How to update manifest from sha1 to sha256?

Question

I have project on Visual Studio 2010 , C# , .NET Framework 3.5 , VSTO Excel COM-Addin . Recently one of clients added requirements: need to be sign with certificate. I bought "EV Certificate" from Sectigo, I can sign my whole setup, exe, .dll and etc. But then I try to Project --> Properties --> "Sign the ClickOnce manifests" with this certificate I can't even run project. I receive error pasting below.

It's my first experience with Certificates. And seems my Project is using sha1 which is deprecated from 2017. How can I update my project to sha256 ?

In Manifest for eg I see:

<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1/> <dsig:DigestValueBjwCX1w9SEEN4XGlQJVNJgdAr24=</dsig:DigestValue>

Error code:

Exception reading manifest from file:///C:/Users/...vsto: the manifest may not be valid or the file could not be opened.

************** Exception Text **************
System.Deployment.Application.InvalidDeploymentException: Exception reading manifest from file:///C:/Users/...vsto: the manifest may not be valid or the file could not be opened. ---> System.Deployment.Application.InvalidDeploymentException: Manifest XML signature is not valid. ---> System.Security.Cryptography.CryptographicException: SignatureDescription could not be created for the signature algorithm supplied.
   at System.Security.Cryptography.Xml.SignedXml.CheckSignedInfo(AsymmetricAlgorithm key)
   at System.Security.Cryptography.Xml.SignedXml.CheckSignatureReturningKey(AsymmetricAlgorithm& signingKey)
   at System.Deployment.Internal.CodeSigning.SignedCmiManifest.Verify(CmiManifestVerifyFlags verifyFlags)
   at System.Deployment.Application.Manifest.AssemblyManifest.ValidateSignature(Stream s)
   --- End of inner exception stack trace ---
   at System.Deployment.Application.Manifest.AssemblyManifest.ValidateSignature(Stream s)
   at System.Deployment.Application.ManifestReader.FromDocument(String localPath, ManifestType manifestType, Uri sourceUri)
   --- End of inner exception stack trace ---
   at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.GetManifests(TimeSpan timeout)
   at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()

Answer 1

Visual Studio 2010 (and VSTO for Framework 3.5) do not understand SHA256 certificates. You need to upgrade your Visual Studio and migrate your project to the current version of VSTO, then it will "just work".

Answer 2

This is an old question and I guess (hope) you found a solution long time ago. But I'll post my opinion here in case somebody else is stumbling on this in the future. If you are stuck with an earlier version of VS, maybe you can try not singning the clickonce manifest in VS but externally, using mage.exe or mageui.exe from a newer version. But keep in mind the Clickonce infrastructure in older .Net Frameworks running on your clients computer will not support SHA256, so you migh need to target .Net framework 4.0 or 4.5 because .Net 3.5 might not be able to recognise SHA256 signatures. Try first without using a timestamp server and make sure the publisher is recognised and then use a timestamp server and check once again if the publisher in shown correct when installing the app on a client computer (I noticed that using Comodo / Sectigo timestamp server will not work (results in "Unknown Publisher") but you can use any other timestamp server).