5 October 2010

clickonce deployments

by mo

This is a collection of notes from creating another ClickOnce deployment.

  • sign the manifest files without signing the assemblies.
  • sign manifest with *.pfx files
  • when calling the publish target against msbuild include the cert thumbprint.
<target name="_publish" depends="compile">
  <property name="command.line" value='${base.dir}\src\app\longrangemodel.ui\longrangemodel.ui.csproj /t:publish /p:UpdateEnabled=true /p:UpdateRequired=true /p:PublisherName="${publisher.name}" /p:ProductName="${product.name}" /p:PublishUrl=${publish.url} /p:InstallUrl=${publish.url} /p:UpdateUrl=${publish.url} /p:Install=True /p:ApplicationVersion=${major.version}.${minor.version}.${build.number}.* /p:ApplicationRevision=${svn.revision} /p:UpdateInterval=1 /p:UpdateIntervalUnits=Minutes /p:UpdateUrlEnabled=True /p:IsWebBootstrapper=True /p:InstallFrom=Unc /p:PublishDir=${publish.dir} /p:ManifestKeyFile="${key.file}" /p:ManifestCertificateThumbprint="${key.file.thumbprint}"' />
  <exec program="${msbuild.exe}" commandline="${command.line}" />
</target>


> msbuild.exe project.csproj /t:publish /p:UpdateEnabled=true /p:UpdateRequired=true /p:PublisherName="Mo Khan" /p:ProductName="Mo's Product" /p:PublishUrl=http://mokhan.ca/publish /p:InstallUrl=http://mokhan.ca/publish /p:UpdateUrl=http://mokhan.ca/publish /p:Install=True /p:ApplicationVersion=1.0.0.* /p:ApplicationRevision=1235 /p:UpdateInterval=1 /p:UpdateIntervalUnits=Minutes /p:UpdateUrlEnabled=True /p:IsWebBootstrapper=True /p:InstallFrom=Unc /p:PublishDir=${publish.dir} /p:ManifestKeyFile="mykey.pfx" /p:ManifestCertificateThumbprint="9DAAADE32307C99743FC74A475D6008370C65642"
  • I’ve been using the Visual Studio project properties panel to dig out the thumbprint from the pfx file.
    • Open project properties, click on the signing tab, check the sign manifests check box, choose the file, then click on more details.
  • You can also specify a /p:SupportUrl=http://mokhan.ca and a shortcut will appear in the start menu to that site.

When you create a ClickOnce deployment, three main files are created.

  • setup.exe - this is the bootstrapper that users should run to install the application. It checks whether you have the prerequisites required to run the application. If you do not, you can have it automatically download and install them for you.
  • .application - this file keeps track of the current version of the application. I believe each time the application is started it checks this file to see if there is a newer version of the application. This file has to be hosted somewhere that each user will have access to like on the web (http) or over a local Intranet (UNC).
  • .manifest - this file keeps track of each of the files that need to be deployed with a specific version of the application.

clickonce deployment folder structure (server)

- /public
	- /Application Files
		- {PROGRAM}_1.0.0.1000
			- {PROGRAM}.exe.manifest
			- ... rest of the files to deploy with this version
		- {PROGRAM}_1.0.0.2000
			- {PROGRAM}.exe.manifest
			- ... rest of the files to deploy with this version
	- {PROGRAM}.application
	- setup.exe

Deployment on the client

  • I used procmon.exe to trace down where the application is installed on the client machine.
  • On my machine the app was installed to: C:\Users\mkhan\AppData\Local\Apps\2.0\XXLBODCL.D2T\W0JYK67Z.2QC\long..


“Publisher certificates come in two flavors—self-generated or third-party–verified (by Verisign, for example). A certificate is issued by a certificate authority, which itself has a certificate that identifies it as a certificate issuing authority. A self-generated certificate is one that you create for development purposes, and you basically become both the certificate authority and the publisher that the certificate represents. To be used for production purposes, you should be using a certificate generated by a third party, either an external company like Verisign or an internal authority such as your domain administrator in an enterprise environment.” - MSDN

We should use a certificate that was generated by a domain administrator for production deployment. You can use ‘certmgr.exe’ to manage certificates in the store on your machine.


Deploying to production

When signing a clickonce install with a cert issued by a cert server, you must have the pfx file installed on your local machine in the Current User Certificates store.

  • mmc.exe
  • File -> Add/Remove Snap In…
  • Certificates
  • Add
  • Current User

Then deploy from your machine using msbuild.

To bypass the pesky security warning dialog you need to ensure the following:

“To be considered a trusted publisher, the publisher certificate must be installed in the Trusted Publishers certificate store on the user’s machine, and the issuing authority of the publisher certificate must have their own certificate installed in the Trusted Root Certification Authority certificate store.” - MSDN

  1. Make sure the cert (pfx) is installed into your “Personal/Certificates” store.
  2. Make sure that the cert was issued by the Root Certification Authority.
  3. Make sure that the cert is installed into “Trusted Publishers/Certificates” under (Local Computer).

If the cert is not installed into the Trusted Publishers store, the security dialog will pop up and show a publisher name that is the same as the “Issued To” value in the cert. All of this can be viewed in mmc.exe by adding the “Certificates” snap-in.
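The three checks above can also be scripted instead of clicked through in mmc.exe. The following PowerShell script is an added example, not part of the original notes: it reads the thumbprint from the pfx (the value passed as ManifestCertificateThumbprint) and reports whether each store precondition holds on the machine where it runs. The `$PfxPath` parameter, the `Test-InStore` helper and the output property names are assumptions made for illustration; it needs PowerShell 3.0 or later.

```powershell
# Added example, not from the original post. Run it on the machine you want to check.
# $PfxPath is a placeholder for your own signing key file (the ManifestKeyFile).
param([Parameter(Mandatory = $true)][string]$PfxPath)

# Load the certificate; Get-PfxCertificate prompts if the file is password protected.
$cert  = Get-PfxCertificate -FilePath $PfxPath
$thumb = $cert.Thumbprint   # value to pass as /p:ManifestCertificateThumbprint

# Build the certificate chain without revocation lookups to find the issuer at the top.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = $chain.Build($cert)

# For a self-signed or partial chain the top element is the signing cert itself.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$problems = @($chain.ChainStatus | ForEach-Object { $_.Status })

# Hypothetical helper: the Cert: provider addresses a certificate by its thumbprint.
function Test-InStore([string]$Store, [string]$Thumbprint) {
    Test-Path -Path "$Store\$Thumbprint"
}

[pscustomobject]@{
    Subject             = $cert.Subject        # the "Issued To" name shown in the dialog
    Issuer              = $cert.Issuer
    Thumbprint          = $thumb
    NotAfter            = $cert.NotAfter
    InPersonalStore     = Test-InStore 'Cert:\CurrentUser\My' $thumb
    InTrustedPublishers = Test-InStore 'Cert:\LocalMachine\TrustedPublisher' $thumb
    ChainBuilds         = $chainOk
    TopOfChainSubject   = $top.Subject
    TopOfChainInRoots   = Test-InStore 'Cert:\LocalMachine\Root' $top.Thumbprint
    ChainProblems       = $problems -join ', '
}
```

A self-generated development certificate typically shows `ChainBuilds = False` with `UntrustedRoot` in `ChainProblems`, which is the case where the security dialog still appears.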


  • When installing the app using a low-privileged account I got the following error.

    Unable to install or run the application. The application requires that assembly Microsoft.Windows.Design.Extensibility Version 3.5.00 be installed in the Global Assembly Cache (GAC) first.

I found the following solution on stackoverflow. ClickOnce is a great technology for releasing updates in to the wild quickly and easily, but it sure sucks to set up.

I got the error a few times for different assemblies. Updating its status from prerequisite to include seems to have fixed the problem.

  • I had an issue where I was getting an error when installing the clickonce app with limited privileges, and a win xp box where it was saying an app with the same identity has already been installed. I checked add/remove programs and our app wasn’t there, then I checked where the clickonce apps are installed and it was there. So I cleared out the folder, re-ran the setup.exe and it worked.