ClickOnce and VSTO Verification

Signotaur can be used to verify the signatures of ClickOnce deployments and VSTO (Visual Studio Tools for Office) add-ins by checking the deployment manifest (.application or .vsto), application manifest (.manifest), and all dependency files.

What Gets Verified

When you verify a .application or .vsto file, Signotaur automatically checks:

  1. Deployment manifest signature - Verifies the main manifest is properly signed.
  2. Application manifest signature - Verifies the referenced application manifest.
  3. Hash chain integrity - Ensures hash values in manifests match actual file contents.
  4. Dependency signatures - Verifies all assemblies and resources in the application folder.
  5. For VSTO only: Verifies both the nested and root .vsto file signatures (see VSTO structure explanation).
  6. Certificate validity - Checks certificate trust chain and revocation status.

Any mismatch in the hash chain or invalid signature will cause verification to fail.

Note: When the --strict-lifetime option is enabled, verification uses the embedded timestamp to validate the signing certificate at the time of signing, allowing the signature to remain valid even if the certificate has since expired. Without this option, certificate validity is evaluated against the current time.

Filtering Dependencies with Content Patterns

By default, all dependencies are verified. You can use content patterns to selectively verify only specific files or exclude certain files. Content patterns are specified as part of the Files parameter or in lines of file specified using the --file-list command option. Use a colon (:) to separate the deployment manifest file pattern from the content patterns:

Syntax: FilePattern:ContentPattern1:ContentPattern2:...

Pattern Rules:

  • Include patterns: Specify file types to verify (e.g., :*.dll:*.exe).
  • Exclude patterns: Prefix with ! to exclude files (e.g., :!*.pdb).
  • Multiple patterns: Chain patterns with colons, or specify additional entries as separate parameters or extra lines in the file list.
  • Wildcards (*, ?, **) are supported.
  • Exclusion patterns always override inclusion patterns.
  • Content patterns only apply to dependencies, not the manifest itself.

Common Use Cases:

  • Verify only executable code: MyApp.application:*.dll:*.exe.
  • Exclude debug symbols: MyApp.application:!*.pdb:!*.xml.
  • Exclude Microsoft Office PIAs: MyAddin.vsto:*.dll:!Microsoft.Office.*.dll:!Office.dll.
  • Exclude test assemblies: **/*.application:*.dll:!**/test/**.

For detailed information about ClickOnce/VSTO structure and how signing works, see ClickOnce and VSTO Signing.