ClickOnce code signing with a YubiKey-stored certificate

Symptom

When trying to code sign a ClickOnce application in Visual Studio you are unable to see the certificate stored on your Yubikey.

Cause

The code signing utility used by Visual Studio for ClickOnce applications does not recognize the newly required ECDSA keys. As of the February 2024 version of Visual Studio 2022, ECDSA keys are still not supported.

Possible Solutions

In order to sign code, you must first install the following pre-requisites:

  • Windows 10 SDK
    • NOTE:  When installing, you only need to select the Code Signing component
  • YubiKey Smart Card Minidriver
    • NOTE:  It is possible that this is not required

When building your software, you will then do the following:

  • Publish your ClickOnce application WITHOUT signing the manifest.  Once you have edited your build settings and unselected signing there, the setting persists and you will not have to unselect it again for future builds.
  • Locate the Windows 10 SDK version of signtool.exe.  You will find it in:  C:\Program Files (x86)\Windows Kits\10\bin\{KIT VERSION}\{ARCHITECTURE}\signtool.exe
    • For example, kit version 10.0.22621.0 running on 64-bit Windows will be located here:  C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe
    • NOTE:  The signtool version that comes with the Visual Studio ClickOnce kit does not support ECDSA keys
  • Open a command prompt and sign your setup.exe file (paths containing spaces must be wrapped in double quotes):
    • "C:\Program Files (x86)\Windows Kits\10\bin\{KIT VERSION}\{ARCHITECTURE}\signtool.exe" sign /tr {TIMESTAMP SERVER URL} /td sha256 /fd sha256 /a "{PATH TO CLICKONCE APPLICATION}\setup.exe"
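
The locate-and-sign steps above can be scripted and followed by a verification pass. The PowerShell below is an added example, not part of the original article: the script name Sign-Setup.ps1 and its parameter names are hypothetical, and it assumes the YubiKey is inserted and the SDK is installed in the default location given above.

```powershell
# Sign-Setup.ps1 (hypothetical name): added example, not from the original article.
# Finds the newest Windows 10 SDK signtool.exe, signs setup.exe with the same
# options as the manual command, then verifies the resulting signature.
param(
    [Parameter(Mandatory)] [string] $SetupExe,      # path to the published setup.exe
    [Parameter(Mandatory)] [string] $TimestampUrl,  # RFC 3161 timestamp server URL from your CA
    [ValidateSet('x64', 'x86', 'arm64')] [string] $Architecture = 'x64'
)

$ErrorActionPreference = 'Stop'
$kitBin = Join-Path ${env:ProgramFiles(x86)} 'Windows Kits\10\bin'

# Kit folders are named like 10.0.22621.0; skip anything else under bin,
# sort by real version order, and take the newest one that has signtool.exe.
$signtool = Get-ChildItem -Path $kitBin -Directory |
    Where-Object { $_.Name -match '^\d+\.\d+\.\d+\.\d+$' } |
    Sort-Object { [version]$_.Name } -Descending |
    ForEach-Object { Join-Path $_.FullName "$Architecture\signtool.exe" } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1

if (-not $signtool) { throw "No $Architecture signtool.exe found under $kitBin" }
if (-not (Test-Path $SetupExe)) { throw "File not found: $SetupExe" }
Write-Host "Using $signtool"

# Same options as the manual command: RFC 3161 timestamp, SHA-256 digests,
# /a lets signtool pick the best available certificate.
& $signtool sign /tr $TimestampUrl /td sha256 /fd sha256 /a $SetupExe
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)" }

# /pa applies the default Authenticode verification policy; /v prints the chain.
& $signtool verify /pa /v $SetupExe
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed (exit code $LASTEXITCODE)" }

# Report what was actually applied, so a wrong certificate or a missing
# timestamp is caught before the installer is distributed.
$sig = Get-AuthenticodeSignature -FilePath $SetupExe
[pscustomobject]@{
    Status       = $sig.Status
    Signer       = $sig.SignerCertificate.Subject
    KeyAlgorithm = $sig.SignerCertificate.PublicKey.Oid.FriendlyName
    Timestamped  = [bool]$sig.TimeStamperCertificate
}
if ($sig.Status -ne 'Valid') { throw "Signature status is $($sig.Status)" }
```

Because /a selects a certificate automatically, check the reported Signer when more than one code signing certificate is present in the store.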

Applies To

Visual Studio 2022
