c# - "File has a different computed hash than specified in manifest" error when signing the EXE

Question

My ClickOnce installation fails with an error:

File, WindowsFormsProject.exe, has a different computed hash than specified in manifest.

I use MSBuild to generate ClickOnce deployment package. The relevant line from the build script:

<MSBuild Targets="Publish"
         Projects="WindowsFormsProject.csproj"
         ContinueOnError="false" />

The WindowsFormsProject.csproj has a Post-Build step that signs the executable, as follows:

signtool sign /a $(ProjectDir)obj$(PlatformName)$(ConfigurationName)$(TargetFileName)

The trouble is, when I look at the build log I see that the manifest is generated BEFORE the Post-Build event executes. So it's not surprising that hash codes don't match. The relevant lines from the build log:

_CopyManifestFiles:

WindowsFormsProject -> ...WindowsFormsProject.application

...

PostBuildEvent:

Successfully signed: ...WindowsFormsProject.exe

So, the questions are:

1. Is there a way to sign the assembly BEFORE the manifest is generated during the <MSBuild> task?
2. Is there a way to re-generate the manifest (and manifest only) after the build is complete so that hash codes match again?

Or, if you can think of a different solution to the problem, I'd appreciate your ideas.

Answer 1

If you are using MSBuild 4, you can use AfterTargets property to sign assembly just after it was created and before any further steps will be taken. Remove your post-build step and add this block to your project instead:

<Target Name="SignOutput" AfterTargets ="CoreCompile">
  <PropertyGroup>
    <TimestampServerUrl>http://timestamp.verisign.com/scripts/timstamp.dll</TimestampServerUrl>
  <ApplicationDescription>Foo bar</ApplicationDescription>
  <SigningCertificateCriteria>/sha1 578a9486f10ed1118f2b5f428afb842e3f374793</SigningCertificateCriteria>
  </PropertyGroup>
  <ItemGroup>
    <SignableFiles Include="$(ProjectDir)obj$(PlatformName)$(ConfigurationName)$(TargetName)$(TargetExt)" />
  </ItemGroup>
  <GetFrameworkSdkPath>
          <Output
              TaskParameter="Path"
              PropertyName="SdkPath" />
  </GetFrameworkSdkPath>
    <Exec Command="&quot;$(SdkPath)binsigntool&quot; sign $(SigningCertificateCriteria) /d &quot;$(ApplicationDescription)&quot; /t &quot;$(TimestampServerUrl)&quot; &quot;%(SignableFiles.Identity)&quot;" />
</Target>