
Signing a VSTO Excel Add-in, targeting .NET Framework 4.0, using a SHA-2 certificate

Posted by: admin April 4, 2020

Questions:

I have a VSTO 2010 Excel add-in, targeting .Net Framework 4.0, Visual Studio 2010.

We were using a SHA-1 certificate for the past few years for signing the manifest and the assemblies. The application has been deployed for a lot of end-users. Now with the SHA-1 deprecation policy coming into effect from January 2016, the renewed certificate that has been issued by the CA is keyed using SHA-256.

Please have a look at the files generated by building an Excel 2010 VSTO Add-in, using various versions of Visual Studio:

NOTE: The certificate used for all the following cases is keyed using SHA-2 algorithm.

.VSTO generated by VS 2010 SP1, Target Framework 4.0:

The DigestMethod Algorithm mentioned for the dependentAssembly's hash is SHA1, even when a SHA2 certificate was used.

<dependentAssembly dependencyType="install" codebase="ExcelAddIn1.dll.manifest" size="18274">
    <assemblyIdentity name="ExcelAddIn1.dll" version="1.0.0.1" publicKeyToken="2142698160a31911" language="neutral" processorArchitecture="msil" type="win32" />
    <hash>
        <dsig:Transforms>
            <dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <dsig:DigestValue>DIGEST VALUE</dsig:DigestValue>
    </hash>
</dependentAssembly>

Under the publisherIdentity tag, the SignatureMethod and DigestMethod used are SHA256, which matches the certificate's algorithm.

<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha256" />

<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />

.VSTO generated by VS 2013 SP4 and VS 2015, Target Framework 4.0:

Please note that the algorithm mentioned in the <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> tag is SHA1, which is the same as what gets generated by VS 2010.

<dependentAssembly dependencyType="install" codebase="ExcelAddIn1.dll.manifest" size="16058">
    <assemblyIdentity name="ExcelAddIn1.dll" version="1.0.0.0" publicKeyToken="2142698160a31911" language="neutral" processorArchitecture="msil" type="win32" />
    <hash>
        <dsig:Transforms>
            <dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <dsig:DigestValue>DIGEST VALUE</dsig:DigestValue>
    </hash>
</dependentAssembly>

Similarly, under the publisherIdentity tag, SignatureMethod and DigestMethod are still using SHA1. The .vsto files built using VS 2010 and VS 2013 SP1 have SHA2 here.

<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />

<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />

Will this work/be supported even after January 2016/17?

.VSTO generated by VS 2013 SP4 and VS 2015, Target Framework 4.5.2:

Please note that the algorithm mentioned in the <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha2" /> tag is SHA2.

<dependentAssembly dependencyType="install" codebase="ExcelAddIn1.dll.manifest" size="16058">
    <assemblyIdentity name="ExcelAddIn1.dll" version="1.0.0.0" publicKeyToken="2142698160a31911" language="neutral" processorArchitecture="msil" type="win32" />
    <hash>
        <dsig:Transforms>
            <dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha2" />
        <dsig:DigestValue>DIGEST VALUE</dsig:DigestValue>
    </hash>
</dependentAssembly>

SignatureMethod and DigestMethod are now indicating SHA2 algorithm.

<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha2" />

<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha2" />

It seems that the update in VS 2013 SP3 (also available in VS 2015) is using/enforcing the algorithm as per the .Net Framework being targeted.

For .Net Framework 4.0, the DigestMethod and SignatureMethod are always SHA1, irrespective of the certificate used. Now the add-in works on machines having only .Net 4.0, as the VSTO/ClickOnce loader does not have to deal with SHA2 at all.

So, considering that SHA-2 certificates have to be used starting January 2016, what should be the configuration used for signing the add-in with SHA-2 certificate?

  1. VS 2010, .Net Framework 4.0 and SHA-2 certificate (Does not work without .Net Framework 4.5 or newer installed on the machine)

  2. VS 2015, .Net Framework 4.0 and SHA-2 certificate (This is no different from using SHA-1 certificates. The VSTO files have only SHA-1 entries; not sure whether this will work after January 2016)

  3. VS 2015, .Net Framework 4.5.2 and SHA-2 certificate (Not suitable for me. I need to keep the target framework as 4.0)

I am installing the Excel add-ins on machines offline. They are always loaded from the file system.

[HKEY_CURRENT_USER\Software\Microsoft\Office\Excel\Addins\ExcelAddin1]
"Description"="ExcelAddin1 - COM add-in created with Visual Studio Tools for Office"
"FriendlyName"="ExcelAddin1"
"Manifest"="file:///C:/published/Addins/ExcelAddin1.vsto|vstolocal"
"LoadBehavior"=dword:00000003

Thank you.
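The question turns on which digest and signature algorithms actually ended up inside the generated .vsto manifest, which is easy to misread by eye. The following script is an added example, not part of the original question or of any answer, and not Microsoft tooling: it parses a deployment manifest with Python's standard xml.etree, collects every DigestMethod and SignatureMethod element regardless of namespace prefix, and classifies each Algorithm URI as SHA-1, SHA-2 or unknown. The embedded manifest text is a constructed sample that copies the shape of the fragments quoted above (a dependentAssembly hash digested with SHA-1, a publisher signature using RSA-SHA256); the exact element layout of a real .vsto file may differ, so the checker keys only on element local names and the Algorithm attribute.

```python
"""Audit a ClickOnce/VSTO manifest for SHA-1 digest and signature algorithms.

Added example for the question above; not part of any Visual Studio or VSTO tooling.
"""
import sys
import xml.etree.ElementTree as ET

# Algorithm identifiers (the part after '#' in the xmldsig URI) grouped by family.
# Microsoft manifests use the 2000/09 xmldsig namespace even for rsa-sha256, so we
# match on the fragment only and ignore the namespace part of the URI.
SHA1_IDS = {"sha1", "rsa-sha1", "dsa-sha1", "hmac-sha1"}
SHA2_IDS = {"sha256", "sha384", "sha512", "rsa-sha256", "rsa-sha384", "rsa-sha512"}

# Constructed sample manifest (assumption: mirrors the fragments in the question,
# not a real file produced by Visual Studio).
SAMPLE_VSTO = """<asmv1:assembly xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
                xmlns="urn:schemas-microsoft-com:asm.v2"
                xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <dependentAssembly dependencyType="install" codebase="ExcelAddIn1.dll.manifest" size="18274">
    <hash>
      <dsig:Transforms>
        <dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
      </dsig:Transforms>
      <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <dsig:DigestValue>DIGEST VALUE</dsig:DigestValue>
    </hash>
  </dependentAssembly>
  <publisherIdentity name="CN=Example Publisher" issuerKeyHash="0000" />
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha256" />
      <Reference URI="">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />
        <DigestValue>DIGEST VALUE</DigestValue>
      </Reference>
    </SignedInfo>
  </Signature>
</asmv1:assembly>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def classify(algorithm_uri):
    """Map an Algorithm URI to 'sha1', 'sha2' or 'unknown' by its fragment."""
    ident = algorithm_uri.rsplit("#", 1)[-1].lower()
    if ident in SHA1_IDS:
        return "sha1"
    if ident in SHA2_IDS:
        return "sha2"
    return "unknown"


def algorithm_findings(manifest_xml):
    """Return one dict per DigestMethod/SignatureMethod element, in document order.

    Each dict carries the element path (local names joined with '/'), the raw
    Algorithm URI and the verdict, so a reader can tell a dependentAssembly hash
    apart from the publisher signature block.
    """
    root = ET.fromstring(manifest_xml)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        name = local_name(elem.tag)
        if name not in ("DigestMethod", "SignatureMethod"):
            continue
        # Walk up to the root to build a readable location for the finding.
        path, node = [], elem
        while node is not None:
            path.append(local_name(node.tag))
            node = parent_of.get(node)
        alg = elem.get("Algorithm", "")
        findings.append({"path": "/".join(reversed(path)),
                         "algorithm": alg,
                         "verdict": classify(alg)})
    return findings


def uses_sha1(manifest_xml):
    """True if any digest or signature in the manifest still relies on SHA-1."""
    return any(f["verdict"] == "sha1" for f in algorithm_findings(manifest_xml))


def main(argv):
    # With a path argument, audit that file; otherwise audit the constructed sample.
    text = open(argv[1], encoding="utf-8-sig").read() if len(argv) > 1 else SAMPLE_VSTO
    for f in algorithm_findings(text):
        print(f"{f['verdict']:8} {f['path']}  {f['algorithm']}")
    print("SHA-1 present:", uses_sha1(text))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a .vsto or .dll.manifest path to list every digest and signature algorithm with its location in the document; run it without arguments to see the report for the embedded sample. Any identifier the script does not recognise (for instance a non-standard fragment) is reported as "unknown" rather than silently accepted, so such entries should be reviewed by hand instead of being assumed to be SHA-2.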
