starred/StrongNameSigner
1
0
Fork 0
mirror of https://github.com/brutaldev/StrongNameSigner.git synced 2026-04-25 11:26:04 +03:00
Code Issues Projects Releases Packages Wiki Activity

[GH-ISSUE #16] Click once: Strong name validation failed... #13

New issue
Closed
opened 2026-02-25 21:30:28 +03:00 by kerem · 20 comments
kerem commented 2026-02-25 21:30:28 +03:00
Owner
Copy link

Originally created by @tom-englert on GitHub (Jun 27, 2015).
Original GitHub issue: https://github.com/brutaldev/StrongNameSigner/issues/16

Originally assigned to: @brutaldev on GitHub.

The project builds and runs locally, but for published click once applications the strong name validation fails for the post-signed assemblies after download and the app won't install.

Originally created by @tom-englert on GitHub (Jun 27, 2015). Original GitHub issue: https://github.com/brutaldev/StrongNameSigner/issues/16 Originally assigned to: @brutaldev on GitHub. The project builds and runs locally, but for published click once applications the strong name validation fails for the post-signed assemblies after download and the app won't install.
kerem 2026-02-25 21:30:28 +03:00
kerem commented 2026-02-25 21:30:28 +03:00
Author
Owner
Copy link

@brutaldev commented on GitHub (Jun 27, 2015):

@tom-englert This is not nearly enough information to assist you. It's likely you are not signing the correct assemblies in a batch so references are not being fixed appropriately breaking the referential integrity. You may also be using an older version that does not automatically fix friend assembly references.

Please provide actual error messages, stack traces, a sample project, post-install commands, msbuild config, anything that could help identify if this is a bug or simply a misconfiguration.

<!-- gh-comment-id:116143770 --> @brutaldev commented on GitHub (Jun 27, 2015): @tom-englert This is not nearly enough information to assist you. It's likely you are not signing the correct assemblies in a batch so references are not being fixed appropriately breaking the referential integrity. You may also be using an older version that does not automatically fix friend assembly references. Please provide actual error messages, stack traces, a sample project, post-install commands, msbuild config, anything that could help identify if this is a bug or simply a misconfiguration.
kerem commented 2026-02-25 21:30:28 +03:00
Author
Owner
Copy link

@tom-englert commented on GitHub (Jul 1, 2015):

After realizing it did not work for ClickOnce Apps I had to quickly rollback. I will try to make a reproducible sample.

<!-- gh-comment-id:117720254 --> @tom-englert commented on GitHub (Jul 1, 2015): After realizing it did not work for ClickOnce Apps I had to quickly rollback. I will try to make a reproducible sample.
kerem commented 2026-02-25 21:30:28 +03:00
Author
Owner
Copy link

@brutaldev commented on GitHub (Jul 1, 2015):

This has been tested on ClickOnce application without an issue. You need to sign all files before creating the ClickOnce manifest since the manifest is also signed. My suggestion with all setups is to always sign your assemblies BEFORE anything, even compiling.

<!-- gh-comment-id:117721093 --> @brutaldev commented on GitHub (Jul 1, 2015): This has been tested on ClickOnce application without an issue. You need to sign all files before creating the ClickOnce manifest since the manifest is also signed. My suggestion with all setups is to always sign your assemblies BEFORE anything, even compiling.
kerem commented 2026-02-25 21:30:28 +03:00
Author
Owner
Copy link

@tom-englert commented on GitHub (Jul 1, 2015):

I've uploaded compile output and the detailed error message: http://1drv.ms/1GNr3jW
Do you need anything else?

<!-- gh-comment-id:117734965 --> @tom-englert commented on GitHub (Jul 1, 2015): I've uploaded compile output and the detailed error message: http://1drv.ms/1GNr3jW Do you need anything else?
kerem commented 2026-02-25 21:30:28 +03:00
Author
Owner
Copy link

@tom-englert commented on GitHub (Jul 1, 2015):

<!-- gh-comment-id:117739577 --> @tom-englert commented on GitHub (Jul 1, 2015): - The source code is at https://resxresourcemanager.codeplex.com/SourceControl/latest - The version with the signing issue is in the Feature\Test branch. - The click once app is the ResXManager project. - You can ignore the ResXManager.VSIX project (it's not loadable if you don't have the VS SDK installed)
kerem commented 2026-02-25 21:30:28 +03:00
Author
Owner
Copy link

@tom-englert commented on GitHub (Jul 1, 2015):

P.S. If you don't have Microsoft Code Contracts installed, you will get lots of Code Analysis warnings - just suppress them.

<!-- gh-comment-id:117745976 --> @tom-englert commented on GitHub (Jul 1, 2015): P.S. If you don't have Microsoft Code Contracts installed, you will get lots of Code Analysis warnings - just suppress them.
kerem commented 2026-02-25 21:30:28 +03:00
Author
Owner
Copy link

@brutaldev commented on GitHub (Jul 1, 2015):

When it comes to the two assemblies being signed, it doesn't seem to like each assembly having a unique public key. I'll take this as a bug since the strong-name file generated could be used for all assemblies and this problem would be completely avoided quite easily.

To overcome the issue now, simply provide a key file to sign the assemblies with. You already have one in the root (Key.snk) so just use that until this gets corrected in 1.4.9.

Also just sign the two assemblies that actually need to be signed, this makes the build process much faster.

<Target Name="BeforeBuild">
  <Exec ContinueOnError="false" Command="&quot;..\packages\Brutal.Dev.StrongNameSigner.1.4.8\tools\StrongNameSigner.Console.exe&quot; -k &quot;..\Key.snk&quot; -in &quot;..\packages\WindowsAPICodePack-Core.1.1.1|..\packages\WindowsAPICodePack-Shell.1.1.1&quot;" />
</Target>

I think your key is password protected so you will also need to pass in -p and your key password for the signer, this is not ideal since it will end up in source control. You can do this manually for now, I'll get the multi-key signing issue fixed up and release 1.4.9. now.

<!-- gh-comment-id:117777583 --> @brutaldev commented on GitHub (Jul 1, 2015): When it comes to the two assemblies being signed, it doesn't seem to like each assembly having a unique public key. I'll take this as a bug since the strong-name file generated could be used for all assemblies and this problem would be completely avoided quite easily. To overcome the issue now, simply provide a key file to sign the assemblies with. You already have one in the root (Key.snk) so just use that until this gets corrected in 1.4.9. Also just sign the two assemblies that actually need to be signed, this makes the build process much faster. ``` xml <Target Name="BeforeBuild"> <Exec ContinueOnError="false" Command="&quot;..\packages\Brutal.Dev.StrongNameSigner.1.4.8\tools\StrongNameSigner.Console.exe&quot; -k &quot;..\Key.snk&quot; -in &quot;..\packages\WindowsAPICodePack-Core.1.1.1|..\packages\WindowsAPICodePack-Shell.1.1.1&quot;" /> </Target> ``` I think your key is password protected so you will also need to pass in `-p` and your key password for the signer, this is not ideal since it will end up in source control. You can do this manually for now, I'll get the multi-key signing issue fixed up and release 1.4.9. now.
kerem commented 2026-02-25 21:30:28 +03:00
Author
Owner
Copy link

@brutaldev commented on GitHub (Jul 1, 2015):

You'll need to delete the WindowsAPICodePack directories or restore their .unsigned copies. The tool will not sign already signed assemblies.

<!-- gh-comment-id:117781020 --> @brutaldev commented on GitHub (Jul 1, 2015): You'll need to delete the WindowsAPICodePack directories or restore their `.unsigned` copies. The tool will not sign already signed assemblies.
kerem commented 2026-02-25 21:30:28 +03:00
Author
Owner
Copy link

@brutaldev commented on GitHub (Jul 1, 2015):

Fixed in 1.4.9. All assemblies will use the same generated key and not be invalidated.

Make sure you delete any packages that were previously signed and invalidated and let them be restored by NuGet. Alternatively restore the from the .unsigned backup file that is created before the assembly is signed.

Get the latest NuGet package here https://www.nuget.org/packages/Brutal.Dev.StrongNameSigner/1.4.9

<!-- gh-comment-id:117792822 --> @brutaldev commented on GitHub (Jul 1, 2015): Fixed in [1.4.9](https://github.com/brutaldev/StrongNameSigner/releases/tag/v1.4.9). All assemblies will use the same generated key and not be invalidated. Make sure you delete any packages that were previously signed and invalidated and let them be restored by NuGet. Alternatively restore the from the `.unsigned` backup file that is created before the assembly is signed. Get the latest NuGet package here https://www.nuget.org/packages/Brutal.Dev.StrongNameSigner/1.4.9
kerem commented 2026-02-25 21:30:28 +03:00
Author
Owner
Copy link

@tom-englert commented on GitHub (Jul 2, 2015):

I could find no difference with 1.4.9, but specifying an own key fixed the problem. Thanx for the support.

<!-- gh-comment-id:118054854 --> @tom-englert commented on GitHub (Jul 2, 2015): I could find no difference with 1.4.9, but specifying an own key fixed the problem. Thanx for the support.
kerem commented 2026-02-25 21:30:28 +03:00
Author
Owner
Copy link

@brutaldev commented on GitHub (Jul 2, 2015):

Prior to deploying, I dropped 1.4.9 into the packages folder in your project (into the 1.4.8 folder so I didn't even change the .csproj), deleted the previously incorrectly signed assemblies and published it, worked perfectly first time. 😕

The fix is pretty important anyway since delayed friend reference fixing could break normal references if a new key is generated. If you are using a password for your SNK file, then you don't want that password in your .csproj to run the tool with, 1.4.9 takes care of that as well.

<!-- gh-comment-id:118067645 --> @brutaldev commented on GitHub (Jul 2, 2015): Prior to deploying, I dropped 1.4.9 into the packages folder in your project (into the 1.4.8 folder so I didn't even change the `.csproj`), deleted the previously incorrectly signed assemblies and published it, worked perfectly first time. :confused: The fix is pretty important anyway since delayed friend reference fixing could break normal references if a new key is generated. If you are using a password for your SNK file, then you don't want that password in your `.csproj` to run the tool with, 1.4.9 takes care of that as well.
kerem commented 2026-02-25 21:30:28 +03:00
Author
Owner
Copy link

@tom-englert commented on GitHub (Jul 3, 2015):

I did merely the same, I always completely deleted the affected packages before building.
The final working version is now in the Main branch, it uses 1.4.9 with -k.
If I remove the -k, the click-once does not work. With -k it runs fine. I just double-click the "ResXManager.application" to test it.
I'm using Win 8.1, maybe that's important to reproduce?

<!-- gh-comment-id:118319764 --> @tom-englert commented on GitHub (Jul 3, 2015): I did merely the same, I always completely deleted the affected packages before building. The final working version is now in the Main branch, it uses 1.4.9 with -k. If I remove the -k, the click-once does not work. With -k it runs fine. I just double-click the "ResXManager.application" to test it. I'm using Win 8.1, maybe that's important to reproduce?
kerem commented 2026-02-25 21:30:28 +03:00
Author
Owner
Copy link

@brutaldev commented on GitHub (Jul 3, 2015):

Just to verify, I downloaded your project again and got it building perfectly with the new version.

The first thing I did was opened up ResXManager.csproj to remove the -k argument and noticed the path is still using 1.4.8.

When you upgraded the package, the new path created would be packages\Brutal.Dev.StrongNameSigner.1.4.9, but the old one does not get removed so you will still have packages\Brutal.Dev.StrongNameSigner.1.4.8 available locally.

Without changing the 1.4.8 in the path, I restored packages and tried to build and of course it doesn't find the 1.4.8 package folder and the build fails, this is why I suspect you still have that folder locally if things are still working for you.

Editing the ResXManager.csproj again and changing the path to 1.4.9, rebuilt (keep in mind this would be the first time anything is signed and without the -k option) and everything went smoothly. Verified that the two signed assemblies contained the same public key which means the fix worked, they did. Also ran the ClickOnce app and it also installed correctly with no error.

It appears that nothing changed because you must have still been using 1.4.8 without realizing it. If you perform a fresh build with no packages, only 1.4.9 is pulled down and the build actually fails because the path to the signer is incorrect. Change it to actually point to the 1.4.9 package and you should be good to go.

<!-- gh-comment-id:118377925 --> @brutaldev commented on GitHub (Jul 3, 2015): Just to verify, I downloaded your project again and got it building perfectly with the new version. The first thing I did was opened up `ResXManager.csproj` to remove the `-k` argument and noticed the path is still using 1.4.8. When you upgraded the package, the new path created would be `packages\Brutal.Dev.StrongNameSigner.1.4.9`, but the old one does not get removed so you will still have `packages\Brutal.Dev.StrongNameSigner.1.4.8` available locally. Without changing the 1.4.8 in the path, I restored packages and tried to build and of course it doesn't find the 1.4.8 package folder and the build fails, this is why I suspect you still have that folder locally if things are still working for you. Editing the `ResXManager.csproj` again and changing the path to 1.4.9, rebuilt (keep in mind this would be the first time anything is signed and without the `-k` option) and everything went smoothly. Verified that the two signed assemblies contained the same public key which means the fix worked, they did. Also ran the ClickOnce app and it also installed correctly with no error. It appears that nothing changed because you must have still been using 1.4.8 without realizing it. If you perform a fresh build with no packages, only 1.4.9 is pulled down and the build actually fails because the path to the signer is incorrect. Change it to actually point to the 1.4.9 package and you should be good to go.
kerem commented 2026-02-25 21:30:28 +03:00
Author
Owner
Copy link

@tom-englert commented on GitHub (Jul 4, 2015):

The latest version in Main branch has this change to 1.4.9 - maybe you still have looked at the Feature/Test branch?
What OS are you using?

<!-- gh-comment-id:118517456 --> @tom-englert commented on GitHub (Jul 4, 2015): The latest version in Main branch has this change to 1.4.9 - maybe you still have looked at the Feature/Test branch? What OS are you using?
kerem commented 2026-02-25 21:30:28 +03:00
Author
Owner
Copy link

@brutaldev commented on GitHub (Jul 4, 2015):

Downloaded your project again and used the Main branch. Remove the -k option, restored NuGet packages, built, published and truth be told, it does not work!! I did replace your Key.snk with another one that has no password but that's irrelevant.

I verified that the fix in 1.4.9 was being applied, it is so I'm happy about that, but for some reason I cannot get that branch to work without using the -k option. Everything looks correct, the strong-name is in fact valid for all intents and purposes, the reference from Shell is correct, and the invalid friend references have been removed. This works without a problem when running normally and there is no reason it should fail the ClickOnce installation (but it does).

This is totally different to what was I explained was happening with the Feature branch which boggles my mind 😕

At least the -k option works for you in the meantime, but this should really work flawlessly without that option. I'm going to take a hard look at this and hopefully I can track down the issue, I'll post my findings here.

By the way, thanks for persisting with this. I was convinced this was resolved (as it should be) but clearly there is something weird going on.

<!-- gh-comment-id:118560824 --> @brutaldev commented on GitHub (Jul 4, 2015): Downloaded your project again and used the Main branch. Remove the `-k` option, restored NuGet packages, built, published and truth be told, **it does not work**!! I did replace your `Key.snk` with another one that has no password but that's irrelevant. I verified that the fix in 1.4.9 was being applied, it is so I'm happy about that, but for some reason I cannot get that branch to work without using the `-k` option. Everything looks correct, the strong-name is in fact valid for all intents and purposes, the reference from Shell is correct, and the invalid friend references have been removed. This works without a problem when running normally and there is no reason it should fail the ClickOnce installation (but it does). This is totally different to what was I explained was happening with the Feature branch which boggles my mind :confused: At least the `-k` option works for you in the meantime, but this should really work flawlessly without that option. I'm going to take a hard look at this and hopefully I can track down the issue, I'll post my findings here. By the way, thanks for persisting with this. I was convinced this was resolved (as it should be) but clearly there is something weird going on.
kerem commented 2026-02-25 21:30:28 +03:00
Author
Owner
Copy link

@brutaldev commented on GitHub (Jul 4, 2015):

Fixed in 1.5.0 and tested on your project. Seems like it's an issue with the StrongNameKeyPair internally, reusing it wasn't a good idea.

<!-- gh-comment-id:118563606 --> @brutaldev commented on GitHub (Jul 4, 2015): Fixed in [1.5.0](https://github.com/brutaldev/StrongNameSigner/releases/tag/v1.5.0) and tested on your project. Seems like it's an issue with the `StrongNameKeyPair` internally, reusing it wasn't a good idea.
kerem commented 2026-02-25 21:30:28 +03:00
Author
Owner
Copy link

@tom-englert commented on GitHub (Aug 1, 2015):

Sorry to say, but while 1.4.9 worked fine with my own key, 1.5.0 did not even work with this, so I had to rollback to 1.4.9.
Maybe what you are testing is only working fine on your machine?

<!-- gh-comment-id:126909041 --> @tom-englert commented on GitHub (Aug 1, 2015): Sorry to say, but while 1.4.9 worked fine with my own key, 1.5.0 did not even work with this, so I had to rollback to 1.4.9. Maybe what you are testing is only working fine on your machine?
kerem commented 2026-02-25 21:30:28 +03:00
Author
Owner
Copy link

@brutaldev commented on GitHub (Aug 1, 2015):

@tom-englert The unit tests all pass and this was tested against your own ClickOnce project on my machine during development and another fresh virtual machine after release.

The changes to 1.5.0 wouldn't have affected the functionality in 1.4.9 if using your own key (review the commits it if you wish).

Not sure what else you want me to do? You need to send me a project that fails so I can identify why it doesn't work for you, otherwise I have to assume you are using it incorrectly.

<!-- gh-comment-id:126921973 --> @brutaldev commented on GitHub (Aug 1, 2015): @tom-englert The unit tests all pass and this was tested against your own ClickOnce project on my machine during development and another fresh virtual machine after release. The changes to 1.5.0 wouldn't have affected the functionality in 1.4.9 if using your own key (review the commits it if you wish). Not sure what else you want me to do? You need to send me a project that fails so I can identify why it doesn't work for you, otherwise I have to assume you are using it incorrectly.
kerem commented 2026-02-25 21:30:28 +03:00
Author
Owner
Copy link

@tom-englert commented on GitHub (Aug 2, 2015):

Tried again with 1.5.0, and this time it worked. Sorry for the confusion, maybe there was a bad signed file dangling around from previous tests...
However I never got it to work without specifying my own key with the -k option, but I'm fine with this.

<!-- gh-comment-id:127027255 --> @tom-englert commented on GitHub (Aug 2, 2015): Tried again with 1.5.0, and this time it worked. Sorry for the confusion, maybe there was a bad signed file dangling around from previous tests... However I never got it to work without specifying my own key with the -k option, but I'm fine with this.
kerem commented 2026-02-25 21:30:28 +03:00
Author
Owner
Copy link

@brutaldev commented on GitHub (Aug 2, 2015):

1.5.1 will fix this once and for all. Seems like a ordering issue that I could reproduce after a few tries. Fixing friend assembly references invalidates the signature, so the fix is to re-sign for every write (which was happening when you provide a key file but not when a key is generated). No need for you to upgrade though since you are using your own key.

<!-- gh-comment-id:127039315 --> @brutaldev commented on GitHub (Aug 2, 2015): [1.5.1](https://github.com/brutaldev/StrongNameSigner/releases/tag/v1.5.1) will fix this once and for all. Seems like a ordering issue that I could reproduce after a few tries. Fixing friend assembly references invalidates the signature, so the fix is to re-sign for every write (which was happening when you provide a key file but not when a key is generated). No need for you to upgrade though since you are using your own key.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
v3.6.5
v3.6.4
v3.6.3
v3.6.2
v3.6.1
v3.6.0
v3.5.1
v3.5.0
v3.4.0
v3.3.3
v3.3.2
v3.3.1
v3.3.0
v3.2.1
v3.2.0
v3.1.1
v3.1.0
v2.9.1
v2.9.0
2.7.1
2.7.0
2.6.0
2.4.0
v2.3.0
v2.2.0
v2.1.4
v2.1.3
v2.1.2
v2.1.0
v2.0.0
v1.8.0
v1.7.0
v1.6.1
v1.5.1-2
v1.5.0
v1.5.1
v1.4.9
v1.4.8
v1.4.7
v1.4.6
1.4.5
1.4.4
1.4.3
1.4.2
1.4.1
1.4
v1.3.0.0
1.2
Labels
Clear labels   
bug

   
duplicate

   
duplicate

   
enhancement

   
invalid

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
wontfix
No labels
bug
duplicate
duplicate
enhancement
invalid
pull-request
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/StrongNameSigner#13
No description provided.