Security Risks of Unsigned ClickOnce Manifests

Posted by Tom Tom on Programmers
Published on 2013-06-26T16:29:23Z Indexed on 2013/06/26 22:29 UTC

Using signed manifests in ClickOnce deployments, it is not possible to modify files after the deployment package has been published - installation will fail as hash information in the manifest won't match up with the modified files. I recently stumbled upon a situation where this was problematic - customers need to be able to set things like connection strings in app.config before deploying the software to their users.

I got round the problem by un-checking the option to "Sign the ClickOnce manifests" in VS2010 and explicitly excluding the app.config file from the list of files to have hashes generated during the publish process.

From a related page on MSDN

"Unsigned manifests can simplify development and testing of your application. However, unsigned manifests introduce substantial security risks in a production environment. Only consider using unsigned manifests if your ClickOnce application runs on computers within an intranet that is completely isolated from the internet or other sources of malicious code."

In my situation, this isn't an immediate problem - the deployment won't be internet-facing. However, I'm curious to learn what the "substantial security risks" of what I've done would be if it was internet-facing (or if things changed and it needed to be in the future).

Thanks in advance!
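
The following sketch is an added example, not part of the original post: it audits a ClickOnce application manifest, reporting whether it carries an XML `Signature` element and which listed files have no hash entry or no longer match their recorded digest. Without a signature, the digest values in the manifest are themselves unauthenticated. The function name, file names, and the trimmed sample manifest are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

ASM2 = "{urn:schemas-microsoft-com:asm.v2}"
DSIG = "{http://www.w3.org/2000/09/xmldsig#}"

def audit_manifest(manifest_xml, files):
    """Return (is_signed, {name: status}); files maps manifest names to bytes on disk."""
    root = ET.fromstring(manifest_xml)
    # A signed manifest has an XML-DSig <Signature> as a direct child of the root.
    is_signed = root.find(DSIG + "Signature") is not None
    # Data files appear as <file name=...>, assemblies as <dependentAssembly codebase=...>.
    entries = [(e.get("name"), e) for e in root.iter(ASM2 + "file")]
    entries += [(e.get("codebase"), e)
                for e in root.iter(ASM2 + "dependentAssembly") if e.get("codebase")]
    status = {}
    for name, elem in entries:
        digest = elem.find(f"{ASM2}hash/{DSIG}DigestValue")
        method = elem.find(f"{ASM2}hash/{DSIG}DigestMethod")
        if digest is None or method is None:
            status[name] = "unhashed"      # no integrity check exists for this file
        elif name not in files:
            status[name] = "missing"
        else:
            algo = method.get("Algorithm").rsplit("#", 1)[-1]   # e.g. "sha1", "sha256"
            actual = hashlib.new(algo, files[name]).digest()
            matches = actual == base64.b64decode(digest.text)
            status[name] = "ok" if matches else "mismatch"
    return is_signed, status

# Constructed sample: unsigned manifest, app.config excluded from hashing.
SAMPLE_FILES = {"MyApp.exe": b"MZ constructed sample", "app.config": b"<configuration/>"}
EXE_DIGEST = base64.b64encode(hashlib.sha1(SAMPLE_FILES["MyApp.exe"]).digest()).decode()
SAMPLE_MANIFEST = f"""<asmv1:assembly xmlns="urn:schemas-microsoft-com:asm.v2"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <dependency><dependentAssembly dependencyType="install" codebase="MyApp.exe">
    <hash><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <dsig:DigestValue>{EXE_DIGEST}</dsig:DigestValue></hash>
  </dependentAssembly></dependency>
  <file name="app.config"/>
</asmv1:assembly>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST, SAMPLE_FILES))
```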
