I have a VSTO 2010 Excel add-in designed for the .NET Framework 4.0, Visual Studio 2010.
Over the past few years, we have used a SHA-1 certificate to sign the manifest and assemblies. The application has been deployed to many end users. Now that the SHA-1 deprecation policy has come into effect in January 2016, the renewed certificate issued by the CA uses SHA-256.
Please see the files created when building the VSTO Excel 2010 add-in with various versions of Visual Studio:
NOTE: The certificate used in all of the following cases uses the SHA-2 algorithm.
.VSTO created by VS 2010 SP1, Target Framework 4.0:
The DigestMethod algorithm mentioned for dependentAssembly hash is SHA1, even when the SHA2 certificate was used.
<dependentAssembly dependencyType="install" codebase="ExcelAddIn1.dll.manifest" size="18274">
  <assemblyIdentity name="ExcelAddIn1.dll" version="1.0.0.1" publicKeyToken="2142698160a31911" language="neutral" processorArchitecture="msil" type="win32" />
  <hash>
    <dsig:Transforms>
      <dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
    </dsig:Transforms>
    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <dsig:DigestValue>DIGEST VALUE</dsig:DigestValue>
  </hash>
</dependentAssembly>
The publisherIdentity tag uses SignatureMethod and DigestMethod SHA256, which is consistent with the certificate algorithm.
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha256" />
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />
.VSTO, created by VS 2013 SP4 and VS 2015, Target Framework 4.0:
Please note that the algorithm specified in <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> is SHA1. This is the same as for VS 2010.
<dependentAssembly dependencyType="install" codebase="ExcelAddIn1.dll.manifest" size="16058">
  <assemblyIdentity name="ExcelAddIn1.dll" version="1.0.0.0" publicKeyToken="2142698160a31911" language="neutral" processorArchitecture="msil" type="win32" />
  <hash>
    <dsig:Transforms>
      <dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
    </dsig:Transforms>
    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <dsig:DigestValue>DIGEST VALUE</dsig:DigestValue>
  </hash>
</dependentAssembly>
Similarly, the publisherIdentity tag's SignatureMethod and DigestMethod still use SHA1. For the .vsto file built with VS 2010 and VS 2013 SP1, this is SHA2.
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
Will this work / be supported even after January 2016/17?
.VSTO, created by VS 2013 SP4 and VS 2015, Target Framework 4.5.2:
Please note that the algorithm specified in <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha2" /> is SHA2.
<dependentAssembly dependencyType="install" codebase="ExcelAddIn1.dll.manifest" size="16058">
  <assemblyIdentity name="ExcelAddIn1.dll" version="1.0.0.0" publicKeyToken="2142698160a31911" language="neutral" processorArchitecture="msil" type="win32" />
  <hash>
    <dsig:Transforms>
      <dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
    </dsig:Transforms>
    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha2" />
    <dsig:DigestValue>DIGEST VALUE</dsig:DigestValue>
  </hash>
</dependentAssembly>
SignatureMethod and DigestMethod now specify the SHA2 algorithm.
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha2" />
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha2" />
It seems that the update in VS 2013 SP3 (also available in VS 2015) applies the algorithm according to the target .NET Framework.
For .NET Framework 4.0, the DigestMethod and SignatureMethod are always SHA1, regardless of the certificate used. The add-in now works on a machine that has only .NET 4.0, since the VSTO / ClickOnce bootloader has nothing to do with SHA2 at all.
So, considering that SHA-2 certificates should be used from January 2016, what configuration should be used to sign the add-in with SHA-2?
VS 2010, .NET Framework 4.0 and SHA-2 certificate (does not work without .NET Framework 4.5 or later installed on the computer)
VS 2015, .NET Framework 4.0 and SHA-2 certificate (this is no different from using SHA-1 certificates; the VSTO files have only SHA-1 records, and I am not sure if this will work after January 2016)
VS 2015, .NET Framework 4.5.2 and SHA-2 certificate (not suitable for me; I need to keep the target framework at 4.0)
I am installing Excel add-ins on computers offline. They are always loaded from the file system.
[HKEY_CURRENT_USER\Software\Microsoft\Office\Excel\Addins\ExcelAddin1]
"Description"="ExcelAddin1 - COM add-in created with Visual Studio Tools for Office"
"FriendlyName"="ExcelAddin1"
"Manifest"="file:///C:/published/Addins/ExcelAddin1.vsto|vstolocal"
"LoadBehavior"=dword:00000003
Thanks.
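The question above compares manifests by eye. As an added example (not part of the question, and not Microsoft's own tooling), the following Python script audits a .vsto deployment manifest and lists every DigestMethod and SignatureMethod algorithm it finds, together with the element that carries it (a dependentAssembly file hash or the publisher Signature), and flags the SHA-1 ones. Running it over the manifests already deployed to end users is the quickest way to see which builds still rely on SHA-1 hashes or signatures. The embedded manifest is constructed to mirror the VS 2010 case (SHA-1 file hash, SHA-256 publisher signature); the namespace URIs are the standard ClickOnce ones, but the element layout outside the fragments quoted in the question is an assumption.

```python
import sys
import xml.etree.ElementTree as ET

# Algorithm URIs that still rely on SHA-1 (from the manifests quoted above).
SHA1_URIS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
}

# Constructed sample .vsto, modelled on the VS 2010 SP1 / .NET 4.0 case:
# SHA-1 digest for the dependent assembly, SHA-256 publisher signature.
# Layout outside the quoted fragments is assumed, not taken from a real file.
SAMPLE_VSTO = """<asmv1:assembly xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
    xmlns="urn:schemas-microsoft-com:asm.v2"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" manifestVersion="1.0">
  <assemblyIdentity name="ExcelAddIn1.vsto" version="1.0.0.1"
      publicKeyToken="2142698160a31911" language="neutral"
      processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />
  <dependency>
    <dependentAssembly dependencyType="install" codebase="ExcelAddIn1.dll.manifest" size="18274">
      <assemblyIdentity name="ExcelAddIn1.dll" version="1.0.0.1"
          publicKeyToken="2142698160a31911" language="neutral"
          processorArchitecture="msil" type="win32" />
      <hash>
        <dsig:Transforms>
          <dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <dsig:DigestValue>DIGESTVALUE</dsig:DigestValue>
      </hash>
    </dependentAssembly>
  </dependency>
  <publisherIdentity name="CN=Constructed Publisher" issuerKeyHash="0000" />
  <Signature Id="StrongNameSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha256" />
      <Reference URI="">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />
        <DigestValue>DIGESTVALUE</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>SIGNATUREVALUE</SignatureValue>
  </Signature>
</asmv1:assembly>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_manifest(xml_text):
    """Return one record per DigestMethod/SignatureMethod element in the manifest.

    Each record names the enclosing context (the dependentAssembly codebase for
    file hashes, the Signature Id for the publisher signature), the element,
    the algorithm URI and whether that URI is a SHA-1 one.
    """
    root = ET.fromstring(xml_text)
    # ElementTree has no parent links, so build a child -> parent map once.
    parent = {child: node for node in root.iter() for child in node}
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name not in ("DigestMethod", "SignatureMethod"):
            continue
        alg = el.get("Algorithm", "")
        context = "unknown"
        node = el
        while node in parent:          # walk up until a known container is found
            node = parent[node]
            pname = _local(node.tag)
            if pname == "dependentAssembly":
                context = "dependentAssembly:" + node.get("codebase", "?")
                break
            if pname == "Signature":
                context = "Signature:" + node.get("Id", "?")
                break
        findings.append({"context": context, "element": name,
                         "algorithm": alg, "sha1": alg in SHA1_URIS})
    return findings


def sha1_uses(findings):
    """Filter the audit records down to those still using SHA-1."""
    return [f for f in findings if f["sha1"]]


if __name__ == "__main__":
    # Audit the files given on the command line, or the constructed sample.
    sources = [open(p, encoding="utf-8-sig").read() for p in sys.argv[1:]] or [SAMPLE_VSTO]
    for text in sources:
        for f in audit_manifest(text):
            flag = "SHA-1 !" if f["sha1"] else "ok"
            print(f"{flag:8} {f['context']:45} {f['element']:16} {f['algorithm']}")
```

Usage: `python audit_vsto.py C:\published\Addins\ExcelAddin1.vsto` (the filename is an assumption). The file hash under dependentAssembly and the publisher signature are reported separately on purpose: as the question shows, the two can use different algorithms in the same manifest, so a check that only looks at the signing certificate would miss the SHA-1 file digest.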