Voice from the field

VSTO Addin signed with SHA256 fails to load

April 13 2016

The VSTO Addin, which was correctly signed and distributed by an MSI installer, failed within several weeks after installation.

 

The exception is actually influenced by how the solution activates the Addin inside Word. Word has an internal mechanism to solve this type of problem: it offers the user a warning and activates the ClickOnce dialog.

 

However, that did not happen in the current solution. The solution is specific in that the Addin is disabled when Word is run by the user and enabled when the user runs some application.

 

System.Security.SecurityException: Customized functionality in this application will not work because it has not been granted trust. The certificate used to sign the deployment manifest is unknown, and the customization itself (Somecompany.AddIn) is not on the inclusion list. Contact your administrator for further assistance.

   at Microsoft.VisualStudio.Tools.Office.Runtime.OfficeAddInDeploymentManager.VerifyAddInTrust(ClickOnceAddInTrustEvidence evidence)

   at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.VerifySecurity(ActivationContext context, Uri manifest, AddInInstallationStatus installState)

   at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()

The Zone of the assembly that failed was: MyComputer

 

In Word's "Trust Center", the Addin's publisher provides a valid SHA256 signature and has been set up as a trusted publisher.

 

The certificate was also imported successfully into the trusted store.

Word ignored the settings for checking the Addin's signature.

 

 

 

The fix was found by mimicking what the ClickOnce installer actually does.

One important part of the installation is adding an inclusion entry for Office VSTO security.

 

HKEY_CURRENT_USER\Software\Microsoft\VSTO\Security\Inclusion

You have to add a new registry key under it, named with any new GUID, that holds values taken from the .vsto file.

 

The registry key needs to have two string values.

"PublicKey", with content copied from the following path in the .vsto file:

Assembly\Find Signature\KeyInfo\KeyValue

 

 

Then "url", with the full path to the .vsto file as its value.

 

The final result should look like the following example.
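
The steps above as a PowerShell script. This is an added example, not code from the original post or from Microsoft; $VstoPath is a caller-supplied path, and the script assumes the manifest is signed with an RSA key whose Signature element sits directly under the root assembly element.

```powershell
# Added example: creates one VSTO inclusion-list entry for the current user.
# $VstoPath is supplied by the caller and points at the installed .vsto file.
param([Parameter(Mandatory)][string]$VstoPath)

$inclusionRoot = 'HKCU:\Software\Microsoft\VSTO\Security\Inclusion'
$fullPath = (Resolve-Path -LiteralPath $VstoPath).ProviderPath

# Load the deployment manifest and address its XML-DSig elements by namespace.
$manifest = New-Object System.Xml.XmlDocument
$manifest.Load($fullPath)
$ns = New-Object System.Xml.XmlNamespaceManager($manifest.NameTable)
$ns.AddNamespace('asm', 'urn:schemas-microsoft-com:asm.v1')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# assembly\Signature\KeyInfo\KeyValue: the public key the manifest is signed with.
$xpath = '/asm:assembly/ds:Signature/ds:KeyInfo/ds:KeyValue/ds:RSAKeyValue'
$rsa = $manifest.SelectSingleNode($xpath, $ns)
if ($null -eq $rsa) {
    throw "No Signature\KeyInfo\KeyValue found in $fullPath; is the manifest signed?"
}

# Rebuild the element text as it reads in the file. InnerXml would add the
# inherited xmlns attribute, which a manual copy from the file does not contain.
$modulus = $rsa.SelectSingleNode('ds:Modulus', $ns).InnerText
$exponent = $rsa.SelectSingleNode('ds:Exponent', $ns).InnerText
$publicKey = "<RSAKeyValue><Modulus>$modulus</Modulus><Exponent>$exponent</Exponent></RSAKeyValue>"

if (-not (Test-Path -LiteralPath $inclusionRoot)) {
    New-Item -Path $inclusionRoot -Force | Out-Null
}

# Reuse an entry that already points at this manifest instead of piling up GUID keys.
$entry = Get-ChildItem -LiteralPath $inclusionRoot | Where-Object {
    (Get-ItemProperty -LiteralPath $_.PSPath).url -eq $fullPath
} | Select-Object -First 1

if ($null -eq $entry) {
    $entry = New-Item -Path (Join-Path $inclusionRoot ([guid]::NewGuid().ToString()))
}

# The two string values described above.
New-ItemProperty -LiteralPath $entry.PSPath -Name 'PublicKey' -Value $publicKey -PropertyType String -Force | Out-Null
New-ItemProperty -LiteralPath $entry.PSPath -Name 'url' -Value $fullPath -PropertyType String -Force | Out-Null

# Show what was written so it can be compared with the manifest.
Get-ItemProperty -LiteralPath $entry.PSPath | Select-Object PSChildName, url, PublicKey
```

Because the key lives under HKEY_CURRENT_USER, the script has to run in the session of each user who loads the Addin.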