How to sign ClickOnce artifacts when using Google Cloud KMS for code signing?

Question

How to sign ClickOnce artifacts when using Google Cloud KMS for code signing?

Darshana Dilhan 0

I've successfully done code signing using Google Cloud KMS and jsign for executable files, but I'm unable to sign ClickOnce manifest files.

Current Setup

Certificate: Code signing certificate from Sectigo (in .crt format)
Private Key: Stored in Google Cloud KMS (cannot be exported)
Signing Tool: jsign 7.1 (works perfectly for .exe files)

I’ve already tried signtool.exe, but it returns the error:

"This file format cannot be signed because it is not recognized" — for manifest files.

🔒 Note: I cannot use a .pfx file or sign via Visual Studio because Google Cloud KMS does not expose private keys.

Any guidance on tools, workflows, or workarounds would be greatly appreciated! Thanks.

3 answers

Your answer

Answer 1

I finally resolved this using Relic (a standalone signing tool by SAS) and Mage. The key is the specific order of operations:

Use mage -update on the .manifest.

Sign the .manifest with Relic (which supports GCP KMS natively).

Use mage -update -AppManifest on the .application file to link the newly signed manifest.

Finally, sign the .application and .exe files with Relic.

This 'Sign -> Update -> Sign' sequence prevents the HashValidation and IdentityMismatch errors common when switching to KMS-backed certificates.

Answer 2

Gade Harika (INFOSYS LIMITED) 2,590 Microsoft External Staff

Thank you for sharing the details.

your setup with Google Cloud KMS and jsign is impressive! You're absolutely right: signing ClickOnce manifest files is a bit more complicated due to the format and the limitations of tools like SignTool and Mage, which expect access to a .pfx file or a certificate in the local store.

The Core Issue

jsign doesn't support .application or .manifest files.

SignTool and Mage require a .pfx or a cert in the Windows cert store.

Google Cloud KMS keeps the private key non-exportable, so .pfx creation is off the table.

Possible Workarounds

Use Google Cloud KMS CNG Provider

Google offers a CNG provider that allows SignTool to access KMS-backed keys directly. You’ll need:

The latest Windows SDK (for SignTool)

The Google Cloud KMS CNG provider installed

Your certificate imported into the Windows cert store (without the private key)

Then you can use SignTool like this:

powershell

signtool sign /v /fd sha256 /csp "Google Cloud KMS Provider" /kc <KMS key path> <artifact>

However, this still won’t help with .manifest files unless Mage can also use the CNG provider—which it currently doesn’t.

Custom Signing Workflow

Since Mage requires a .pfx, consider creating a custom signing tool that:

Uses the Google Cloud KMS API to sign the manifest hash

Injects the signature manually into the manifest XML

This is advanced, but doable. You’d need to:

Extract the hash from the manifest

Sign it using the KMS asymmetric key via the API

Embed the signature back into the manifest

Hybrid CI/CD Pipeline

If you’re using a CI/CD system like Azure DevOps or GitHub Actions:

Use a self-hosted agent with access to the KMS key

Use a script like SignClickOnceApp.ps1 to sign the .exe with SignTool and the manifest with Mage

Modify the script to call Google Cloud KMS for signing instead of using a .pfx

Let us know if the issue persists after following these steps. We’ll be happy to assist further if needed. If the issue has been resolved, kindly mark the response as answered."

Gade Harika (INFOSYS LIMITED) 2,590 Reputation points Microsoft External Staff

2025-07-28T04:27:55.52+00:00

"Hope you're doing well. We're following up on the ticket. Please let us know whether the issue persists or has been resolved. If the issue has been resolved, kindly mark the response as answered."
Darshana Dilhan 0 Reputation points

2025-07-28T06:22:56.9366667+00:00
Thanks a lot for your response! I’ve started trying out the Custom Signing workaround you suggested. Here’s what I’m doing so far:

Creating the hash file of the .manifest file.

Generating the signature file.

Building a console app to embed the signature file and the certificate.crt content into the .manifest file.

I'm applying the same steps to the .application file as well. However, when trying to download the app, the publisher still shows as Unknown.

I'm currently working on figuring out the reason and will share the results here once I've completed the testing. Really appreciate your help!
Gade Harika (INFOSYS LIMITED) 2,590 Reputation points Microsoft External Staff

2025-07-28T11:36:40.1266667+00:00

Sounds good! Let me know once you’ve finished testing. If the issue has been resolved, kindly mark the response as answered."
Gade Harika (INFOSYS LIMITED) 2,590 Reputation points Microsoft External Staff

2025-08-05T05:38:20.1233333+00:00

"Hope you're doing well. We're following up on the ticket. Please let us know whether the issue persists or has been resolved. If the issue has been resolved, kindly mark the response as answered."
Gade Harika (INFOSYS LIMITED) 2,590 Reputation points Microsoft External Staff

2025-08-08T11:58:17.67+00:00

"Hope you're doing well. We're following up on the ticket. Please let us know whether the issue persists or has been resolved. If the issue has been resolved, kindly mark the response as answered."
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Varsha Dundigalla(INFOSYS LIMITED) 4,780 Reputation points Microsoft External Staff

2025-08-12T11:26:53.33+00:00

"Hope you're doing well. We're following up on the ticket. Please let us know whether the issue persists or has been resolved. If the issue has been resolved, kindly mark the response as answered."
Gade Harika (INFOSYS LIMITED) 2,590 Reputation points Microsoft External Staff

2025-08-15T12:35:26.54+00:00

We haven’t received any further updates or follow-up on this case, so we’ll proceed with closing it at this time. If you require additional assistance or have new information to share, please feel free to reach out with new thread. we’re happy to support you further needed.

Answer 3

david_son12 5

I've recently purchased a code signing cert for Google Cloud KMS. I followed this step for configuration and signing. Just check if it works for you, then: https://signmycode.com/resources/sectigo-code-signing-implementations-on-google-kms-key-management-service

Darshana Dilhan 0 Reputation points

2025-07-28T05:16:42.4233333+00:00
Hi, thanks for your reply. I’ve tried your solution.

Just like before, signing .manifest files ends with a "file format cannot be recognized" error. However, the same command works perfectly for .exe files.

I've attached two images below:

The first shows the result for signing the .manifest file

The second shows the result for signing the .exe file

Also could you please share some details about the application stack you used for signing? For example:

Application type (e.g., WinForms, WPF, Console, etc.)

Deployment method (e.g., MSI, ClickOnce)

Target platform (x86 or x64)

Any other relevant build or publish settings

This will help me understand the context better and compare with my setup.

Share via

How to sign ClickOnce artifacts when using Google Cloud KMS for code signing?

3 answers

Your answer