Securing Add-ins by Using ClickOnce

ClickOnce security is an optional feature in Visual Studio Tools for Applications. If you want to use ClickOnce to add security checks to the add-in loading process, you must implement interfaces defined by Visual Studio Tools for Applications in your host application. 

ClickOnce uses certificates as evidence for trust decisions. The trust decisions can be made by administrators in enterprise-level security policy, or by end users who install add-ins by using the ClickOnce trust prompt. Add-in developers must sign the application and deployment manifests for their add-ins with a certificate. The certificate status and ClickOnce trust prompt key determine whether the ClickOnce trust prompt appears to end users.

Implementing the ClickOnce Security Interface

The Visual Studio Tools for Applications runtime provides some ClickOnce infrastructure, but you must also implement the IClickOnceAddInTrustManager interface in your host application. This interface has two methods:

  1. You can use VerifyAddInTrust to evaluate whether the add-in should run based on the results of the certificate analysis.

  2. You can use VerifyAddInPermissions to read the permissions that the solution requires to run from the manifest. You can choose to modify the permissions before you install the add-in.

For more information about how the ClickOnce infrastructure works for deployment, see Deploying Add-ins by Using ClickOnce.

Authenticode Certificates

If the add-in developer signs the application and deployment manifests with a known and trusted certificate that identifies the publisher, the solution is automatically installed without prompting the end user to make a trust decision. As part of the trust decision process, the Trusted Publisher and Untrusted Publisher lists are checked. If the certificate is in the Untrusted Publisher list, the security checks are stopped and the add-in is not installed.

If a developer signs the solution with a temporary certificate, an administrator can re-sign the customization with a known and trusted certificate by using the Manifest Generation and Editing Tool (mage.exe), which is part of the Windows SDK. For more information, see How to: Sign Application and Deployment Manifests with Mage.exe. For more information about how to obtain a certificate for signing, see ClickOnce Deployment and Authenticode.

Trust Prompts

If the manifests are signed with a certificate that does not chain to a certificate authority, you can create a graphical user interface in the host application that prompts the end user to decide whether to trust and install a Visual Studio Tools for Applications add-in. Modify the ClickOnce Trust Prompt level to enable, restrict, or disable prompting for a trust decision.

Administrators can disable the ClickOnce trust prompt or require that the prompt occur only for solutions that are signed with an Authenticode certificate. You can change these settings separately for the MyComputer, LocalIntranet, Internet, TrustedSites, and UntrustedSites zones. For more information, see How to: Configure the ClickOnce Trust Prompt.
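The following read-only PowerShell audit reports the trust prompt level configured for each of the five zones. It is an added example, not part of the original documentation. It assumes the registry location and value names (Enabled, AuthenticodeRequired, Disabled) that the .NET Framework uses for the ClickOnce trust prompt, which this page does not list.

```powershell
# Added example: report the ClickOnce trust prompt level per zone (read-only).
# Assumption: the PromptingLevel key below is the .NET Framework location for
# this setting; the Wow6432Node path covers 32-bit hosts on 64-bit Windows.
$zones = 'MyComputer', 'LocalIntranet', 'Internet', 'TrustedSites', 'UntrustedSites'
$valid = 'Enabled', 'AuthenticodeRequired', 'Disabled'
$keys  = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel'
)

$report = foreach ($key in $keys) {
    # A missing key means no explicit policy was written for any zone.
    $props = $null
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key
    }

    foreach ($zone in $zones) {
        $level = $null
        if ($props) { $level = $props.$zone }

        if (-not $level) {
            $finding = 'Not set: runtime default applies'
        } elseif ($valid -notcontains $level) {
            $finding = 'Unrecognized value: review this entry'
        } elseif ($level -eq 'Enabled') {
            $finding = 'Prompt enabled: end users make the trust decision'
        } elseif ($level -eq 'AuthenticodeRequired') {
            $finding = 'Prompt restricted to Authenticode-signed add-ins'
        } else {
            $finding = 'Prompt disabled: no end-user trust decision'
        }

        [pscustomobject]@{
            Key     = $key
            Zone    = $zone
            Level   = $level
            Finding = $finding
        }
    }
}

$report | Format-Table -AutoSize -Wrap
```

Zones that report Enabled are the ones where an end user, rather than administrator policy, decides whether an add-in signed by an unknown publisher is installed.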

See Also

Tasks

How to: Configure the ClickOnce Trust Prompt

Concepts

Discovering and Loading Add-Ins

Securing and Deploying Add-Ins

How to: Sign Application and Deployment Manifests with Mage.exe

Deploying Add-ins by Using ClickOnce

Walkthrough: Integrating ClickOnce for a Managed Object Model

Other Resources

Visual Studio Tools for Applications 2.0