Clickonce downloading the deploy files via HTTP and not HTTPS
- by Scott Manning
I am working on a project to deploy a project via clickonce. The website where these files are housed will only accept HTTPS traffic and if you attempt to connect via HTTP, our siteminder agent will redirect you to a HTTPS login form. We cannot disable the siteminder agent or enable HTTP for security reasons.
In the application file, I have a codebase that references an absolute path to the manifest and it is via HTTPS
<dependency>
<dependentAssembly dependencyType="install" codebase="https://psaportal.ilab.test.com/testprinting/Application_Files/testprint_1_0_0_1/testprint.exe.manifest" size="10147">
<assemblyIdentity name="testprint.exe" version="1.0.0.1" publicKeyToken="9a078649ee05e0e7" language="neutral" processorArchitecture="msil" type="win32" />
<hash>
<dsig:Transforms>
<dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<dsig:DigestValue>2nch1T0SmlAycmePobtg9F1qF7c=</dsig:DigestValue>
</hash>
</dependentAssembly>
</dependency>
In running wireshark and decoding the SSL traffic (I am using the server’s private key in wireshark to decrypt the SSL traffic). I see the request to the application’s manifest file is via HTTPS (This is a good thing). But when the clickonce tries to download the testprint.exe.deploy and the other respective files, it is always via HTTP and the siteminder jumps in and redirects the requests which kills the clickonce install with errors.
I have tried to specific an absolute codebase reference in the manifest file, but then I start getting entrypoint errors when the manifest is downloaded by the Clickonce installer.
The current dependency section from the manifest file looks like the following:
<dependency>
<dependentAssembly dependencyType="install" allowDelayedBinding="true" codebase="testprint.exe" size="107008">
<assemblyIdentity name="testprint" version="1.0.0.1" language="neutral" processorArchitecture="msil" />
<hash>
<dsig:Transforms>
<dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<dsig:DigestValue>dm2nJsu/5UyaEXSDmnISwfnE9MM=</dsig:DigestValue>
</hash>
</dependentAssembly>
</dependency>
I have verified that the website where the application, manifest and deploy files are all under the same URL and the SSL certificate is a valid certificate.
We have tried about every combination of generating application and manifest files as we a dream up and are looking for other solutions.
The application is using .NET 3.5 and we have tried building the application and manifest files via VS2008, VS2010 and mage with no success.
Does anyone know how to get all of the deploy files to always download via HTTPS?