clickonce - "Manifest XML signature is not valid" on client machine but works fine on developer computer

Question

At work we had a ClickOnce application that, when the client would try to install, was throwing the exception:

• Exception reading manifest from file:/FILEPATH: the manifest may not be valid or the file could not be opened.

  Manifest XML signature is not valid.

  SignatureDescription could not be created for the signature algorithm supplied.

To solve this, we ended up using another certificate file, and it worked fine (resigned the manifest).

But we can not understand why it would work to install the application in the developers machines (even developers that were not working with the application), but it would not work for the clients' machines?

We don't have much information on how the certificates were created or the ClickOnce package, because the person that did it is gone and didn't leave documentation about it.

The certificate that was being used didn't have a password and normal users do not have administrator rights.

From Stack Overflow question Manifest XML signature is not valid, I could guess that the problem maybe was that they created the project and certificate with .NET Framework 4.5 and then when they set the application to run with .NET Framework 4.0, they didn't change the signature algorithm. But then I would asume it shouldn't work for the developers either.

Any insight you could give me would be greatly appreciated.

Answer 1

Update: This is fixed as of Visual Studio 2013 Update 3. Try publishing your app from that version of VS or later.

Previous answer:

It's because your developer machine had .NET 4.5 installed, while your client machines only had .NET 4.0 installed. The .NET 4.0 client machines can't read the manifest, as they expect SHA-1, while the .NET 4.5 developer machines can.

See this blog post for some additional context.

This change is due to the fact that we stopped using legacy certificates as default (SHA-1) in NetFX4.5 to sign manifest and instead, use newer version (SHA-256), which is not recognized by NetFx4.0 runtime. Therefore, while parsing the manifest, 4.0 runtime complains of an invalid manifest. For legacy frameworks, when we try to run a ClickOnce app on a box that does not have targeted runtime, ClickOnce pops up a message to user saying “you need xxxx.xx runtime to run this app”. But starting .NET 4.5, if a 4.5 ClickOnce app is run on the box with only .NET 4.0 installed, the message complains about an invalid manifest. In order to resolve the issue, you must install .Net Framework 4.5 on the target system.

Try signing your manifest with a SHA-1 certificate instead of a SHA-2 certificate.