Trust Not Granted to Full Trust XBAP Signed With Certificate - wpf

I have an XBAP which needs Full Trust to run. I have had it working on a number of client machines by adding a temporary certificate to the Trusted Root Certification Authorities and Trusted Publishers. This is fine on a small scale, but I really don't want to have to do this on every machine where the app will be used.
I was under the impression that if I purchased a certificate from certification authority and signed the manifests with this, the app would run with Full Trust, or at least prompt the user with the option to run. This however, does not appear to be the case.
Do I still need to configure each individual machine to allow the app to run with full trust? I am hoping I have simply set it up incorrectly.
Thanks.

Related

How does it work when a computer recognizes a trusted/unknown publisher when installing a WPF App?

I am working on a WPF App but could not make it a trusted App after publishing it with ClickOnce. I looked at many posts with similar issues, signed the ClickOnce manifest, installed the certificate, created a test certificate and finally made the App trusted on my own computer. However, when I install the App on other computers, it is still not trusted by those machines. Does it mean I should ask every user who uses my App to install the same certificate (.cer file) first? But even after installing the certificate and recognizing the publisher name, some computers still show a security alert like "Windows protected your PC".
So I wondered, how does it work when the computer system recognizes a trusted/unknown publisher? As my App is not a commercial product, and it runs offline most of the time (I only have a MySQL database on a cPanel provided by GoDaddy to store user login information and some user input data), besides purchasing a valid certificate, is there any other way to work around this? If there is, what are the appropriate ways to do it?
Can anyone explain a little bit or provide any source? Thanks in advance!
The certificate that was used to sign the ClickOnce application must be configured in the Trusted Publishers certificate store on all user machines.
Also the certificate must be purchased from a trusted authority that is a member of the Microsoft Trusted Root Certificate Program: https://social.technet.microsoft.com/wiki/contents/articles/37425.microsoft-trusted-root-certificate-program-participants-as-of-march-9-2017.aspx
Please refer to the following link for more information about this.
WPF Application Deployment using ClickOnce with trust certificate
You mentioned "Windows protected your PC" so we're most probably talking about a SmartScreen issue here. RobinDotNet explained the oddities of ClickOnce and Windows SmartScreen in all detail in her blog posts Windows 8 and ClickOnce : the definitive answer and Windows 8 and ClickOnce : the definitive answer revisited.
As mm8 pointed out in his answer you need a certificate from a valid Certificate Authority.
Besides signing the manifests you need to sign the application executable as well. Since you have a WPF application you will have to do this AfterCompile (at least this was true for VS2012).
My favourite part: You need to earn some magical reputation by people selecting the "Run anyway" option. For our ClickOnce application the SmartScreen message went away after a few days.
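The two answers above say a client will only treat the publisher as known if the signing certificate chains to a root the machine already trusts and the same certificate sits in Trusted Publishers, and that the executable must be signed as well as the manifests. The following PowerShell function is an added example, not code from any of the answers, that reports those conditions for a ClickOnce deployment manifest or executable so you can see what a client will show before rolling out; it assumes Windows PowerShell 5.1 or later and does not model SmartScreen reputation.

```powershell
# Added example: report what a client will trust for a ClickOnce signer.
# Assumes Windows PowerShell 5.1+ and a signed .application/.manifest or .exe path.
function Test-ClickOnceSignerTrust {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    if ($ext -in '.exe', '.dll') {
        # The executable carries an Authenticode signature (the "sign the exe too" point).
        $cert = (Get-AuthenticodeSignature -FilePath $Path).SignerCertificate
    } else {
        # .application/.manifest files embed the signer cert in an XML-DSig <X509Certificate>.
        [xml]$xml = Get-Content -Path $Path -Raw
        $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
        $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
        $node = $xml.SelectSingleNode('//ds:X509Certificate', $ns)
        if (-not $node) { throw "No XML signature found in $Path" }
        $bytes = [Convert]::FromBase64String($node.InnerText)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    }
    if (-not $cert) { throw "$Path is not signed" }

    # Build the chain as the ClickOnce trust manager would: it must end in a root the
    # machine already trusts and the leaf must carry the Code Signing EKU (1.3.6.1.5.5.7.3.3).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3')) | Out-Null
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk  = $chain.Build($cert)
    $problems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # The install prompt is skipped only when this exact cert is in Trusted Publishers.
    $inTrustedPublishers = [bool](
        Get-ChildItem -Path 'Cert:\LocalMachine\TrustedPublisher', 'Cert:\CurrentUser\TrustedPublisher' -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint })

    $expected = if ($chainOk -and $inTrustedPublishers) { 'No prompt (trusted publisher)' }
                elseif ($chainOk) { 'Prompt shows the publisher name' }
                else { 'Prompt shows "Unknown publisher"' }

    [pscustomobject]@{
        File                = $Path
        Publisher           = $cert.GetNameInfo('SimpleName', $false)
        Thumbprint          = $cert.Thumbprint
        NotAfter            = $cert.NotAfter
        ChainsToTrustedRoot = $chainOk
        ChainProblems       = $problems
        InTrustedPublishers = $inTrustedPublishers
        ExpectedDialog      = $expected
    }
}

# Usage: check both the deployment manifest and the executable it launches.
'.\MyApp.application', '.\MyApp.exe' | ForEach-Object { Test-ClickOnceSignerTrust -Path $_ }
```

Run it on a representative client rather than the build machine, since the build machine usually already has the test certificate installed. Where the report says "Unknown publisher" on a domain-joined fleet, the fix is to push the publisher's .cer into Cert:\LocalMachine\TrustedPublisher (for example with Import-Certificate from a Group Policy startup script) rather than touching each box by hand.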

What is the purpose of a self-signed certificate?

I have developed a WinForms application in VS 2010 using C#.
I created a setup and now face the "publisher unknown" situation when starting the application.
Then I came to know that I need to sign the application with a digital certificate. But I am so confused with creating the certificate. I saw that we can create self certificates using the makecert and cert2spc tools.
While creating the certificate I found a link by googling that says "If you use a test (self-created) certificate, the installation dialogs will display an "Unknown publisher" message".
http://msdn.microsoft.com/en-us/library/ff699202.aspx
So actually, what is the purpose of self-certificate creation?
Please help me to understand this. I am new to this topic; correct me if I have done anything wrong.
Thank You.
There's quite a good explanation on this page:
You can create your own signing certificate with Visual Studio (check out the Signing tab, and that button that says “Create Test Certificate”) or using a program called MakeCert. When you do this, the trust dialog says the publisher is unknown. If you purchase a certificate, the trust dialog will list your company as the publisher. The certificate vendor basically guarantees that you are who you say you are.
My company (GoldMail) uses ClickOnce to deploy our application from a content delivery network to our customers, The Public. We did not want our deployment to say “Unknown Publisher”; we wanted it to say “Published by: GoldMail”. This gives our customers a warm cozy feeling when installing our application from the internet, and provides reassurance that it is coming from our company and not from some guy living in the frozen tundra hacking deployments for fun.
If your application is going to be deployed internally, you might choose to forego the cost of a purchased certificate, because people would know where the application was coming from even if it didn’t specify that on the installation dialogs. You can also choose to install the test certificate on each user’s machine, and the trust dialog will then show the name on the certificate as if it were one purchased from a vendor.
You also might want to use a test certificate if you are deploying your application for specific customers who know you and know the application is coming from you, like if you are writing shareware, or creating an application for your friends and family to use to keep track of what you want for your birthday and Christmas.
Well, a self-signed certificate is the root certificate by which you can create child certificates, and those child certificates are authenticated against the self-signed certificate; being self-signed means that it holds the private key by which it was created.
For instance, when you want to use a certificate on a web site and also want to have it verified by an authentication issuer, you ask an issuer like Verisign for a certificate. So when a user enters your site over https it will recognise that you own a certificate, and the way to verify that the certificate corresponds to your organization is by checking it against the Verisign certificate.
You can create self-signed certificates to emulate the production environment; what you will be doing is faking Verisign's responsibility.

Do I need to install a certificate on a SilverLight client machine if the certificate is from a CA

If a certificate is from a CA (e.g. GoDaddy, Verisign), does the certificate need to be installed on a client machine?
I have a SilverLight application that needs elevated privileges and will be installed on numerous client sites. I'm also trying to minimize the installation at each of the sites (100s of deployments per site with the application hosted locally at each site).
I believe the registry changes can be deployed via a group policy update.
If the certificate still needs to be deployed, is there a value of having a certificate from a CA over a self-signed application when the primary goal is minimizing local site administration?
Yes, if a certificate is from a CA, the certificate does need to be installed on the client machine. That said however, Microsoft does already install many root certificates as well as keeps this list up to date with Root Certificate updates. See the Root Certificate Membership List
GoDaddy and Verisign are currently a part of this list, so doing an extra step should be unnecessary on a computer which is up to date. This is not always the case, so it still might be required on some machines.
All that said, to run Silverlight in elevated privilege mode, the user must simply click that they 'trust' the application at install time. See MSDN Trusted Applications
Taking the time to get a signature from a CA only buys your users a bit of extra peace of mind when they click the button, as they will see this:
[screenshot of the trust dialog with the publisher name; image not preserved]
Instead of:
[screenshot of the "Unknown publisher" trust dialog; image not preserved]
If the goal is minimizing local site administration, then I don't see that going through the trouble of getting a certificate to sign your application would meet that goal; it's only there to help provide some security for your users, which doesn't sound like it would be an issue.

Can I use the "Test certificate" to deploy Elevated trust apps?

Sorry for my bad English (and for the newbie question). I have a Silverlight 4 OOB application that requires Elevated Trust to run. The CheckAndDownloadUpdateAsync only works in this case if my xap is signed. Is there a problem if I deploy my app using the "test certificate" that I can create in Visual Studio? The CheckAndDownloadUpdateAsync works fine and I prefer not to buy a certificate only for this... Also, what will happen when the certificate expires? Would the user have to go to my page and explicitly update the app since it would be a new (renewed) certificate?
Also, what kind of certificate would I need to buy for this and what advantages do I have in doing so?
You can deploy without any issues using the test certificate as you have done. The drawback of using a test certificate over one you purchase really is just what appears in the UAC dialog when the user installs the OOB application. With a test certificate, it tells the user that "unknown publisher" is trying to install software, whereas with a purchased certificate, your company name will show up. Depending on your user base this may or may not be important.
As for what happens when the certificate expires, you can renew the certificate and re-deploy your XAP. These renewal instructions should work (even though they are talking about ClickOnce and not silverlight, the same principles apply).

Looking to build a WPF XBap with full trust, can a purchased certificate get past some of the security issues?

We are developing an application that needs to talk to some hardware (serial port) on the machine, and most of what we do is WPF and .net, so an xbap seems logical.
My concern is with the certificates. I have seen a bunch of people showing how to create and self-sign applications, but then the user is required to install that on their machine manually to trust the root. I am curious if we purchase a cert from, say, Verisign whether that requirement will then go away?
I have no problem if there is a prompt requesting full trust, but I do not want my remote users dealing with installing certificates.
Thanks
If you purchase a code signing certificate from a trusted authority then the users will not need to do anything with certificates.
If your certificate comes from a trusted authority, the users won't generally need to worry about it (where it becomes an issue is if you let your certificate lapse). If you're a member of Code Project, you can get a "cheap" certificate from one of their partners. More information here.
there is a solution here =D
XBAP full trust deployment
Create your own certificate and deploy full trust. 0 cost. If you're looking for something like a secure layer cert, you may head to http://www.comodo.com/business-security/digital-certificates/ssl-certificates.php?entryURL= for free SSL