VSTO: Security error when updating Outlook Addin to a new version with a new certificate - vsto

We have a plug-in that runs on Outlook 2016. Our plug-in is using VSTOInstaller.exe file to install new updates from the installation folder URL. Now, the certificate of our plug-in is about to expire, so we bought a new certificate and deployed a new version with the new certificate.
But during the installation of the new update with the new certificate, the plug-in has encountered a security error that is preventing it from updating to the new version; see the error below:
Exception: Customized functionality in this application will not work because it has not been granted trust. The certificate used to sign the deployment manifest is unknown, and the customization itself (Time Tracking System) is not on the inclusion list. Contact your administrator for further assistance.
************** Exception Text **************
System.Security.SecurityException: Customized functionality in this application will not work because it has not been granted trust. The certificate used to sign the deployment manifest is unknown, and the customization itself (Time Tracking System) is not on the inclusion list. Contact your administrator for further assistance.
at Microsoft.VisualStudio.Tools.Office.Runtime.OfficeAddInDeploymentManager.VerifyAddInTrust(ClickOnceAddInTrustEvidence evidence)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.VerifySecurity(ActivationContext context, Uri manifest, AddInInstallationStatus installState)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()
The Zone of the assembly that failed was:
MyComputer
After searching for a solution over the internet, I found this article: http://www.aivanoff.net/Blogs/Details/VSTOwithHSA256fail.
In short, changing the RSAKeyValue from the "HKEY_CURRENT_USER\Software\Microsoft\VSTO\Security\Inclusion" in the registry with the RSAKeyValue of the new certificate will fix the problem. I have tried this solution and it worked, but this is not the kind of solution that we want to give to our users.
I have also tried solution from the URL below, but it did not work:
https://social.msdn.microsoft.com/Forums/vstudio/en-US/b1289353-91ab-4f3f-be20-6d65615441bd/security-trust-issue-only-on-some-client-machines-outlook-addin?forum=vsto
Could someone please let me know why this error occurs? And is there any other way to fix it?
Thanks,
Ben
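
The exception text in the question names two trust paths that both failed: the signing certificate is not a known publisher, and the add-in's inclusion-list entry does not match. The PowerShell diagnostic below is an added example, not code from the original post; it assumes Windows PowerShell 5.1, an RSA signing key, inclusion-list subkeys that store "Url" and "PublicKey" values, and a hypothetical -CertPath parameter pointing at the new certificate exported as a .cer file.

```powershell
# Added diagnostic (read-only); not code from the original post.
# Assumptions: Windows PowerShell 5.1, an RSA signing key, and inclusion-list
# subkeys that store "Url" and "PublicKey" (an <RSAKeyValue> XML string).
# -CertPath is a hypothetical path to the new certificate exported as .cer.
param([Parameter(Mandatory = $true)][string]$CertPath)

$file = (Resolve-Path -Path $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

# RSAKeyValue of the new certificate, in the same XML form the registry uses.
$newModulus = ([xml]$cert.PublicKey.Key.ToXmlString($false)).RSAKeyValue.Modulus

# Trust path 1: is the signing certificate a known (trusted) publisher?
$stores = 'Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher'
$known  = @(Get-ChildItem -Path $stores | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })

# Trust path 2: does any inclusion-list entry carry the new public key?
$root    = 'HKCU:\Software\Microsoft\VSTO\Security\Inclusion'
$entries = @()
if (Test-Path -Path $root) {
    $entries = @(Get-ChildItem -Path $root | ForEach-Object {
        $props   = Get-ItemProperty -Path $_.PSPath
        $modulus = $null
        try { $modulus = ([xml]$props.PublicKey).RSAKeyValue.Modulus } catch { }
        [pscustomobject]@{
            Entry         = $_.PSChildName
            Url           = $props.Url
            MatchesNewKey = ($null -ne $modulus -and $modulus -eq $newModulus)
        }
    })
}

'Signer            : {0}' -f $cert.Subject
'Valid until       : {0:u}' -f $cert.NotAfter
'Trusted publisher : {0}' -f ($known.Count -gt 0)
$entries | Format-Table -AutoSize -Wrap

if ($known.Count -eq 0 -and -not ($entries | Where-Object { $_.MatchesNewKey })) {
    'Neither trust path matches the new key; this is the state the SecurityException text describes.'
}
```

An entry whose Url is the add-in's .vsto location but whose MatchesNewKey is False is the stale record left by the old certificate.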

Related

SignTool error: SignerSign() failed." (-2147024885/0x8007000b) when signing msi file

We recently purchased an EV Code Signing Certificate.
I followed instructions and I can successfully sign our built applications (exe files), our libraries (dll).
However, I can't sign our setup packages (MSI files), I always get this error:
SignTool Error: An unexpected internal error has occurred. Error
information: "Error: SignerSign() failed." (-2147024885/0x8007000b)
I don't see anything in Event Viewer.
I am really stuck here; I don't understand how the same command could work for certain file types and not for MSI files.
Thanks in advance for your help!
Check the log for more info:
Run Event Viewer app.
Open the event log: Event Viewer (Local) > Applications and Services Logs > Microsoft > Windows > AppxPackagingOM > Microsoft-Windows-AppxPackaging/Operational
Look for the most recent error event
In my case I had a mismatch in publisher string in Certificate and Manifest.
The following cause was reported on a forum post:
Have just found the cause: my antivirus Trend Micro Worry Free
Advanced is the problem.
When I deactivate it, I can sign without any problem and it is much
faster to sign.
Now I have to find to which part I have to set an exception in the
antivirus.
The strange thing is that I never had any problem to sign with my
Authenticode certificate,
but here with an EV Code Signing certificate my antivirus blocks
something...
Posted by david[SDT] Monday, April 9, 2018 12:47 PM

Office Add-In installation VSTO download failed

I have an Outlook Add-In that's installed from a web server. This add-in works the same way as all other add-ins I've worked on in Office.
setup.exe is downloaded and executed
all prerequisites (.Net framework and such) are verified
vsto file is downloaded
So far, everybody installing this add-in has had no problems (this add-in has been in use for about a year). We have a new customer installing it on Windows 7 and we're seeing our first issue. Here's the error:
There was an error during installation:
Downloading http://<path and filename>.vsto did not succeed
***************** Exception Text******************
System.Deployment.Application.DeploymentDownloadException: Downloading http://<path and filename>.vsto did not succeed
System.Net.WebException: The remote server returned an error: (407) Proxy Authentication Required. ---> System.ComponentModel.Win32Exception: The token supplied to the function is invalid
at System.Net.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean throwOnError, SecurityStatus& statusCode)
at System.Net.NTAuthentication.GetOutgoingBlob(String incomingBlob)
at System.Net.NtlmClient.DoAuthenticate(String challenge, WebRequest webRequest, ICredentials credentials, Boolean preAuthenticate)
at System.Net.NtlmClient.Authenticate(String challenge, WebRequest webrequest, ICredentials credentials)
at System.Net.AuthenticationManager.Authenticate(String challenge, WebRequest request, ICredentials credentials)
at System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials authInfo)
at System.Net.HttpWebRequest.CheckResubmitForAuth()
at System.Net.HttpWebRequest.CheckSubmit(Exception& e)
--- End of inner exception stack trace ---
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()
Obviously, I cannot duplicate from my location. My gut is telling me this customer's network security is causing an issue (my understanding is that they have a series of firewalls and such), but their Windows XP machines are having no problem installing.
Anybody see anything I'm missing?
In the end, the answer wasn't too difficult. What was happening is that, obviously, the user is behind a Proxy Server that's blocking the download of the VSTO file, as it didn't have the Proxy Credentials.
So, I've had to make an exception for these users, sending them all the files in a zip that they can install from.
Note that users that run into this MUST run a command to clear the ClickOnce app cache before proceeding; it looks like the mere attempt to install this was leaving some residuals behind that were causing a problem. If you don't already know, you can clear the app cache by running this command from the command prompt (or creating a .bat file containing):
rundll32 dfshim CleanOnlineAppCache
There is a MS KB (KB917952) that corrects ClickOnce deployment issues when using Proxy Authentication.
End users or IT can modify the machine.config to enable proxy authentication with their NTLM login. This will allow them to install ClickOnce or VSTO applications behind proxies that require authentication.
How To: Change your Default Proxy to always use your default credential (NTLM login).
Edit %windir%\Microsoft.NET\Framework\v4.0.30319\config\machine.config
Add the defaultProxy element shown below. Remember to add to an existing system.net section when one exists already.
<configuration>
  <!-- ... -->
  <system.net>
    <defaultProxy enabled="true" useDefaultCredentials="true"/>
  </system.net>
  <!-- ... -->
</configuration>
<defaultProxy> Element (Network Settings)
useDefaultCredentials
Specifies whether the default credentials for this host are used to access the web proxy. The default value is false.
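
Because machine.config applies to every .NET Framework application of that bitness on the machine, it helps to check what is already set before editing it. The read-only PowerShell audit below is an added example, not code from the original answer; the Framework64 path is an assumption not mentioned on the page, included because 64-bit processes load that file instead.

```powershell
# Added audit (read-only); not code from the original answer.
# Assumption: the Framework64 path is not on the page; it is included because
# 64-bit processes (for example 64-bit Office) load that machine.config instead.
$configs = 'Framework', 'Framework64' | ForEach-Object {
    Join-Path -Path $env:windir -ChildPath "Microsoft.NET\$_\v4.0.30319\config\machine.config"
}

$report = foreach ($path in $configs) {
    $row = [ordered]@{ Config = $path; Enabled = 'n/a'; UseDefaultCredentials = 'n/a'; Note = '' }
    if (-not (Test-Path -Path $path)) {
        $row.Note = 'file not present'
    } else {
        [xml]$xml = Get-Content -Raw -Path $path
        $proxy = $xml.SelectSingleNode('/configuration/system.net/defaultProxy')
        if ($null -eq $proxy) {
            $row.Note = 'no defaultProxy element; useDefaultCredentials defaults to false'
        } else {
            # GetAttribute returns an empty string when the attribute is absent.
            $row.Enabled               = $proxy.GetAttribute('enabled')
            $row.UseDefaultCredentials = $proxy.GetAttribute('useDefaultCredentials')
            if ($row.UseDefaultCredentials -ne 'true') {
                $row.Note = 'default credentials are not sent to the proxy'
            }
        }
    }
    [pscustomobject]$row
}
$report | Format-List
```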

Problem in Deploying AIR Application

I am new to Adobe AIR and I was following the steps given on the site:
"http://net.tutsplus.com/tutorials/tools-and-tips/introduction-to-adobe-air/", to create my first AIR application.
I was almost successful in creating my first AIR application, but at the last step of deploying the AIR application, after the successful creation of the certificate, when I try to create the .air file, I get the error:
"Could not generate timestamp: Connection refused: connect".
Can you please help me in resolving the issue as soon as possible.
As a short-term workaround, you can specify "-tsa none" on the ADT command line. (If you are using Flash Pro or Builder, there should be an option in the UI). -tsa none disables timestamps.
A timestamp requires an internet connection in order to get a signed timestamp token from a server. This is used to verify that your certificate was valid when the app was signed. Without a timestamp, your app won't be installable after your code signing certificate expires. With a timestamp, your app installer will not expire.
Proxy connections are sometimes the issue. Since ADT is a Java program, you have to configure the Java proxy settings if this is the source of the trouble.

Damaged AIR app after signing with renewed certificate

Our code-signing certificate recently expired. It's been renewed, but now whenever I try to package the app with the renewed cert (whether I attempt a migration of the expired cert or not), after installation, I get the following message any time I try to run the app:
"This installation of this application is damaged. Try re-installing or contacting the publisher for assistance."
Opening up the package contents, the publisherid file inside Resources/META-INF/AIR is blank. This is apparently the problem, because if I manually edit it to contain our previous publisherID, the app will run.
But of course, it's not like we can tell all our users "oh install it then manually edit this file inside the package."
Has anyone encountered this or know how to fix it?
Ah, after a bit more banging my head against my desk I got it.
For anyone who comes after me:
I had to change a couple things in my app descriptor file.
First I had to change the namespace to point at AIR 1.5.3 instead of 1.5
<application xmlns="http://ns.adobe.com/air/application/1.5.3">
And then I had to manually specify our old publisherID in the descriptor as well
<id>OurAppID</id>
<publisherID>OurOldPublisherID</publisherID>
Now it works just as it's supposed to, installs as an update to our old version instead of a new app, and actually runs instead of just throwing that error.

how do i edit "unknown publisher" in my app?

I guess my .NET application needs to be signed or something. How do I get rid of that "unknown publisher" prompt when someone tries to install my app?
If it's the prompt I'm thinking of, you'd start by getting a certificate from someone like Verisign and use their certificate to sign your assembly.
You may be able to do a self-signed assembly using the information from these pages:
http://weblogs.asp.net/fbouma/archive/2003/12/23/45396.aspx
http://msdn.microsoft.com/en-us/library/ms247123(VS.80).aspx
http://blogs.msdn.com/junfeng/archive/2006/03/11/549355.aspx
I'd recommend reading up and going from there.