is related to code-signing? How to do code-sign this binary?
Basically I have to build this binary in one Mac machine, and distribute outside app store.
How can I get rid of the firewall pop up if the OS X firewall is enabled in the machine?
You can resolve this by signing the offending application binary yourself.
Disclaimer: Signing an application yourself will make an application appear more
secure to the operating system, when in reality it isn’t. Only sign applications
that you are 100% sure are not spyware or otherwise malicious. If you have any
doubts, just uninstall/reinstall.
Part 1: Create a Signing Identity
The solution I’m going for – signing the app myself – requires that I create a Signing Identity, also known as Signing Certificate. This is very easy to do:
Open Applications > Utilities > Keychain Access.
From the Keychain Access menu, choose Certificate Assistant > Create a Certificate.
Fill in a name for the certificate. This name appears in the Keychain Access utility as the name of the certificate. This is also the name you will use when referencing this certificate. Personally, I used the name, “My Signing Identity.”
Choose Code Signing from the Certificate Type menu.
Choose Self Signed Root from the Type popup menu.
Check the Let me override defaults checkbox.
Click Continue.
Specify a serial number for the certificate. Any number will do as long as you have no other certificate with the same name and serial number.
Click Continue.
Fill in the information for the certificate. You can use real or fake data, I used real data personally.
Click Continue.
Accept the defaults for the rest of the dialogs.
Once completed, you will see your certificate in Keychain Access. Verify the name you picked, and you’re done with this step. Well done!
Step 2: (Re-)Sign your application
Now you have to sign your application. To do this, open up Terminal again and use the following command:
codesign -s "My Signing Identity" -f /path/to/your/binary/app
A dialog will appear, click "Allow".
Now start your application again. You will get the accept incoming connections dialog one last time. Click "Allow".
From now on you should no longer get the warnings anymore! Now it is possible to enjoy the security of your firewall being active without the inconvenience of having to click "allow" constantly.
Credit: The original source which served as a starting place for this updated and annotated solution guide was http://silvanolte.com/blog/2011/01/18/do-you-want-the-application-to-accept-incoming-network-connections/
In my case this alert appeared when i run Python project from PyCharm after updating MacOS to 10.15 Cataline. I fixed it with
codesign -vvv /Applications/PyCharm.app/
I was trying to apply this solution to fix python as used by Arduino OTA, I found another solution describing self-signing the app that stated $(which python) as the file path to sign, but in my case that resolved to /usr/bin/python. Self-signing this not only required I drop to Rootless mode to allow writing to /usr/bin, but when I went back and tested it, python was STILL asking for permission to allow incoming connections!
The correct python file to self-sign is in fact (in my case at least) /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app
Once I self-signed this correct file path, the Arduino OTA process no longer required me clicking allow incoming connections - Hoorah!
Hope that helps someone.

IIS related System.ExecutionEngineException

After too many hours of research I have come up with nothing to solve this problem.
I am running a WPF program in an .xbap page file being hosted on internet explorer. Running the project in Visual Studio 2010 works just fine and generates no errors.
I want to be able to host the webpage on IIS 7.0 and to browse to it with a windows forms application. To test this I created a new website on port 80 in IIS manager. I then published the project to the local website folder and added the autogenerated project certificate file (projectName_TemporaryKey.pfx) to my Trusted Publishers and Trusted Root Certification Authorities.
My problem is this: whenever I try to browse to the file with internet explorer or with my windows forms program, the wpf program stops working. When pulling up the just-in-time debugger, I am informed that there is a System.ExecutionEngineException but am given no source code, no stack trace, and no data outside of an empty Dictionary enumerable. My guess is that this might have something to do with the database call made in the program to another machine, but I can't prove that.
I've tried several things to solve this including repairing my .NET 4.0 framework and altering permissions but nothing seems to be affect the error.
Does anyone know of a way to get more information on this error, or perhaps a step I may have missed when publishing this project?
Thanks very much.
Some things to check:
Windows event log often includes additional exception information (although usually in an awful format)
Output some trace information from your application so you can follow what's happening
Try attaching a debugger to the WPFHost and then stepping through the code

Resources