"File has a different computed hash than specified in manifest" error when signing the EXE

c# msbuild clickonce msbuild-task
Alex picture Alex · Sep 21, 2012 · Viewed 8.8k times · Source

My ClickOnce installation fails with an error:

File, WindowsFormsProject.exe, has a different computed hash than specified in manifest.

I use MSBuild to generate ClickOnce deployment package. The relevant line from the build script:

<MSBuild Targets="Publish"
         Projects="WindowsFormsProject.csproj"
         ContinueOnError="false" />

The WindowsFormsProject.csproj has a Post-Build step that signs the executable, as follows:

signtool sign /a $(ProjectDir)\obj\$(PlatformName)\$(ConfigurationName)\$(TargetFileName)

The trouble is, when I look at the build log I see that the manifest is generated BEFORE the Post-Build event executes. So it's not surprising that hash codes don't match. The relevant lines from the build log:

_CopyManifestFiles:

WindowsFormsProject -> ...\WindowsFormsProject.application

...

PostBuildEvent:

Successfully signed: ...\WindowsFormsProject.exe

So, the questions are:

  1. Is there a way to sign the assembly BEFORE the manifest is generated during the <MSBuild> task?
  2. Is there a way to re-generate the manifest (and manifest only) after the build is complete so that hash codes match again?

Or, if you can think of a different solution to the problem, I'd appreciate your ideas.

Answer

Dmitriy Konovalov picture Dmitriy Konovalov · Dec 20, 2012

If you are using MSBuild 4, you can use AfterTargets property to sign assembly just after it was created and before any further steps will be taken. Remove your post-build step and add this block to your project instead:

<Target Name="SignOutput" AfterTargets ="CoreCompile">
  <PropertyGroup>
    <TimestampServerUrl>http://timestamp.verisign.com/scripts/timstamp.dll</TimestampServerUrl>
  <ApplicationDescription>Foo bar</ApplicationDescription>
  <SigningCertificateCriteria>/sha1 578a9486f10ed1118f2b5f428afb842e3f374793</SigningCertificateCriteria>
  </PropertyGroup>
  <ItemGroup>
    <SignableFiles Include="$(ProjectDir)obj\$(PlatformName)\$(ConfigurationName)\$(TargetName)$(TargetExt)" />
  </ItemGroup>
  <GetFrameworkSdkPath>
          <Output
              TaskParameter="Path"
              PropertyName="SdkPath" />
  </GetFrameworkSdkPath>
    <Exec Command="&quot;$(SdkPath)bin\signtool&quot; sign $(SigningCertificateCriteria) /d &quot;$(ApplicationDescription)&quot; /t &quot;$(TimestampServerUrl)&quot; &quot;%(SignableFiles.Identity)&quot;" />
</Target>

Related questions

How do you get the current project directory from C# code when creating a custom MSBuild task?

Instead of running an external program with its path hardcoded, I would like to get the current Project Dir. I'm calling an external program using a process in the custom task. How would I do that? AppDomain.CurrentDomain.BaseDirectory just …

Read More
The CodeDom provider type "Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider" could not be located

It's a WebApi project using VS2015. Step to reproduce: Create an empty WebApi project Change Build output path from "bin\" to "bin\Debug\" Run Everything is working perfectly until I changed Build Output path from "bin\" to "bin\Debug\" In …

Read More
NuGet behind a proxy

I figure out that NuGet allows proxy settings configuration since 1.4 version. But, I can't find any command line example. I'm trying to run some build and NuGet can't connect. How do I configure the proxy settings on the command line?

Read More