Visual Studio will not digitally sign a ClickOnce installer for a VB.NET Office add-in with a cryptographic timestamp. I need the cryptographic timestamp so that the installer continues to work, without errors, after the Sectigo code signing certificate expires in August.
When I run the installer now, months before the certificate expires, it works great and shows a known publisher.
When I try to install on a separate laptop with the date set to October (after the cert expires), it says “Publisher cannot be verified” and lists “Unknown Publisher”. “From:” shows the AddIn.vsto file.
Setup.exe properties show both a sha256 signature and a timestamp. That works just fine.
Again, I cannot generate a cryptographically timestamped manifest. I welcome your suggestions.
Environment
Windows 10 Pro, 22H2 on the development and test (October) laptops.
Visual Studio Pro 2022, 64-bit, version 17.9.6 with all the latest updates. Apparently there were Mage problems with signing in 17.3 and earlier, but I’m well beyond that.
The add-in targets .NET Framework 4.8. Apparently VSTO doesn’t support any later .NET versions that might use DotNet-Mage instead of Mage. When I try to run DotNet-Mage on my manifest, outside of VS, it just fails.
Selected References
Signing Page, Project Designer – steps through the signing page – particularly “Application and Deployment Manifest Signing”. It links to the next reference.
Sign application and deployment manifests – This makes signing and timestamping sound easy, including: “Additionally, you can specify the address of a timestamp server in the Timestamp server URL text box. This is a server that provides a timestamp specifying when the manifest was signed. It’s usually provided by the same third party that offers certificates signed by a CA.”
Announcing the .NET Framework 4.7.2 – Announces support for sha256 timestamping, “ClickOnce – Enable SHA256 timestamping of Deployment Manifests”
Observations
The manifest and .vsto files include signatures and a timestamp, but there’s no evidence that it’s a cryptographic timestamp. I found one reference that said I’d see an element in the manifest for a cryptographically timestamped file. It’s never appeared.
Inside Visual Studio, I’ve generally specified the Sectigo timestamp server, http://timestamp.sectigo.com, with and without ?td=sha256.
I’ve tried running Mage separately, with and without the “-a sha256RSA” option.
mage.exe -Sign "AddIn.vsto" -CertHash -TimestampUri http://timestamp.sectigo.com
General Mage request: mage -sign "AddIn.vsto" -CertHash "hash value" -TimestampUri http://timestamp.sectigo.com
I’ve tried specifying the digicert timestamp server just in case that would help. It didn’t.
Just in case VS was picking up an older version of Mage from an earlier framework, I renamed Mage.exe in the NETFX 4.5.1 and 4.0 folders. Still didn’t work.
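To check whether a signed manifest actually carries a cryptographic timestamp (the element the post says it never sees), here is an added Python check; it is not part of the question and not a Microsoft tool. It assumes the timestamp, when present, is a base64-encoded RFC 3161 token in an element with local name `Timestamp` inside the manifest's XML signature, and the sample manifest, namespace and token below are constructed placeholders rather than real signer output.

```python
import base64
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

def _der_elements(buf):
    """Yield (tag, content) for each top-level DER element; stop on malformed input."""
    i = 0
    while i + 2 <= len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            if n == 0 or n > 4 or i + n > len(buf):
                return
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        if i + length > len(buf):
            return
        yield tag, buf[i:i + length]
        i += length

def first_generalized_time(der):
    """Heuristic walk (not a full CMS parser): descend into constructed elements and
    OCTET STRINGs (TSTInfo is wrapped in one) and return the first GeneralizedTime
    that looks like YYYYMMDDhhmmssZ. In an RFC 3161 token TSTInfo precedes the
    certificates, so the first hit is genTime, the time the signature was stamped."""
    for tag, content in _der_elements(der):
        if tag == 0x18 and len(content) >= 15 and content[:14].isdigit():
            return content.decode("ascii")
        if tag & 0x20 or tag == 0x04:
            found = first_generalized_time(content)
            if found:
                return found
    return None

def manifest_timestamp(manifest_xml):
    """Return genTime if the signature holds a Timestamp element, else None."""
    root = ET.fromstring(manifest_xml)
    for sig in root.iter("{%s}Signature" % DSIG_NS):
        for elem in sig.iter():
            if elem.tag.rsplit("}", 1)[-1] == "Timestamp" and elem.text:
                token = base64.b64decode("".join(elem.text.split()))
                return first_generalized_time(token)
    return None

# Constructed sample: a minimal DER blob shaped like the relevant part of a token
# (OCTET STRING -> SEQUENCE -> GeneralizedTime), not a real timestamp response.
_FAKE_TOKEN = b"\x30\x15\x04\x13\x30\x11\x18\x0f20240501120000Z"
SIGNED_WITH_TS = """<asmv1:assembly xmlns:asmv1="urn:schemas-microsoft-com:asm.v1">
 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo/><SignatureValue/>
  <Object><as:Timestamp xmlns:as="urn:placeholder-ns">%s</as:Timestamp></Object>
 </Signature></asmv1:assembly>""" % base64.b64encode(_FAKE_TOKEN).decode()
SIGNED_WITHOUT_TS = SIGNED_WITH_TS.split("<Object>")[0] + "</Signature></asmv1:assembly>"
```

Run `manifest_timestamp(open("AddIn.vsto").read())` against the real file: `None` means Mage signed without a timestamp, so the signature will stop validating once the certificate expires.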