Default publisher name may result in a failed ClickOnce installation #765

Open

Description

Describe the bug

 
When signing a ClickOnce package without --publisher-name, the publisher information from the certificate may be too long. No messages are logged by sign indicating something may be amiss. mage verified the manifest, but when attempting to install in Windows Sandbox, the following exception is reported:

ERROR SUMMARY
	Below is a summary of the errors, details of these errors are listed later in the log.
	* Activation of C:\Users\WDAGUtilityAccount\Desktop\HCS.application resulted in exception. Following failure messages were detected:
		+ The specified path, file name, or both are too long. The fully qualified file name must be less than 260 characters, and the directory name must be less than 248 characters.

There were no relevant details later in the log.

Repro steps

https://github.com/MH-ZShearer/SignedClickOnce is a barebones .NET 6 WinForms application that has a simple ClickOnce publish profile configured.

Our certificate's Subject, which got used as the Publisher somehow, looks like this:

E=software@mhforce.com, CN=Morehouse Instrument Company, O=Morehouse Instrument Company, L=York, S=Pennsylvania, C=US, OID.1.3.6.1.4.1.311.60.2.1.2=Pennsylvania, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=238776, OID.2.5.4.15=Private Organization

ClickOnce Releases

  • Unsigned
  • Signed, Unspecified Publisher
    • sign code azure-key-vault ".\SignedClickOnce\bin\publish\SignedClickOnce.application" -kvu <VaultURI> -kvc <VaultCert>
  • Signed, Specified Publisher
    • sign code azure-key-vault ".\SignedClickOnce\bin\publish\SignedClickOnce.application" -kvu <VaultURI> -kvc <VaultCert> -pn "Morehouse Instrument Company"

Expected behavior

A warning, or even an informational log message, stating that a Publisher longer than maybe 50 characters may cause issues due to ClickOnce limitations. According to the below message, this may also be relevant for the product name as well.

Actual behavior

No notice that something could have been wrong, even with trace logging.

Additional context

The following exception came from the above Repro steps using our certificate. This is what ultimately led me to uncover the issue. I'm still unsure why I received different errors, or why this shows that the deployment manifest is not semantically valid.

ERROR SUMMARY
	Below is a summary of the errors, details of these errors are listed later in the log.
	* Activation of C:\Users\WDAGUtilityAccount\Desktop\SignedClickOnce.application resulted in exception. Following failure messages were detected:
		+ Exception reading manifest from file:///C:/Users/WDAGUtilityAccount/Desktop/SignedClickOnce.application: the manifest may not be valid or the file could not be opened.
		+ Deployment manifest is not semantically valid.
		+ Publisher and/or Product name in the deployment manifest must be less than 260 characters.
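
A pre-release check along the lines this issue asks for, as an added example (not code from the Sign CLI or from the reporter): it reads the publisher and product attributes of the deployment manifest's `<description>` element and flags values that are long or shaped like a certificate subject. The 260 limit comes from the error text above and the 50-character threshold is the reporter's suggestion; the function names and the minimal sample manifest are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ASM_V1 = "urn:schemas-microsoft-com:asm.v1"
ASM_V2 = "urn:schemas-microsoft-com:asm.v2"
HARD_LIMIT = 260  # from the ClickOnce error text quoted in this issue
SOFT_LIMIT = 50   # threshold suggested in this issue, not a documented limit
# Heuristic: value contains X.500-style attributes such as "CN=" or "OID.2.5.4.15=".
DN_SHAPE = re.compile(r"(^|,\s*)(CN|O|OID\.[\d.]+)=", re.IGNORECASE)


def check_manifest(xml_text, soft=SOFT_LIMIT, hard=HARD_LIMIT):
    """Return (level, message) findings for a ClickOnce deployment manifest."""
    root = ET.fromstring(xml_text)
    desc = root.find(f"{{{ASM_V1}}}description")
    if desc is None:
        return [("error", "no <description> element in manifest")]
    findings = []
    for field in ("publisher", "product"):
        # Attributes are normally namespace-qualified (asmv2:publisher).
        value = desc.get(f"{{{ASM_V2}}}{field}") or desc.get(field) or ""
        if len(value) >= hard:
            findings.append(("error", f"{field} is {len(value)} chars, must be < {hard}"))
        elif len(value) > soft:
            findings.append(("warning", f"{field} is {len(value)} chars (> {soft})"))
        if DN_SHAPE.search(value):
            findings.append(("warning", f"{field} looks like a certificate subject"))
    return findings


def sample_manifest(publisher, product="SignedClickOnce"):
    """Constructed minimal manifest; real .application files carry more elements."""
    return (f'<asmv1:assembly xmlns:asmv1="{ASM_V1}" xmlns:asmv2="{ASM_V2}">'
            f'<description asmv2:publisher="{publisher}" asmv2:product="{product}" '
            f'xmlns="{ASM_V1}" /></asmv1:assembly>')


# Certificate subject as quoted in the issue.
SUBJECT = ("E=software@mhforce.com, CN=Morehouse Instrument Company, "
           "O=Morehouse Instrument Company, L=York, S=Pennsylvania, C=US, "
           "OID.1.3.6.1.4.1.311.60.2.1.2=Pennsylvania, "
           "OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=238776, "
           "OID.2.5.4.15=Private Organization")

if __name__ == "__main__":
    for name in (SUBJECT, "Morehouse Instrument Company"):
        print(name[:40], "->", check_manifest(sample_manifest(name)) or "ok")
```

Running it against the signed `.application` file in a release pipeline, and failing the build on any finding, surfaces the problem before an install attempt does.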