ClickOnce and VSTO Signing

Signotaur can be used to sign ClickOnce deployments and VSTO (Visual Studio Tools for Office) add-ins. These applications consist of a deployment manifest (.application or .vsto), an application manifest (.manifest) and a set of dependency or content files.

How ClickOnce/VSTO Signing Works

When you specify a .application or .vsto file, Signotaur automatically:

  1. Parses the deployment manifest to identify all referenced files.
  2. Signs dependency files (assemblies, resources) in the application folder.
  3. Updates the application manifest with new hash values of signed dependencies.
  4. Signs the application manifest itself.
  5. Updates the deployment manifest with the hash of the signed application manifest.
  6. Signs the deployment manifest.
  7. For VSTO only: Signs both the nested and root .vsto files.

This cascading process ensures that every hash value in the manifest chain reflects the actual signed content.

VSTO-Specific Considerations

VSTO applications differ from ClickOnce in that they have a nested deployment manifest structure.

When you publish a VSTO add-in, Visual Studio creates:

  • A root .vsto file in the publish folder (version pointer).
  • A versioned folder under Application Files (e.g., MyAddin_1_0_0_7).
  • A nested .vsto file inside that versioned folder (actual deployment manifest for that version).

Signotaur automatically detects and signs both .vsto files in the correct order.

Filtering Dependencies with Content Patterns

By default, all dependencies are signed. You can use content patterns to selectively sign only specific files or to exclude certain files. Content patterns are specified as part of the Files parameter or in the file given with the --file-list command option. Use a colon (:) to separate the deployment manifest file pattern from the content patterns:

Syntax: FilePattern:ContentPattern1:ContentPattern2:...

Pattern Rules:

  • Include patterns: Specify file types to sign (e.g., :*.dll:*.exe).
  • Exclude patterns: Prefix with ! to exclude files (e.g., :!*.pdb).
  • Multiple patterns: Chain patterns with colons, or specify them as additional parameters or as extra lines in the file list.
  • Wildcards (*, ?, **) are supported.
  • Exclusion patterns always override inclusion patterns.
  • Content patterns only apply to dependencies, not the manifest itself.

Common Use Cases:

  • Sign only executable code: MyApp.application:*.dll:*.exe.
  • Exclude debug symbols: MyApp.application:!*.pdb:!*.xml.
  • Exclude Microsoft Office PIAs: MyAddin.vsto:*.dll:!Microsoft.Office.*.dll:!Office.dll.
  • Exclude test assemblies: **/*.application:*.dll:!**/test/**.
  • Sign everything except specific patterns: MyApp.application:!*.pdb:!*.config.

This recursive iteration with selective filtering gives you complete control over the signing of your ClickOnce/VSTO deployments without having to list each file manually.

Application Details

When signing ClickOnce or VSTO applications, you can specify the publisher company name and support URL using the --description and --description-url command options. There is also an --app-name option which identifies the product name. These parameters update attributes in the manifest file that are used when the application or add-in is installed.

  • -d, --description <Description>
    Specifies the company name used for icon placement in the Windows Start menu and the Add or Remove Programs item in Control Panel, when the deployment is configured for install.

  • --du, --description-url <URL>
    Specifies a support URL that is shown in the Add or Remove Programs item in Control Panel. A shortcut to this URL is also created for application support in the Windows Start menu, when the deployment is configured for installation.

  • --an, --app-name <Name>
    Specifies the full product name. This is used as the title for the icon installed in the Windows Start menu.

File List

These parameters can also be specified on each line of the file list, allowing different information for each of a set of applications signed in one command. Each line has the format:

FilePath|Description|URL|ApplicationName

Note that Description corresponds to the --description option, URL to --description-url and ApplicationName to --app-name. FilePath can itself take the form FilePattern:ContentPattern1:ContentPattern2:... as described above.
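As an added example (not Signotaur's own code), the following Python models the two formats described above: it parses a file-list line of the form FilePath|Description|URL|ApplicationName, splits FilePath into the manifest pattern and its content patterns, and applies the stated rules (all dependencies by default, ! exclusions overriding inclusions, *, ? and ** wildcards) to a constructed application-folder listing. It assumes relative manifest paths (so every colon in FilePath is a separator), that * and ? do not cross directory separators, and that a pattern without a slash is matched against the file name only; Signotaur's actual matching may differ in those details.

```python
import re

def parse_file_list_line(line: str) -> dict:
    """Parse 'FilePath|Description|URL|ApplicationName', where FilePath may itself be
    'FilePattern:ContentPattern:...'. Assumes a relative manifest path, so every colon
    in FilePath is a pattern separator."""
    file_path, description, url, app_name = (line.strip().split("|") + [""] * 3)[:4]
    manifest, *patterns = file_path.split(":")
    patterns = [p for p in patterns if p]
    return {"manifest": manifest, "description": description, "url": url, "app_name": app_name,
            "includes": [p for p in patterns if not p.startswith("!")],
            "excludes": [p[1:] for p in patterns if p.startswith("!")]}   # '!' = exclude

def glob_to_regex(pattern: str):
    """Translate the documented wildcards: '**' spans directories ('**/' may also match
    nothing), while '*' and '?' stay within one path segment."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out, i = out + "(?:.*/)?", i + 3
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] in "*?":
            out, i = out + ("[^/]*" if pattern[i] == "*" else "[^/]"), i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(f"^{out}$")

def matches(pattern: str, rel_path: str) -> bool:
    # Assumption: a pattern without '/' is matched against the file name only; one with '/'
    # against the whole path relative to the application folder.
    rel_path = rel_path.replace("\\", "/")
    target = rel_path if "/" in pattern else rel_path.rsplit("/", 1)[-1]
    return glob_to_regex(pattern).match(target) is not None

def select_dependencies(spec: dict, files: list) -> list:
    """No include patterns means every dependency is signed; an exclusion always wins."""
    return [f for f in files
            if (not spec["includes"] or any(matches(p, f) for p in spec["includes"]))
            and not any(matches(p, f) for p in spec["excludes"])]

# Constructed sample: one file-list line plus a listing of the application folder.
SAMPLE_LINE = ("MyAddin.vsto:*.dll:!Microsoft.Office.*.dll:!Office.dll:!**/test/**"
               "|Contoso|https://example.com/support|My Add-in")
SAMPLE_FILES = ["MyAddin.dll", "MyAddin.pdb", "MyAddin.dll.config", "Office.dll",
                "Microsoft.Office.Interop.Excel.dll", "Newtonsoft.Json.dll",
                "test/MyAddin.Tests.dll"]
```

Calling select_dependencies(parse_file_list_line(SAMPLE_LINE), SAMPLE_FILES) yields only MyAddin.dll and Newtonsoft.Json.dll: the PIAs, Office.dll and the test assembly are excluded even though *.dll includes them.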