Windows 8 and ClickOnce : the definitive answer revisited

Since I posted the article titled Windows 8 and Click Once: the definitive answer, it became clear that it was not actually the definitive answer.

I got a ping on twitter from Phil Haack from GitHub telling me that this did not fix their Smart Screen filter problem.

After talking to him, and seeing his build and signing commands, I discovered they recently changed their signing certificate. For those of you who remember the early days of ClickOnce (2005) when you changed the signing certificate and everybody had to uninstall and reinstall the application, this seemed too likely an indicator to ignore.


I didn’t talk in my article about “reputation” (and I should have, so I duly apologize here for that). In my first conversations with Microsoft, they mentioned that an application had a reputation, and this reputation had some bearing on the appearance of the Smart Screen Filter, and this reputation was built based on how many people had installed your application.

When I asked how many people had to install your application before the Smart Screen filter stopped interrupting the running of the application, I could not get a clear answer. Of course, this makes sense that they wouldn’t want to make their algorithm public, because you could publish your app, install it X number of times yourself, and make it reputable. (I’m not suggesting you do that, but if you do, please post back and tell us your results. Inquiring minds want to know.)

Since we’ve been in business for a few years, and have well over a thousand customers (probably thousands) who have installed the desktop application, this didn’t impact us. The reason I didn’t mention it in the blog post is because I created a new Windows Forms test application and deployed it solely for the purpose of testing the information in the article, and had no problem with the Smart Screen Filter. I installed the application maybe a dozen times while messing with the build commands, so I figured, “Wow, the number of installs required is pretty small.” Haha!

So on behalf of Phil, I pinged my contact at Microsoft, and he went off to investigate. After a bit of research, he found some information internal to Microsoft. I won’t quote it directly in case I shouldn’t, but the gist of it was this: The digital certificate information may be taken into account when determining the reputation of the application. A-HA! I thought to myself (and immediately started humming that song, “Take On Me”.)

So the problem at GitHub is probably due to the certificate being updated right about the same time they start signing their assembly for customers using Windows 8. I expect that fairly soon, as people install or get updates (if they are using automatic updates), their reputation will be sterling and nobody will ever see the Smart Screen Filter again when installing GitHub.

Knowing this, it makes sense that my test application didn’t get stopped even though it was a brand new application. I signed it with my company’s signing certificate, which has been in use for several months.

Which leads me to another issue I noticed when talking to Phil. I noticed that rather than using PostBuild or BeforePublish commands, he was using AfterCompile commands to sign his executable. I asked him about it.

PostBuild, BeforePublish, and AfterCompile, oh my!

Apparently when Phil signs his executable using PostBuild or BeforePublish commands, when the user installs it, he gets the dreaded “exe has a different computed hash than specified in the manifest” error. He found that using AfterCompile instead fixed the problem.

I went back to Microsoft, and they soon verified the problem, and said it is due to WPF applications having a different set of targets and execution order, so the standard AfterBuild/BeforePublish commands don’t quite work. So the bottom line is this: The signing of the exe doesn’t work right with BeforePublish or PostBuild if you are using VS2012 and you have a WPF application. In that case, you must use AfterCompile. So in the original post, use case #3, but put in AfterCompile instead of BeforePublish.

If you are using VS2010, OR you have a Windows Forms or Console application, you can use PostBuild or BeforePublish with no problem.

Hopefully we now have the definitive answer to handling the Smart Screen filter and signing a ClickOnce application that will be run on a Windows 8 machine.

Thanks to Zarko Hristovski and Paul Keister, who also reported the problem with the BeforePublish command, and who verified that AfterCompile worked for them. Thanks to Phil Haack for the answer to a problem I didn’t know existed yet. And thanks to Saurabh Bhatia at Microsoft for his help with Windows 8 and ClickOnce.

38 Responses to “Windows 8 and ClickOnce : the definitive answer revisited”

  1. Windows 8 and ClickOnce : the definitive answer | RobinDotNet's Blog Says:

    […] this article, I heard from a couple of people who were still having problems. Please check out the next blog article about this if you are still having problems with the Smart Screen filter, or getting the dreaded “exe has a […]

  2. Steve Cadwallader Says:

    Thanks for the ClickOnce articles – they were very helpful. 🙂

    FWIW – I found that AfterCompile would sign the .exe but it would get overwritten by a later stage. BeforePublish works for me on a WPF VS2012 application.

    • robindotnet Says:

      That’s really odd. I’ll pass that on to Microsoft just so they know. Glad you got it to work!

      • Steve Cadwallader Says:

        As a follow-up — I found this was actually due to our use of Microsoft Code Contracts which performs IL manipulation. It must be using the AfterCompile target as well. Once I took Code Contracts out (because it was making the signature process with MSBuild publishing a nightmare), I was able to use the AfterCompile target like you mentioned.

  3. TriSys (@TriSys) Says:

    Thanks for posting 2 great articles, however I am still getting the “Windows protected your PC” Publisher: Unknown Publisher “Run anyway” popup.
    My signtool (wrapped in a .bat) works great – I can see the output – I have these in my project file:

    I have ran out of time and my Windows 8 users will just have to live with this for longer!

    • robindotnet Says:

      If it says unknown publisher, then either your deployment is not signed, your executable is not signed, or your certificate is not from a valid CA like Verisign. You can check the executable by looking at its properties.

  4. mike Says:

    I’m seriously getting tired of the silly SmartScreen filter…

    My installer is signed. My primary .exe is signed. Both with a code-signing cert from GoDaddy.

    SmartScreen catches both of them. In fact, right now I’m looking at “Windows SmartScreen prevented an unrecognized app from starting.” Right under that? The publisher name from my cert.

    I get that reputation is involved, but this is tough to explain to my client. :-\

    • robindotnet Says:

      I feel your pain.

      One thing to note is that when creating the reputation, all installations and updates count towards that, not just installations on Windows 8. We had over a thousand active customers when I put this change in. It was shortly after Windows 8 came out, so I doubt any of our customers were running Windows 8. Yet it only took a day or so for the reputation to kick in. Reputation is tied to the signing certificate, so another interesting aspect is if you change your certificate, you have to garner reputation again. This was brought to my attention by Phil Haack at GitHub, whom I helped with this issue. So I don’t know how much of ours was built before I put in this change because our signing certificate was current.

      I agree that it seems unfair for us to jump through all the hoops and buy signing certificates and sign the exe files, etc., and then still have the smart screen stop the installation of our applications because of a “reputation” that we can neither define nor impact. I hope people keep leaving comments here, because I know Microsoft has read them at least once, and I have made them aware of the feedback around this issue.


  5. Charlie Says:

    I followed your previous post, but got the “invalid hash” error even though it was a WinForms application. So I changed it to AfterCompiler to get past that and now I have a signed deployment, signed executable and got rid of the Mr. “Unknown Publisher”.

    However, I still get SmartScreen popping up with the warning (even though it has the right publisher if I clicked “more info”).

    All in all it’s a terrible user experience. Both for the developer and the user. I tried it on several test subjects who hadn’t used Windows 8 and none of them clicked more info. They click OK and then get confused that they can’t run the application.

    Absolute waste of a certificate and ClickOnce development time.

    • robindotnet Says:

      I feel your pain. As noted in this article, you have to build “reputation”, which you can neither define nor impact, and it’s frustrating. I don’t know how large your user base it, but once you’ve got enough people who have installed or upgraded the application, the smart screen filter WILL go away. Until it does, you will have to educate your customers to click the “more info” link. I am sending all feedback about this issue to Microsoft, so they are well aware how annoyed people are.

      For me, the benefits of ClickOnce still outweigh the costs — being able to control the version the customer runs is invaluable, especially when database updates are involved in a new release.

      Good luck,

  6. Florian Says:

    I am using AfterCompile to sign my program and I sign my $(ProjectDir)obj\Release\Program.exe. I can verify that the file gets the digital signature. My setup.exe gets a signature too. But If I install the program I get a Smartscreen saying that Program.exe’s publisher is unknown. My .application files are not signed, do I need to sign them too?

    • robindotnet Says:

      You need to sign the executable and both manifests. You can do this by publishing through VS (with the right settings in the Signing tab) or using Mage or MageUI. You have to have a certificate purchased from a verified Certificate Authority such as VeriSign. You can not sign it with a test certificate created in Visual Studio and get rid of the “Unknown Publisher”.

  7. Slade Says:

    Neither the AfterCompile and BeforePublish options work for me with WPF application in VS2012. I still get the mismatch error on installation. Is this fixed in VS2013?

    • robindotnet Says:

      I assume you mean that your application is still getting caught by the Smart Screen filter. Did you check your exe to make sure it is signed? If it is, you still have to build up reputation as noted in the article.

  8. Slade Says:

    No I thought it was not working at all,but I re-checked and found that the AfterCompile method does work for me on VS2012 and VS2013, the exe is signed and no mismatch hash on install.
    Thanks for your post.

  9. John Says:

    This was all a huge help, thanks. It got me most of the way there. In our environment, we are using PostSharp, which seems to rebuild the .exe. So, the timing of the AfterCompile target was not quite right for us. So, we are using BeforeTargets=”GenerateApplicationManifest” instead, like this:

    (We also had trouble with the task and DigiCert in VS 2013, so we had to use .)

  10. Richard Hammond Says:

    I followed your first article and applied the signing post-build … everything worked fine (unbelievably considering I use Microshit’s products) By this, I mean the Smart Screen filter did not interrupt my installation as it had done.

    Then … my certificate expired (it was a Comodo one-year ‘dipping my toe into the water tester’) and I forked out my hard-earned cash for a 3-year certificate again from Comodo. Now (!!) the effing Smart Screen filter – which I believed I had banished forever – consistently and constantly interrupts my installation process.

    The installation .exe is signed (using your post-build technique), the publisher is known (its me), I have paid out $300 for a 3-year certificate to prove I am legit, BUT those poxy, interfering, nose-picking, spotty-faced kids at Microshit STILL think they should have the power to interfere with MY installation !!!! They should take their Stupid Screen ‘reputations’ and shove them internally where the sun don’t shine!!!! Who T F do they think they are? God? More than God? Better than God??? God++?????

    How do I build a reputation? Why should I chase their ‘reputation’ target? Where is it held? How do I find out what my ‘reputation’ is??? Edward Snowden …. please sort these effing stupid interfering see-you-next-tuesdays out!!!!!!!!!!

    • robindotnet Says:

      People want Microsoft to make their OS and their products secure, until it’s inconvenient. You can’t have it both ways. I agree that catching installations in the Smart Screen Filter is a giant p.i.t.a. and I have provided that feedback to Microsoft repeatedly, but in less offensive terms. They purposely do not publish the criteria for establishing a reputation because you could write a program to fulfill the requirements. I don’t think the requirements are stringent, because where I used it, we probably didn’t have more than a hundred people actually use the application before the reputation was built. (I didn’t do metrics on it, though.) Good luck.

  11. Anup Says:

    This is really very well explained article. Very nicely explained. I just went through the steps and applied to resolve the same issue with Smart Screen Filter. Thanks a lot!!!

  12. motovb Says:

    Thanks a lot!!!

  13. Nycoss Says:

    Thanks a lot! Winform application / Comodo certificate => 3/ method with “AfterCompile”.
    I’ve got the Smart Screen Filter but it shows the correct publisher straight away, no need to click on “more info” (Is it because of Windows 8.1?)

    • robindotnet Says:

      It should show the correct publisher. That’s separate from the issue with the Smart Screen Filter catching it and asking the user to click ‘More Info’ to go ahead and install it. If you’ve made it past this, then somehow your app with that certificate has built up enough reputation to be trusted. Don’t look a gift horse in the mouth. 😉

  14. Jay Says:

    So even if you have an signed .exe with your application certificate you will still get the smartscreen message until Microsoft deems your app is safe?


    • robindotnet Says:

      Yes, until you have built “reputation”, which pretty much means an undefined number of people have installed it. This is, of course, assuming you are using a certificate from a certificate authority such as VeriSign and not a self-created certificate from Visual Studio. I don’t think the bar is very high for building the reputation, but they wouldn’t disclose any more information about it.

  15. Steve Says:

    Thanks very much for so much effort. Do you have any updates with regard to W10 and IE11 or Edge?

    • robindotnet Says:

      As far as I know, they should continue to work the same. To be honest, I haven’t tested it in Edge yet. Has anyone tested Click Once with W10 and Edge? Any issues? Let me know, and I’ll get them reported to the right person.

      • Dave Says:

        Installing via Windows 10 and Edge works, for us anyway, without any issues. After about ten downloads with a new certificate the ‘this software is not commonly downloaded’ warning from Edge, and the blue warning screens for both the installing exe and the application exe from the OS go away.

  16. Jeff Pigott Says:

    Hi Robin, hate to reach out to you unless I have a doozie…I have been working fine with clickonce for years with the postbuild command using VS 2010, my issue now is with the newer certs from Verisign/Symantec that are SHA256. They are saying we may need to double sign them. Have you ran across this?

    Also has anyone received a error 123 with VS 2015. The same project works in VS 2010/2013 and will sign the .exe, but fails to do the post build command with VS 2015.

    Unless this is a problem with reputation being a new SHA256 key, but the same app name and company name?

    Any ideas?



  17. Dave Says:

    I hope this is not going to be another major mess where they have changed the rules again!!

    We currently have a SHA-1 certificate that runs out in June, but over the last few weeks our users on Win 10 have been getting the ‘are you sure?’ smart screen message. I put it down to SHA-1, having just gone through a painful upgrade with our Domino Mail Server to SHA-2

    With a new project ready to go out towards the end of this month we planned on getting a new SHA-2 code signing cert and it not biting us back. From what you are saying this could be a fun month 🙂

    I’m off to see if I can order my brandy in bulk!

    Thanks for posting a heads up!

    • robindotnet Says:

      Microsoft converted to SHAH-2 a couple of years ago. To be honest, I’m surprised you can still even use a SHAH-1 certificate. As noted in this article, the smart screen has little to do with the actual application. If you’re signing with a valid (i.e. not self-generated) code-signing certificate, you’re still going to get that screen until the app and certificate have built up reputation that tells the smart screen filter to trust you.

      • Dave Says:

        As ‘enquiring minds like to know’ it would appear the ‘reputation’ kicks in after 10 or less downloads – for most providers this would typically be hit during production, but updating the certificate on release software is where it could be painful (for a short while)

  18. Jeff Pigott Says:

    Robin, just worked with MS and in VS 2015 Update 2, their is no need to worry about the post-Build option as VS now signs the \obj\xxxx.exe for us!!! Finally!!!

  19. Jeff Pigott Says:

    One other side note for people that would be doing a custom version of VS 2015 install, make sure you click the ClickOnce checkbox options.

    One frustrating thing is that if you bounce between VS 2013 and 2015, you would need to remember to REMOVE the post build option for VS 2015 to remove the error that occurs. Just as if you were in VS 2015, you would need to make sure to add the post build command for 2013, 2012, or 2010.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: