I am trying to sign the ClickOnce application using a Sectigo SHA384 EV certificate with the SafeNet client.
Below is a snapshot from SafeNet.
Steps I am following:
PLEASE NOTE: the CSP in SignTool is the CSP in the SafeNet client, while the CSP in Mage is the KSP in the SafeNet client. Mage was not signing otherwise.
I am using VS 2022, but not using its UI to sign anything during publish. I am signing the ClickOnce artifacts afterward.
SignTool version 10.0.22621.2428 and Mage version 4.8.9032.0, used from location C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8.1 Tools
# $certPath is assumed to hold the path to the exported certificate file (set earlier in the script)
# STEP 1: Signing the exe file
signtool.exe sign /v /fd "SHA256" /as /f $certPath /csp "eToken Base Cryptographic Provider" /kc "[{{tokenpass}}]=Sectigo_xxxxxxxxxxx" /td "SHA256" /tr "http://timestamp.sectigo.com" "c:\publish\1.0.0.0\App.exe"
# STEP 2: Updating the file hashes in the application manifest file
mage.exe -Update "c:\publish\1.0.0.0\App.exe.manifest" -FromDirectory "c:\publish\1.0.0.0" -Algorithm "sha256RSA"
# STEP 3: Signing the application manifest
mage.exe -Sign "c:\publish\1.0.0.0\App.exe.manifest" -CertFile $certPath -CryptoProvider "SafeNet Smart Card Key Storage Provider" -KeyContainer "[{{tokenpass}}]=Sectigo_xxxxxxxxxxx" -TimestampUri "http://timestamp.sectigo.com" -Algorithm "sha256RSA"
# Verify the signed application manifest
mage.exe -Verify "c:\publish\1.0.0.0\App.exe.manifest"
# STEP 4: Updating the deployment manifest with the location and hash of the application manifest
mage.exe -Update "c:\publish\App.application" -AppManifest "c:\publish\1.0.0.0\App.exe.manifest" -Publisher "Test Publisher"
# STEP 5: Signing the deployment manifest
mage.exe -Sign "c:\publish\App.application" -CertFile $certPath -CryptoProvider "SafeNet Smart Card Key Storage Provider" -KeyContainer "[{{tokenpass}}]=Sectigo_xxxxxxxxxxx" -TimestampUri "http://timestamp.sectigo.com" -Algorithm "sha256RSA"
# Verify the signed deployment manifest
mage.exe -Verify "c:\publish\App.application"
# STEP 6: Copy the deployment manifest to the versioned path
Copy-Item "c:\publish\App.application" "c:\publish\1.0.0.0\App.application"
# STEP 7: Sign the bootstrapper file
signtool.exe sign /v /fd "SHA256" /as /f $certPath /csp "eToken Base Cryptographic Provider" /kc "[{{tokenpass}}]=Sectigo_xxxxxxxxxxx" /td "SHA256" /tr "http://timestamp.sectigo.com" "c:\publish\setup.exe"
I have also checked that the publisher name in the Visual Studio description is "Test Publisher", which matches whom the certificate is issued to.
I am getting an "Unknown Publisher" pop-up.
I am also getting a SmartScreen blocker while installing the ClickOnce application.
I was hoping for a clean install with a known publisher and without any SmartScreen warning. That is why I chose an EV certificate.
I have also checked the certificate; it is valid and has a proper chain.
It was something with the Sectigo timestamp URL; the DigiCert timestamping URL fixed the "unknown publisher" problem. It is perfectly okay to use a timestamp URL across signing authorities.
I misunderstood it when I said I had an EV certificate. It was actually an OV certificate, and the SmartScreen pop-up is well anticipated there until it starts gaining trust slowly.
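A post-signing check over the output of the steps above, added here as an example that is not part of the original question or answer. It assumes the same publish paths, version folder and publisher name as the commands in the post, that mage.exe is on PATH, and that mage -Verify returns a non-zero exit code on failure; it flags exactly the things that produce "Unknown Publisher": a missing or untrusted timestamp, a signer CN that differs from the advertised publisher, and a deployment manifest copy that no longer matches what was signed.

```powershell
# Added verification script, not part of the original post. Paths, version and the
# expected publisher name are assumptions; adjust them to your own publish layout.
param(
    [string]$PublishDir = "c:\publish",
    [string]$Version = "1.0.0.0",
    [string]$ExpectedPublisher = "Test Publisher"   # CN the certificate was issued to (assumed)
)
$problems = New-Object System.Collections.Generic.List[string]

# 1. Authenticode on the PE files: status Valid, signer CN equal to the advertised publisher,
#    and a timestamp countersignature so the signature stays valid after the certificate expires.
foreach ($exe in @("$PublishDir\$Version\App.exe", "$PublishDir\setup.exe")) {
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -ne 'Valid') { $problems.Add("${exe}: $($sig.Status) - $($sig.StatusMessage)"); continue }
    $cn = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
    if ($cn -ne $ExpectedPublisher) { $problems.Add("${exe}: signer CN '$cn' is not '$ExpectedPublisher'") }
    if (-not $sig.TimeStamperCertificate) { $problems.Add("${exe}: no timestamp countersignature") }
}

# 2. Manifests: mage must verify each one (assumes a non-zero exit code on failure), and the
#    publisherIdentity element that mage -Sign wrote must carry the same CN.
$cnPattern = 'CN=' + [regex]::Escape($ExpectedPublisher) + '(,|$)'
foreach ($m in @("$PublishDir\$Version\App.exe.manifest", "$PublishDir\App.application")) {
    & mage.exe -Verify $m | Out-Null
    if ($LASTEXITCODE -ne 0) { $problems.Add("${m}: mage -Verify failed") }
    $doc = [xml](Get-Content -Path $m -Raw)
    $identity = $doc.assembly.publisherIdentity
    if (-not $identity -or $identity.name -notmatch $cnPattern) {
        $problems.Add("${m}: publisherIdentity '$($identity.name)' does not carry CN=$ExpectedPublisher")
    }
}

# 3. Deployment manifest: the asmv2:publisher attribute is the publisher name set in Visual Studio
#    (the -Publisher value passed to mage -Update), so keep it consistent with the certificate CN;
#    and the versioned copy must be byte-identical to the signed root copy.
$deploy = [xml](Get-Content -Path "$PublishDir\App.application" -Raw)
$shown = $deploy.assembly.description.GetAttribute('publisher', 'urn:schemas-microsoft-com:asm.v2')
if ($shown -ne $ExpectedPublisher) { $problems.Add("App.application: description publisher '$shown' differs") }
$rootHash = (Get-FileHash -Path "$PublishDir\App.application").Hash
$copyHash = (Get-FileHash -Path "$PublishDir\$Version\App.application").Hash
if ($rootHash -ne $copyHash) { $problems.Add("Versioned App.application differs from the signed root copy") }

if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "All ClickOnce artifacts verified for publisher '$ExpectedPublisher'."
```

Run it after the last signtool step; a non-zero exit with the listed warnings tells you which artifact to re-sign before publishing.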