How to Sign ClickOnce Manifests with Visual Studio using the KSP Library?
A Key Storage Provider (KSP) is what you want behind your certificate when signing ClickOnce manifests with Visual Studio calls for stronger key protection and current cryptography.
I have seen many teams migrate from CSP-based certificates to KSP-based certificates because a KSP is the interface that modern hardware security modules (HSMs), smart cards and other secure key storage plug into.
When you deploy Windows desktop applications with ClickOnce, the signed manifests are what give users authenticity and integrity guarantees. If the manifests are not signed properly, users see warnings or, worse, the installation fails.
A KSP-backed certificate adds a further layer of security: the private key stays in secure storage and, provided it was generated as non-exportable or lives on hardware, cannot be exported.
Step-by-Step Process to Sign ClickOnce Manifests in VS using KSP Library
The steps below walk through signing ClickOnce manifests in Visual Studio with a KSP-backed certificate, in order.
Step 1: Understand the purpose of a KSP in ClickOnce signing
It helps to understand why the KSP matters before you start.
Older certificates kept their keys behind a Cryptographic Service Provider (CSP), the legacy CryptoAPI interface.
Modern environments use a Key Storage Provider (KSP), the equivalent interface in CNG (Cryptography Next Generation).
KSP advantages:
- Supports current cryptography through CNG, including elliptic-curve (ECDSA) keys, which legacy CSPs cannot hold
- Supports HSM and smart card protection
- Keys can be created non-exportable, and hardware-held keys never leave the device
- Helps meet compliance requirements; current CA/Browser Forum rules require code signing private keys to be held in certified hardware
- Fits enterprise key management (central HSMs, cloud key vaults)
If your organisation uses hardware tokens or a cloud HSM, your code signing certificate is almost certainly KSP-based.
Step 2: Install the Code Signing Certificate in Windows
The certificate has to be in the Windows certificate store before Visual Studio can use it.
If you received a certificate file (a .pfx/.p12 bundle containing the private key, or a .cer from your HSM or token vendor that pairs with a key already on the device):
- Double-click the certificate file.
- The Certificate Import Wizard opens.
- Select Current User or Local Machine (Visual Studio reads the Current User store).
- Choose the Personal certificate store.
- Enter the .pfx password if prompted.
- Complete the import.
To verify the installation:
- Press Windows + R, type certmgr.msc and press Enter.
- Expand Personal > Certificates.
Your code signing certificate should be listed there.
If you use a hardware token or an HSM-based certificate, make sure that:
- The token drivers are installed
- The vendor middleware is installed
- The vendor's KSP is registered on the system (certutil -csplist prints every registered CSP and KSP)
Without the right drivers, Visual Studio either will not see the certificate or will fail when it tries to open the private key.
Step 3: Check That the Certificate Uses a KSP
Not all certificates use a KSP. Some still use a legacy CSP.
To verify:
- Open the certificate from certmgr.msc; the General tab should say "You have a private key that corresponds to this certificate".
- The provider name is not shown in the certificate dialog. Run certutil -user -store My (or certutil -store My for Local Machine) and read the Provider = line printed under the certificate.
If it names a Key Storage Provider (such as Microsoft Software Key Storage Provider or your hardware vendor's KSP), you are ready.
Otherwise the key has to be moved into a KSP: ask your CA for a certificate issued against a KSP-generated key, or, if you still hold a .pfx, re-import it with certutil -user -csp "Microsoft Software Key Storage Provider" -importPFX yourfile.pfx. That gives you a software KSP key; hardware protection still requires the token or HSM route.
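The same check can be scripted. The following is an added example and not code from the original article: it lists the code signing certificates in the Current User Personal store (the store Visual Studio's Select from Store picker reads) and reports, for each, whether the private key sits in a CNG Key Storage Provider or a legacy CSP, which provider holds it, and the key's export policy. The function name, the output column names and the default store path are my choices; opening a hardware-held key may trigger the token's PIN prompt.

```powershell
# Added example (not part of the original article).
# Reports the key provider behind every code signing certificate in the Current User Personal
# store. Works in Windows PowerShell 5.1 and PowerShell 7 on Windows.
Set-StrictMode -Version Latest
try { [void][System.Reflection.Assembly]::Load('System.Security.Cryptography.Cng') } catch { }  # PowerShell 7 only
$codeSigningEku = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage OID: Code Signing

function Get-CodeSigningKeyProvider {
    param([string] $StorePath = 'Cert:\CurrentUser\My')   # the store Visual Studio's picker reads

    foreach ($cert in @(Get-ChildItem $StorePath)) {
        # Skip certificates that cannot sign code at all.
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $codeSigningEku })
        if ($ekus.Count -eq 0) { continue }

        $keyType = 'no private key'; $provider = $null; $exportPolicy = $null
        if ($cert.HasPrivateKey) {
            try {
                # These calls open the key through whichever provider owns it; a hardware KSP may ask for a PIN.
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($null -eq $key) {
                    $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
                }
                if ($key -is [System.Security.Cryptography.RSACng] -or $key -is [System.Security.Cryptography.ECDsaCng]) {
                    $keyType      = 'KSP (CNG)'
                    $provider     = $key.Key.Provider.Provider          # e.g. Microsoft Software Key Storage Provider
                    $exportPolicy = $(try { $key.Key.ExportPolicy.ToString() } catch { 'unknown' })
                } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $keyType      = 'CSP (legacy CryptoAPI)'
                    $provider     = $key.CspKeyContainerInfo.ProviderName
                    $exportPolicy = if ($key.CspKeyContainerInfo.Exportable) { 'AllowExport' } else { 'None' }
                } else {
                    $keyType = 'unknown key type'
                }
            } catch {
                $keyType = "cannot open key: $($_.Exception.Message)"   # typical when the token is unplugged
            }
        }

        [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            KeyType      = $keyType
            Provider     = $provider
            ExportPolicy = $exportPolicy   # 'None' is what you want for a signing key
        }
    }
}

# A certificate reported as 'CSP (legacy CryptoAPI)', or with an ExportPolicy other than 'None',
# is not giving you the protection this article is about.
Get-CodeSigningKeyProvider | Format-Table -AutoSize
```

The Thumbprint column is the value Visual Studio records in the project file once you select the certificate, so keep it to hand for the later checks.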
Step 4: Open the Visual Studio Project
Now open your ClickOnce project.
Steps:
- Launch Visual Studio
- Open your Windows Forms or WPF project
- Project menu > Properties
- Go to the Signing tab
The Signing tab controls deployment and manifest signing.
Step 5: Enable ClickOnce Manifest Signing
Inside the Signing tab:
- Check Sign the ClickOnce manifests.
- This enables the certificate selection options.
- Click Select from Store...
- Visual Studio opens a Windows Security dialog listing the code signing certificates in your Personal store.
- Choose the installed KSP-backed certificate from the list.
If the certificate does not appear:
- It must be in the Current User Personal store.
- It must have an associated private key (certmgr.msc shows a small key icon on the certificate).
- It must carry the Code Signing enhanced key usage (1.3.6.1.5.5.7.3.3).
- The token drivers and the vendor KSP must be installed.
Select the certificate, confirm, and return to the project settings.
Step 6: Configure a Timestamp Server
Timestamping lets signed manifests stay valid after the certificate expires: the verifier trusts the signature as long as the certificate was valid at the moment the timestamp was issued.
Under the Signing tab, enter the timestamp server URL.
Common timestamp URLs include:
http://timestamp.digicert.com or http://timestamp.sectigo.com
Why timestamping matters:
- Keeps the signature valid after the certificate expires.
- Required for long-lived deployments.
- Avoids trust warnings once the certificate has expired.
Without a timestamp, ClickOnce installs and updates can fail once the certificate expires. The timestamp URL is contacted during every publish, so the build machine needs outbound access to it.
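The choices made in Steps 5 and 6 are stored as MSBuild properties in the project file. The script below is an added example rather than code from the article: it parses a .csproj (or, for SDK-style projects, the ClickOnce .pubxml publish profile, which uses the same property names) and flags the two weak configurations seen most often, a .pfx selected via Select from File and a missing timestamp URL. The function name, the finding messages and the two sample project fragments are constructed for the example.

```powershell
# Added example (not part of the original article).
# Audits the manifest-signing properties that the Signing tab writes (SignManifests,
# ManifestCertificateThumbprint, ManifestKeyFile, ManifestTimestampUrl) so a code review or a CI job
# can reject a weak configuration before anything is published.
function Test-ClickOnceSigningConfig {
    param([Parameter(Mandatory)] [string] $ProjectXml)   # text of the .csproj or .pubxml

    [xml]$project = $ProjectXml
    $wanted = 'SignManifests', 'ManifestCertificateThumbprint', 'ManifestKeyFile', 'ManifestTimestampUrl'
    $props = @{}
    # Properties may be spread over several PropertyGroup elements; a later group overrides an earlier one.
    foreach ($group in @($project.Project.PropertyGroup)) {
        foreach ($name in $wanted) {
            $p = $group.PSObject.Properties[$name]
            if ($null -ne $p -and "$($p.Value)".Trim()) { $props[$name] = "$($p.Value)".Trim() }
        }
    }

    $findings = New-Object System.Collections.Generic.List[string]
    if ($props['SignManifests'] -ne 'true') {
        $findings.Add('FAIL: SignManifests is not true; the ClickOnce manifests will be published unsigned')
    }
    if ($props['ManifestKeyFile']) {
        # Select from File copies a .pfx into the project: a file-based, exportable key whose password
        # ends up on the build machine. Select from Store references the KSP-held key by thumbprint only.
        $findings.Add("FAIL: ManifestKeyFile=$($props['ManifestKeyFile']); select the KSP-backed certificate from the store instead of a .pfx")
    }
    if (-not $props['ManifestCertificateThumbprint']) {
        $findings.Add('FAIL: ManifestCertificateThumbprint is empty; no store certificate is selected')
    } elseif ($props['ManifestCertificateThumbprint'] -notmatch '^[0-9A-Fa-f]{40}$') {
        $findings.Add('FAIL: ManifestCertificateThumbprint is not a SHA-1 thumbprint (40 hex digits)')
    }
    if (-not $props['ManifestTimestampUrl']) {
        $findings.Add('FAIL: ManifestTimestampUrl is empty; signatures stop validating when the certificate expires')
    } elseif ($props['ManifestTimestampUrl'] -notmatch '^https?://') {
        $findings.Add("FAIL: ManifestTimestampUrl '$($props['ManifestTimestampUrl'])' is not an http(s) URL")
    }

    [pscustomobject]@{
        Pass       = ($findings.Count -eq 0)
        Properties = $props
        Findings   = $findings.ToArray()
    }
}

# --- Constructed sample project fragments (not real projects) ---
# Weak: a .pfx chosen via Select from File and no timestamp server.
$weak = @'
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <SignManifests>true</SignManifests>
    <ManifestKeyFile>MyApp_TemporaryKey.pfx</ManifestKeyFile>
    <ManifestCertificateThumbprint>0123456789ABCDEF0123456789ABCDEF01234567</ManifestCertificateThumbprint>
    <ManifestTimestampUrl></ManifestTimestampUrl>
  </PropertyGroup>
</Project>
'@
# Corrected: certificate referenced by thumbprint only (the key stays in the KSP) plus a timestamp server.
$good = @'
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <SignManifests>true</SignManifests>
    <ManifestCertificateThumbprint>0123456789ABCDEF0123456789ABCDEF01234567</ManifestCertificateThumbprint>
    <ManifestTimestampUrl>http://timestamp.digicert.com</ManifestTimestampUrl>
  </PropertyGroup>
</Project>
'@
Test-ClickOnceSigningConfig -ProjectXml $weak | Format-List   # Pass = False, two findings
Test-ClickOnceSigningConfig -ProjectXml $good | Format-List   # Pass = True
# Real project: Test-ClickOnceSigningConfig -ProjectXml (Get-Content .\MyApp.csproj -Raw)
```

The thumbprint in the sample fragments is a placeholder; on a real project compare the ManifestCertificateThumbprint value against the thumbprint certmgr.msc shows for your KSP-backed certificate.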
Step 7: Build and Publish the ClickOnce Application
After selecting the certificate, build and publish the project.
Steps:
- Right-click the project > Publish
- Choose the publish location
- Configure the publish settings
- Click Publish
During publishing, Visual Studio:
- Generates the ClickOnce manifests
- Uses the selected KSP certificate
- Signs the application manifest (.manifest)
- Signs the deployment manifest (.application)
If the KSP is hardware-backed (for example a USB token), you may be prompted for:
- The token PIN
- Smart card confirmation
- HSM authentication
Enter the credentials to complete the signing. The same prompt appears when a build server runs msbuild /t:Publish, so an unattended publish needs the token vendor's non-interactive PIN mechanism or a signing step that runs in an interactive session.
Step 8: Check the Signed ClickOnce Manifest
After publishing, check the signature:
- Open the publish folder.
- Locate the .application file (the deployment manifest) and the .manifest file under Application Files.
- ClickOnce manifests are XML files carrying an XML digital signature, not Authenticode PE signatures, so Explorer's Digital Signatures tab may show nothing for them. Open the file in a text editor and look for the Signature element (namespace http://www.w3.org/2000/09/xmldsig#) near the end.
You should see:
- A Signature element present
- The signing certificate embedded in it (X509Certificate)
- A timestamp countersignature, if a timestamp server was configured
If the signature is missing, the signing configuration is faulty.
For a cryptographic check use Mage.exe from the Windows SDK: mage -Verify MyApp.application.
Get-AuthenticodeSignature "path\to\file" in PowerShell verifies Authenticode signatures (PE files, scripts, MSI packages); it does not parse the XML signature in a manifest, so a NotSigned result from it proves nothing about the manifest either way.
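For a scripted version of this check, the following added example (mine, not the article's) reads the XML signature embedded in a manifest and reports which certificate signed it, whether it matches the thumbprint you selected in Visual Studio, whether that certificate chains to a trusted root, and how long it has left. It identifies the signer; it does not replace Mage.exe -Verify for validating the signature bytes. The function name and output fields are my choices, and the sample manifest at the bottom is constructed around a throwaway self-signed certificate so the script runs offline.

```powershell
# Added example (not part of the original article).
# Reports the certificate embedded in a ClickOnce manifest's XML digital signature.
# Windows PowerShell 5.1 on .NET Framework 4.7.2+ or PowerShell 7 on Windows (CertificateRequest
# and RSACng are only needed for the constructed sample).
try { [void][System.Reflection.Assembly]::Load('System.Security.Cryptography.Cng') } catch { }  # PowerShell 7 only
$dsigNs = 'http://www.w3.org/2000/09/xmldsig#'

function Get-ClickOnceManifestSigner {
    param(
        [Parameter(Mandatory)] [string] $ManifestXml,         # text of a .application or .manifest file
        [Parameter(Mandatory)] [string] $ExpectedThumbprint   # thumbprint of the certificate chosen in VS
    )
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()

    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true          # never reflow a signed document
    $doc.LoadXml($ManifestXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('ds', $dsigNs)

    # A signed ClickOnce manifest can carry more than one Signature element (the manifest signature
    # plus the embedded Authenticode licence), so collect every certificate found in any of them.
    $signatureCount = $doc.SelectNodes('//ds:Signature', $ns).Count
    $certs = @(foreach ($node in $doc.SelectNodes('//ds:Signature//ds:X509Certificate', $ns)) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [Convert]::FromBase64String($node.InnerText.Trim()))
    })
    $signer = $certs | Where-Object { $_.Thumbprint -eq $expected } | Select-Object -First 1

    # Verify() builds the chain to a trusted root and checks revocation; $false means users will be
    # warned at install time even though the manifest is signed (expected for the self-signed sample).
    $chainTrusted = $false; $daysLeft = $null
    if ($signer) {
        $chainTrusted = $signer.Verify()
        $daysLeft     = [int]($signer.NotAfter - (Get-Date)).TotalDays
    }

    [pscustomobject]@{
        SignatureCount   = $signatureCount
        EmbeddedCerts    = @($certs | ForEach-Object { "$($_.Subject) [$($_.Thumbprint)] valid to $($_.NotAfter.ToString('yyyy-MM-dd'))" })
        SignedByExpected = [bool]$signer
        ChainTrusted     = $chainTrusted
        DaysUntilExpiry  = $daysLeft
    }
}

# --- Constructed sample (not a real published manifest) ---
# A throwaway self-signed certificate with an RSACng key (so it lives in the Microsoft Software KSP),
# embedded in a skeleton of the Signature block Visual Studio/Mage write. DigestValue and
# SignatureValue are placeholders: the function identifies the signer, Mage.exe -Verify checks the bytes.
$rsa = [System.Security.Cryptography.RSACng]::new(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=Constructed Test Signer', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$testCert = $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddDays(-1), [DateTimeOffset]::UtcNow.AddYears(1))
$certB64  = [Convert]::ToBase64String($testCert.RawData)

$sampleManifest = @"
<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" manifestVersion="1.0">
  <assemblyIdentity name="ConstructedApp.application" version="1.0.0.0" xmlns="urn:schemas-microsoft-com:asm.v1" />
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <Reference URI="">
        <Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <DigestValue>AAAA</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>AAAA</SignatureValue>
    <KeyInfo><X509Data><X509Certificate>$certB64</X509Certificate></X509Data></KeyInfo>
  </Signature>
</asmv1:assembly>
"@

Get-ClickOnceManifestSigner -ManifestXml $sampleManifest -ExpectedThumbprint $testCert.Thumbprint | Format-List
# Real manifest (thumbprint placeholder is yours to fill in from certmgr.msc):
# Get-ClickOnceManifestSigner -ManifestXml (Get-Content .\publish\MyApp.application -Raw) -ExpectedThumbprint '<thumbprint>'
```

On the constructed sample SignedByExpected is True and ChainTrusted is False; on a real manifest signed with a CA-issued certificate both should be True, and SignatureCount should be at least 1.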
Step 9: Common Issues and Fixes
Sometimes Visual Studio does not sign with the KSP certificate.
Typical problems and their fixes:
The certificate is not visible in Visual Studio:
- Confirm it is in the Current User Personal store
- Restart Visual Studio
- Reconnect the hardware token
Private key not accessible:
- Check the token drivers
- Check the middleware software
- Confirm certmgr.msc shows that you have a private key for the certificate
Signing fails during publishing:
- Run Visual Studio as Administrator
- Make sure the PIN/token is available
- Check KSP compatibility with the vendor (driver and middleware versions)
Timestamp failure:
- Verify outbound internet access from the build machine (proxies often block the timestamp URL)
- Try another timestamp server
Step 10: Security Best Practices
When using KSP-backed certificates:
- Keep private keys on hardware or in a secure KSP, generated as non-exportable.
- Avoid exporting private keys.
- Restrict access to the certificate to authorised users (and, on a build server, to the build account).
- Protect the token with a strong PIN or password.
- Always enable timestamping.
- If a key is lost or leaked, have the CA revoke the certificate immediately.
KSP-backed certificates, especially hardware-backed ones, are more secure than .pfx files sitting on disk. Used properly, they limit the damage a compromised build machine can do: an attacker can sign while the token is present but cannot copy the key.
Once configured, Visual Studio signs the ClickOnce manifests automatically on every publish, so installs proceed without signature warnings and with strong cryptographic trust, assuming the certificate chains to a CA the user's machine trusts.
Conclusion
Signing ClickOnce manifests with a KSP-backed certificate in Visual Studio not only ensures application authenticity and integrity but also strengthens your overall security posture.
By leveraging modern cryptography, hardware-backed key protection, and proper timestamping, you can deploy applications confidently without installation warnings or compliance concerns. Once configured correctly, Visual Studio handles the signing process seamlessly during every publish, giving you both automation and enterprise-grade protection.
If you’re planning to secure your applications with a trusted code signing certificate, contact us today to purchase your code signing certificate. Our experts will guide you through selection, installation, and secure deployment to ensure your applications and websites remain fully trusted and protected.