VSoft Technologies Blogs

ClickOnce and VSTO Application Signing with Signotaur

Tue, 14 Oct 2025 00:23:40 GMT

If you've been working with ClickOnce or VSTO applications, you know that signing them isn't quite like signing a regular executable. We're pleased to announce that Signotaur now handles ClickOnce and VSTO application signing, taking care of the manifest orchestration so you don't have to.

What Makes ClickOnce and VSTO Different?

When you sign a standard executable or DLL, you're dealing with a single file. The process is straightforward: calculate a hash, sign it, embed the signature. One file, one operation.

ClickOnce and VSTO applications are a different beast entirely. These deployment packages consist of multiple files tied together by manifest files that describe the application structure, dependencies, and deployment configuration. The challenge? Everything needs to be signed in a specific order, and those manifests need to be updated with new hash values after each signing operation.

Here's what's happening under the hood:

Application files get signed first (your assemblies, dependencies, etc.)
The application manifest (.manifest) needs to be updated with the new hash values of those signed files
Then the application manifest itself gets signed
The deployment manifest (.application) needs to be updated with the hash of the signed application manifest
Finally, the deployment manifest gets signed

Miss a step or do things out of order, and Windows will reject your deployment package. It's tedious and error prone to manage manually, which is exactly why we've automated it.

Certificate Requirements

ClickOnce and VSTO signing requires an RSA certificate with specific characteristics:

Algorithm: RSA only (ECC/ECDSA certificates are not supported by the ClickOnce/VSTO signing infrastructure)
Key size: Minimum 2048 bits, though 3072 bits is recommended for better security
Certificate type: Must be a code signing certificate (Authenticode) from a trusted Certificate Authority
Key storage: Since June 2023, CA/B Forum requirements mandate that private keys be stored on secure hardware (USB tokens or HSMs)

Signotaur supports all of these requirements, whether your certificates are stored on YubiKeys, SafeNet tokens, other PKCS#11 HSMs, or in the Windows Certificate Store.

The Publisher Name Challenge

Getting the manifests signed is only half the battle. Making your application display the proper publisher name instead of "Unknown Publisher" during installation is notoriously tricky. Even with a properly signed application, several factors can cause Windows to show "Unknown Publisher":

Certificate chain issues (missing intermediate certificates)
Publisher name in the deployment manifest not matching the certificate's Common Name exactly
Whitespace differences introduced during the signing process
Self-signed or test certificates (which will always show as unknown)
Certificate not from a trusted root CA

When everything is configured correctly, users see a clean installation prompt with your verified publisher information:

When something's wrong — even if the manifests are technically signed — users see the dreaded "Unknown Publisher" warning:

This is why using certificates from trusted CAs and ensuring proper manifest configuration is so important. Signotaur handles all the signing mechanics correctly so all you need to display the verified publisher name is a valid certificate from a publicly trusted Certificate Authority.

Signing Made Simple

To sign a ClickOnce or VSTO application, you only need to point Signotaur at the deployment manifest:

SignotaurTool.exe sign -a  -s  -t  --tr  --td SHA256 path\to\MyApp.application

Signotaur will parse the manifest, identify all the files that are part of the application, sign them in the correct order, and update the hash values throughout the manifest chain. Any files sitting in the deployment folder that aren't referenced in the manifest will be ignored, even if they match your file spec. This keeps things clean and ensures only application files get signed.

Command-Line Parameters

We've added a new --application-name parameter specifically for ClickOnce and VSTO deployments. This value appears in the Windows Start menu when users install your application, giving it a proper identity in the system.

The existing --description and --description-url parameters are used to populate the publisher name and support URL in the deployment manifest. This means if you're already using these parameters for other signing operations, your scripts should work with minimal changes.

What This Means for Your Build Process

If you've been juggling multiple tools or scripts to handle ClickOnce and VSTO signing, you can simplify your build pipeline. Signotaur handles the entire process as a single operation, maintaining the correct signing order and manifest updates automatically. This is particularly useful in CI/CD environments where you need reliable, repeatable signing without manual intervention.

The usual benefits of Signotaur apply here: your certificates stay securely on the server, private keys never travel over the network, and the command-line interface integrates cleanly with your existing build scripts.

For detailed command-line syntax and examples, check out the Signotaur documentation. If you run into any issues or have questions about signing ClickOnce or VSTO applications, our support team is here to help.

Daily Builds with Continua CI

Sun, 24 May 2020 09:22:55 GMT

Generally, at VSoft, we like to build. So we build every commit and this allows us to look back at our build history and see which changes caused the build to fail. We use manual stage promotion to prevent every build being released until we decide that it is ready to go.

Many teams like to trigger a build at the end of each day, or during the night, compiling the work for the day in one single package.

The obvious choice for this scenario is the Daily Trigger. This can be set to run a build at a specific time every day, or just weekdays - even just weekends for those with alternative lifestyles.

But what if the team is just having a design day, is off on a team building excursion or, perish the thought, a day of meetings! No commits are made, but the daily build still runs even though there are no changes. One possible solution is to use a Discard condition.

This will prevent the build running if there are no changes since the last build.

Another option has been added to Continua CI recently. The Quiet Period setting on Repository Triggers now allows you to enter an End Time rather than an Interval.

Any builds triggered from a repository change are then queued right through the day until the specified end time. Any additional changes added to the configuration repositories during the day are added to the queued build, and when the end time comes up, the build executes on the latest changeset.

If you're going home earlier than the end time and want stuff deployed already, you can swiftly end the quiet period at the click of a button. Using a repository trigger in this way means that you can ignore changes to some files, changesets with a specific comment, or commits from certain users.

- like that hands-on manager who thinks of his commit count as a key performance indicator.

Introducing Continua CI Version 1.9.1 Beta

Wed, 01 May 2019 07:00:08 GMT

This new beta release includes substantial improvements to the expressions engine including new several expressions objects and functions. We have also made some updates to the stage editor, implemented automatic report generation for some reporting actions, and added several new deployment actions providing support for Docker, Azure, SQL packages, File Transfer and SSH.

Continue reading for details of all the new features.

Enhanced expressions engine
Stage editor changes
New premium deployment actions
Other new and updated actions
Automatic reporting

Enhanced expressions engine

The expression engine in Continua CI evaluates expression objects and variables denoted with $ and % characters. It also provides auto-completion suggestions when typing such expressions into expression fields. This has now been overhauled to include function return types, chaining of functions, nesting functions as function parameters, selection and filtering of collections and many improvements to expression parsing. We have added several new functions, objects and collections to give access to more values and allow you to manipulate those values.

You can now, for example, use the following expression to get the time that the penultimate build stage finished;

 $Build.Stages.Item($Build.Stages.Count.Decrement()$).Finished.ToLongTimeString()$

combine the result of multiple flags by chaining functions, as in this expression;

$Build.HasErroredStages.Or($Build.HasFailedStages$).Or($Build.HasWarnings$)$

or use the following expression to get the comment of the first build changeset in the build containing the word 'merge' (ignoring case):

$Source.SuperFancyRepo.Changesets.First(Comment, Contains, "merge", true).Comment$

We have also included functions to get the value of a variable as a type, allowing you to use properties or functions on the variable value.

You can, for example, now use the following expression to get the abbreviated day of the week from a variable entered using a DateTime prompt;

$Utils.GetDateTime(%DateTimeTest%).DayOfWeek.Substring(0, 3)$

use expressions to do some more complex maths on a Numeric variable;

  $Utils.GetNumber(%NumberTest%).Floor().Modulus(10).Multiply(100)$

or get the first selected value in a checkbox select variable with this expression:

$Utils.GetString(%CheckboxSelectTest%).SplitWithQuotes(",").First()$

You can see a full list of available expression objects, collection and functions on the Expression Objects page of the documentation.

Auto-completion has also been revamped so show more information in the suggestions list. A list of parameters with types is now shown for each for each function. Descriptions are also displayed on mouse over for each object, collection and function in the suggestions list. We have also removed some annoying quirks with expression auto-completion where the cursor would end up in the wrong place or end characters would be added in the wrong place.

Stage editor changes

As Continua CI matures, the number of actions (and categories) has increased. This can make it more difficult to find the action you need. We have therefore redesigned the action list.

The list of categories has been pulled up into a drop down menu with all actions listed below by default.

The filtering of actions using the search box is now fuzzier, using partial and keyword matches.

Stage buttons now resize (up to a maximum) to fit the stage name. If you stage names are short, this means you can fit more stages into your browser width. If your stage names are long, then the text will no longer escape the stage borders. Really long stage names which do not fit the maximum stage button size will now be truncated.

All actions now include a Validate button to allow you to check that all fields have valid values before saving.

New premium deployment actions

We have added a set of premium actions which can be used for deploying the results of your build. The following actions can only be used if you have purchased one or more concurrent build licenses.

File Transfer action: This allows you to upload files to a remote server via FTP, FTPS and SFTP.

SSH Run Script action: This can be used to run a script or list of commands on an SSH server.

Azure actions: Several new actions are available to allow you to deploy web apps, function apps, files and blobs to Azure.

Create Azure Resource Group
Delete Azure Resource Group

Create Azure App Service Plan
Delete Azure App Service Plan

Create Azure Web App
Deploy Azure Web App
Upload Azure Web App
Control Azure Web App
Delete Azure Web App

Create Azure Function
Deploy Azure Function
Delete Azure Function

Create Azure Storage Account
Get Azure Storage Account Keys
Delete Azure Storage Account

Create Azure Storage Container
Delete Azure Storage Container

Upload Azure Blob
Delete Azure Blob

Create Azure File Share
Delete Azure File Share

Create Azure Directory
Delete Azure Directory

Upload Azure File
Delete Azure File

Docker actions: These new actions are available to allow you to build, deploy and manage Docker containers.

Docker Build
Docker Command
Docker Commit
Docker Inspect
Docker Pull
Docker Push
Docker Run
Docker Stop
Docker Tag

SQL Package actions: These new actions allow you to create, update and export SQL Server database schemas and table data.

SQL Package Export
SQL Package Extract
SQL Package Import
SQL Package Publish
SQL Package Script

Other new and updated actions

Extent Reports: Wrapper for the Extent Reports CLI for reporting on NUnit results.

ReportGenerator: Updated to include all the latest command line options.

Rename Directory: Does what it says on the tin..

Automatic reporting

Currently, there are a few steps to configure when setting up a report. You have to ensure that the report files are included in the Workspace Rules and that the report is defined in the Reports section of the configuration wizard. Furthermore, it's also recommended to include the report files in the artifact rules so that you can control when they are cleaned up.

To simplify this process, we have added a new option to automatically register the report with the server to actions which generate reports (FinalBuilder, ReportGenerator and the new Extent Reports action). Ticking this option shows a new tab where you can enter the name, description and run order of the report. When a stage completes, any report files generated by actions where this option is turned on, will automatically be copied to the server workspace. The main report file will be registered as a report and all report files will be registered as artifacts.

Download the installers for Continua CI v1.9.1 Beta from the Downloads page