Security Risks of Unsigned ClickOnce Manifests
- by Tom Tom
When ClickOnce deployments use signed manifests, it is not possible to modify files after the deployment package has been published - installation will fail because the hash information in the manifest won't match the modified files. I recently stumbled upon a situation where this was problematic - customers need to be able to set things like connection strings in app.config before deploying the software to their users.
I got round the problem by unchecking the option to "Sign the ClickOnce manifests" in VS2010 and explicitly excluding the app.config file from the list of files that have hashes generated during the publish process.
From a related page on MSDN:
"Unsigned manifests can simplify development and testing of your application. However, unsigned manifests introduce substantial security risks in a production environment. Only consider using unsigned manifests if your ClickOnce application runs on computers within an intranet that is completely isolated from the internet or other sources of malicious code."
In my situation, this isn't an immediate problem - the deployment won't be internet-facing. However, I'm curious to learn what the "substantial security risks" of what I've done would be if it were internet-facing (or if things changed and it needed to be in the future).
Thanks in advance!
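As an added example, not from the question or from Microsoft's tooling: a Python checker over a constructed, simplified ClickOnce application manifest (real manifests carry extra elements such as dsig:Transforms) that shows why a file published with its hash excluded can be edited without any mismatch being detectable, while an edit to the hashed file is caught.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

ASM = "urn:schemas-microsoft-com:asm.v2"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample file contents standing in for the published package.
FILES = {
    "MyApp.dll": b"MZ\x90\x00 constructed assembly bytes",
    "MyApp.exe.config": b"<configuration><connectionStrings/></configuration>",
}

def digest_b64(data: bytes) -> str:
    """ClickOnce stores file digests as base64 in <dsig:DigestValue>."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

# Constructed, simplified application manifest: MyApp.dll carries a hash,
# MyApp.exe.config was published with Hash = Exclude, so it has no <hash>.
MANIFEST = f"""<assembly xmlns="{ASM}" xmlns:dsig="{DSIG}" manifestVersion="1.0">
  <file name="MyApp.dll" size="{len(FILES['MyApp.dll'])}">
    <hash>
      <dsig:DigestMethod Algorithm="{DSIG}sha256"/>
      <dsig:DigestValue>{digest_b64(FILES['MyApp.dll'])}</dsig:DigestValue>
    </hash>
  </file>
  <file name="MyApp.exe.config" size="{len(FILES['MyApp.exe.config'])}"/>
</assembly>"""

def check_manifest(manifest_xml: str, files: dict) -> dict:
    """Map each <file> entry to 'ok', 'mismatch', 'unhashed' or 'missing'."""
    root = ET.fromstring(manifest_xml)
    status = {}
    for entry in root.findall(f"{{{ASM}}}file"):
        name = entry.get("name")
        digest = entry.find(f"{{{ASM}}}hash/{{{DSIG}}}DigestValue")
        if name not in files:
            status[name] = "missing"
        elif digest is None:
            status[name] = "unhashed"      # nothing to compare: edits are invisible
        elif digest.text.strip() == digest_b64(files[name]):
            status[name] = "ok"
        else:
            status[name] = "mismatch"      # this is what makes a ClickOnce install fail
    return status

if __name__ == "__main__":
    print(check_manifest(MANIFEST, FILES))
    # Edit the unhashed config: the check still reports it as merely 'unhashed'.
    edited = dict(FILES, **{"MyApp.exe.config": b"<configuration>changed</configuration>"})
    print(check_manifest(MANIFEST, edited))
```

Because the manifest in this scenario is itself unsigned, the hash list it contains is no more tamper-evident than the excluded config file.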