I’m trying to understand the signing process of .NET applications. I’m working with Visual Studio 2008 & 2010 and on the property page of the project we have a tab page named Signing. I believe this page allows me to sign my ClickOnce manifest and/or my assembly. After installing my applications on client computers I was hoping the exe files were signed but it does not seem to be the case (right click on installed .exe file on client computer and choose properties, we don’t have any Digital Signatures tab).
After some search I read this: The Signing tab under a Visual Studio project’s Properties page allows you to sign ClickOnce manifests, as well as to perform strong-name signing on assemblies. However, it has nothing to do with signing the executables of an application.
Can someone explain to me why signing through Visual Studio did not give a digital signature on my .exe files?
Thank you in advance.
An Authenticode signature for a ClickOnce application’s manifests is used to verify the authenticity of the application’s publisher, and also to provide assurance that the ClickOnce application hasn’t been tampered with since it was signed.
In ClickOnce, it’s the application and deployment manifests that are signed rather than the executables. This is because these components are what will be used to install and launch the application. The executables are only run once the application has been installed and launched. If any of the executables (or manifests) are changed after signing, the application will not run.
You can if you wish use a post-build step to sign the application’s executables as well, but this isn’t necessary to provide the Authenticode integrity checks used by ClickOnce.
EDIT: To answer your comment, I would use an assembly strong name to provide the evidence your administrator needs to enforce his policy. It’s simple and effective.
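The answer's point that a changed executable stops the application from running rests on the per-file digests stored inside the signed application manifest. The following is an added example, not part of the original answer and not Microsoft's code: it recomputes those digests for an installed folder and reports files that no longer match. The file names and manifest are constructed sample data, and the check assumes the manifest's own signature has already been validated, which this code does not do.

```python
import base64, hashlib, os, tempfile
import xml.etree.ElementTree as ET

NS = {"asm": "urn:schemas-microsoft-com:asm.v2",
      "dsig": "http://www.w3.org/2000/09/xmldsig#"}
# Digest algorithm URIs handled here; anything else is reported as unsupported.
HASHES = {NS["dsig"] + "sha1": hashlib.sha1, NS["dsig"] + "sha256": hashlib.sha256}

def check_manifest(manifest_xml, app_dir):
    """Map each file the manifest hashes to 'ok', 'modified', 'missing' or 'unsupported'."""
    root = ET.fromstring(manifest_xml)
    # Assemblies appear as dependentAssembly/@codebase, other files as file/@name.
    entries = [(e, e.get("codebase")) for e in root.iterfind(".//asm:dependentAssembly[@codebase]", NS)]
    entries += [(e, e.get("name")) for e in root.iterfind("asm:file", NS)]
    results = {}
    for elem, rel in entries:
        method = elem.find("asm:hash/dsig:DigestMethod", NS)
        value = elem.find("asm:hash/dsig:DigestValue", NS)
        algo = HASHES.get(method.get("Algorithm")) if method is not None else None
        path = os.path.join(app_dir, *rel.split("\\"))
        if algo is None or value is None:
            results[rel] = "unsupported"
        elif not os.path.isfile(path):
            results[rel] = "missing"
        else:
            with open(path, "rb") as f:
                digest = base64.b64encode(algo(f.read()).digest()).decode()
            results[rel] = "ok" if digest == (value.text or "").strip() else "modified"
    return results

def demo():
    """Constructed sample: two files and a matching manifest, then the exe is altered."""
    files = {"MyApp.exe": b"MZ constructed bytes", "settings.xml": b"<settings/>"}
    def hash_xml(data):
        b64 = base64.b64encode(hashlib.sha1(data).digest()).decode()
        return ('<hash><dsig:DigestMethod Algorithm="%ssha1"/>'
                '<dsig:DigestValue>%s</dsig:DigestValue></hash>' % (NS["dsig"], b64))
    manifest = ('<asmv1:assembly xmlns="%s" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:dsig="%s">'
                '<dependency><dependentAssembly dependencyType="install" codebase="MyApp.exe">%s'
                '</dependentAssembly></dependency><file name="settings.xml">%s</file></asmv1:assembly>'
                % (NS["asm"], NS["dsig"], hash_xml(files["MyApp.exe"]), hash_xml(files["settings.xml"])))
    with tempfile.TemporaryDirectory() as d:
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        before = check_manifest(manifest, d)
        with open(os.path.join(d, "MyApp.exe"), "ab") as f:
            f.write(b"patched")  # any change after publishing breaks the recorded digest
        return before, check_manifest(manifest, d)
```

The executable itself carries no embedded signature in this scheme, which is why Explorer shows no Digital Signatures tab even though the manifest still detects the change.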