I wrote an SL5 application. I signed it with a Thawte code-signing certificate. I set the registry key that allows it to run inside the browser.
When I check HasElevatedPermissions I get false. If I install the certificate in Trusted Publishers I get true.
But my application will be used by end users and I can't tell them "install this certificate into Trusted Publishers".
What is wrong?
Any advice?
You shouldn't have to tell them to install into Trusted publishers, as the root certificate should already be there for Thawte. Try installing on a different machine and see if you get the same results.
When installing OOB with a valid cert, the install dialogs will look different than with an invalid cert. Does it look like a valid cert or not when you install? It should, of course.
Also, make sure you check the "Require elevated trust when running outside the browser" checkbox in the OOB settings.
Greg
I tested it on 3 different machines (Win 7, Windows Server 2008 and Windows 8).
In Certificate Manager, the Trusted Publishers list is empty.
When I install OOB, the cert seems valid (it shows the company name as well).
I also checked "Require elevated trust when running outside the browser" and in browser.
Related
I am working on a WPF app but could not make it a trusted app after publishing it with ClickOnce. I looked at many posts with similar issues, signed the ClickOnce manifest, installed the certificate, created a test certificate and finally made the app trusted by my own computer. However, when I install the app on other computers, it is still not trusted by those machines. Does it mean I should ask every user who uses my app to install the same certificate (.cer file) first? But even after installing the certificate and recognizing the publisher name, some computers still prompt a security alert like "Windows protected your PC".
So I wondered, how does it work when the computer system recognizes a trusted/unknown publisher? As my app is not a commercial product, and it runs offline most of the time (I only have a MySQL database on a cPanel provided by GoDaddy to store user login information and some user input data), besides purchasing a valid certificate, is there any other way to work around it? If there is, what are the appropriate ways to do it?
Can anyone explain a little bit or provide any source? Thanks in advance!
The certificate that was used to sign the ClickOnce application must be configured in the Trusted Publishers certificate store on all user machines.
Also the certificate must be purchased from a trusted authority that is a member of the Microsoft Trusted Root Certificate Program: https://social.technet.microsoft.com/wiki/contents/articles/37425.microsoft-trusted-root-certificate-program-participants-as-of-march-9-2017.aspx
Please refer to the following link for more information about this.
WPF Application Deployment using ClickOnce with trust certificate
You mentioned "Windows protected your PC" so we're most probably talking about a SmartScreen issue here. RobinDotNet explained the oddities of ClickOnce and Windows SmartScreen in all detail in her blog posts Windows 8 and ClickOnce : the definitive answer and Windows 8 and ClickOnce : the definitive answer revisited.
As mm8 pointed out in his answer you need a certificate from a valid Certificate Authority.
Besides signing the manifests you need to sign the application executable as well. Since you have a WPF application you will have to do this AfterCompile (at least this was true for VS2012).
My favourite part: You need to earn some magical reputation by people selecting the "Run anyway" option. For our ClickOnce application the SmartScreen message went away after a few days.
How do I make the warning go away that my app is unsafe to install when side loading?
Do I have to create a certificate? This app is never intended to be released in the Windows Store. I read on MSDN that there is a test certificate shipped with every VS project, so not sure why this warning exists.
How do I make the warning go away that my app is unsafe to install when side loading?
I think there is no way to make it go away.
Do I have to create a certificate?
Yes, otherwise it will fail when you package your UWP app. And if the certificate is not installed on your device, your app cannot be installed in sideload mode.
so not sure why this warning exists.
Because our test certificate is not a Microsoft-trusted certificate. Certification is used for recognizing the developer of this app; for sideload, we only need a self-trusted certificate or a business uniform pfx.
Update: Where to choose the certificate:
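The self-trusted certificate route from the answer above, as an added example that is not part of the original thread: it creates a self-signed code-signing certificate on the developer machine, signs the package, and then trusts that one certificate on the target PC so the package sideloads. The publisher name, file names and password are placeholders (assumptions), and the commands need the Windows SDK's signtool.exe on the PATH. Because this puts a self-signed leaf certificate into the machine's Trusted People store, only do it on machines you control; it is not a substitute for a CA-issued certificate on end-user PCs.

```powershell
# Added example (not from the thread): self-signed certificate for UWP sideloading.
# Assumed values: publisher CN, file names and password are placeholders for your own.
$publisher   = 'CN=Contoso Dev'      # must equal Identity/@Publisher in Package.appxmanifest
$pfxPassword = ConvertTo-SecureString 'change-me' -AsPlainText -Force   # assumption: use your own secret

# --- Developer machine ---
# Code-signing EKU (1.3.6.1.5.5.7.3.3) and a Basic Constraints extension with no CA flag,
# which is the shape Windows expects for a package-signing certificate.
$cert = New-SelfSignedCertificate -Type Custom -Subject $publisher -KeyUsage DigitalSignature `
    -FriendlyName 'Contoso sideload signing' -CertStoreLocation 'Cert:\CurrentUser\My' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3', '2.5.29.19={text}')

# The PFX (private key) stays on the build machine; only the .cer ships alongside the package.
Export-PfxCertificate -Cert $cert -FilePath .\sideload.pfx -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath .\sideload.cer | Out-Null

# /fd must match the hash algorithm the package was built with (SHA256 is the MakeAppx default).
& signtool sign /fd SHA256 /a /f .\sideload.pfx /p 'change-me' .\App.appx
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# --- Target PC (run from an elevated session) ---
# The package installs only if its signing certificate is trusted by the machine.
# Trusted People is the narrowest place to put it: it trusts exactly this leaf
# certificate rather than introducing a new root that can sign anything.
Import-Certificate -FilePath .\sideload.cer -CertStoreLocation 'Cert:\LocalMachine\TrustedPeople' | Out-Null
Add-AppxPackage -Path .\App.appx
```

The "unsafe to install" warning is about trust in the publisher, so the two halves above are deliberately separate: signing happens where the private key lives, trusting happens on each client, and nothing here makes a self-signed certificate trusted on a machine where you have not explicitly installed it.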
If a certificate is from a CA (e.g. GoDaddy, Verisign), does the certificate need to be installed on a client machine?
I have a Silverlight application that needs elevated privileges and will be installed on numerous client sites. I'm also trying to minimize the installation at each of the sites (100s of deployments per site with the application hosted locally at each site).
I believe the registry changes can be deployed via a group policy update.
If the certificate still needs to be deployed, is there a value of having a certificate from a CA over a self-signed application when the primary goal is minimizing local site administration?
Yes, if a certificate is from a CA, the certificate does need to be installed on the client machine. That said, however, Microsoft does already install many root certificates and keeps this list up to date with root certificate updates. See the Root Certificate Membership List.
GoDaddy and Verisign are currently a part of this list, so doing an extra step should be unnecessary on a computer which is up to date. This is not always the case, so it still might be required on some machines.
All that said, to run Silverlight in elevated privilege mode, the user must simply click that they 'trust' the application at install time. See MSDN Trusted Applications
Taking the time to get a signature from a CA only buys your users a bit of extra peace of mind when they click the button, as
They will see this:
Instead of:
If the goal is minimizing local site administration, then I don't see that going through the trouble of getting a certificate to sign your application would meet that goal; it's only there to help provide some security for your users, which doesn't sound like it would be an issue.
Sorry for my bad English (and for the newbie question). I have a Silverlight 4 OOB application that requires elevated trust to run. CheckAndDownloadUpdateAsync only works in this case if my XAP is signed. Is there a problem if I deploy my app using the "test certificate" that I can create in Visual Studio? CheckAndDownloadUpdateAsync works fine and I prefer not to buy a certificate only for this... Also, what will happen when the certificate expires? Would the user have to go to my page and explicitly update the app since it would be a new (renewed) certificate?
Also, what kind of certificate would I need to buy for this and what advantages do I have in doing so?
You can deploy without any issues using the test certificate as you have done. The drawback of using a test certificate over one you purchase really is just what appears in the UAC dialog when the user installs the OOB application. With a test certificate, it tells the user that "unknown publisher" is trying to install software, whereas with a purchased certificate, your company name will show up. Depending on your user base this may or may not be important.
As for what happens when the certificate expires, you can renew the certificate and re-deploy your XAP. These renewal instructions should work (even though they are talking about ClickOnce and not silverlight, the same principles apply).
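The sign, verify and renew cycle discussed in this question and answer, as an added example that is not part of the original thread: it signs the XAP with signtool, verifies the signature the way the install dialog's publisher check depends on, and reports how long the signing certificate remains valid so you know when to renew and redeploy. The XAP and PFX paths, the password and the timestamp server URL are placeholders (assumptions), and signtool.exe from the Windows SDK is assumed to be on the PATH.

```powershell
# Added example (not from the thread): sign a Silverlight XAP for elevated-trust OOB
# deployment and check the signing certificate's validity window.
# Assumptions: signtool.exe is on PATH; the paths, password and TSA URL are placeholders.
param(
    [string]$Xap          = '.\MyApp.xap',
    [string]$Pfx          = '.\codesign.pfx',
    [string]$PfxPassword  = 'change-me',                     # assumption: supply your own securely
    [string]$TimestampUrl = 'http://timestamp.digicert.com'  # assumption: any Authenticode timestamp server
)

# 1. Sign. The /t timestamp records when the signature was made, so the signature on an
#    already-deployed XAP remains valid after the certificate's NotAfter date; a renewed
#    certificate is still needed to sign the next build you deploy.
& signtool sign /v /f $Pfx /p $PfxPassword /t $TimestampUrl $Xap
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 2. Verify with the default Authenticode policy (/pa). A signature that does not verify
#    here, or that chains to an untrusted root, is what shows up as "Unknown Publisher"
#    in the OOB install dialog.
& signtool verify /pa /v $Xap
if ($LASTEXITCODE -ne 0) { Write-Warning 'Signature does not verify: expect "Unknown Publisher" on install' }

# 3. Read the certificate out of the PFX and report how much validity is left.
function Get-SigningCertStatus {
    param([string]$PfxPath, [string]$Password)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password)
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        RenewSoon  = ($daysLeft -lt 30)   # assumption: 30 days is an arbitrary lead time
    }
}

Get-SigningCertStatus -PfxPath $Pfx -Password $PfxPassword
```

The test certificate Visual Studio generates goes through exactly the same signtool steps; the only difference is that step 2 will report an untrusted chain on any machine where that test certificate has not been installed, which is the "unknown publisher" case the answer describes.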
In Silverlight 5 beta, it supports trusted applications which allow loading local files. I tried it and it works fantastically in both OOB and in-browser mode. One question is that, when I put my XAP on the server, it works fine in OOB mode but doesn't work in the browser. I think debugging locally and deployment are different. Is there a way to request the trust in the browser as I tried locally?
Thanks,
Howard
There are a number of steps needed:-
The XAP needs to be signed using a code-signing certificate
Then on the client machine
A tweak to the registry on the client machine that needs to run a trusted app in-browser
The code signing certificate then needs to be installed on the client machine.
Those last two in a real world deployment would be configured using a Group Policy.
See the Beta document topic How to: Enable Trusted Applications to Run Inside the Browser.
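The two client-side steps listed above (the registry tweak and the certificate in Trusted Publishers), as an added example that is not part of the original answer and also covers the HasElevatedPermissions-returns-false question at the top of the page. It assumes the XAP is already signed, that .\publisher.cer is the exported public certificate of the signing key (no private key), that the registry value is the one named in the MSDN topic cited above, and that it runs from an elevated 64-bit PowerShell session. The final function is the check a practitioner runs before asking why the application does not get elevated trust in the browser.

```powershell
# Added example (not from the thread): enable a signed Silverlight 5 elevated-trust
# application to run in the browser on a client machine, then verify both prerequisites.
# Assumptions: .\publisher.cer is the signer's public certificate; run elevated, 64-bit host.
param(
    [string]$CerPath = '.\publisher.cer'   # assumed path to the exported public certificate
)

$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# 1. Registry switch from the MSDN topic. 32-bit browsers on 64-bit Windows read the
#    Wow6432Node view, so both views are set when the OS is 64-bit.
$keys = @('HKLM:\SOFTWARE\Microsoft\Silverlight')
if ([IntPtr]::Size -eq 8) { $keys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Silverlight' }
foreach ($key in $keys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'AllowElevatedTrustAppsInBrowser' -Value 1 -Type DWord
}

# 2. Put the publisher's certificate into LocalMachine\TrustedPublisher.
#    The .NET X509Store API is used so this also works on Windows 7, which lacks Import-Certificate.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'TrustedPublisher', 'LocalMachine'
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# 3. Verify both prerequisites; returns $true only when everything is in place.
function Test-SilverlightInBrowserTrust {
    param([string]$Thumbprint, [string[]]$RegistryKeys)
    $ok = $true
    foreach ($key in $RegistryKeys) {
        $value = (Get-ItemProperty -Path $key -Name 'AllowElevatedTrustAppsInBrowser' -ErrorAction SilentlyContinue).AllowElevatedTrustAppsInBrowser
        if ($value -ne 1) { $ok = $false; Write-Warning "$key : AllowElevatedTrustAppsInBrowser is not 1" }
    }
    $found = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $found) { $ok = $false; Write-Warning "Thumbprint $Thumbprint is not in LocalMachine\TrustedPublisher" }
    return $ok
}

Test-SilverlightInBrowserTrust -Thumbprint $cert.Thumbprint -RegistryKeys $keys
```

Both settings are machine-wide trust decisions, which is why the answer points at Group Policy for real deployments: the registry value enables elevated trust in the browser for every signed application whose publisher is in that store, so only certificates you actually control should be added to it.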