A first hand look from the .NET engineering teams
We wanted to let you know that we’ll be changing the signature verification process for ClickOnce applications and WPF XAML Browser Applications (XBAPs) in an upcoming update. This change will help users recognize when they’re running untrusted applications from the Internet Zone, but may require you to make changes to your applications. Currently, applications configured to run “online-only” will not display notifications requesting that the user make a decision whether to run the application or not. After the update, users will see an Application Run dialog commonly encountered when accessing applications over the Internet using Internet Explorer.
In some situations you may want to retain the current application launch behavior. There are two ways to achieve this:
1. Add the application publisher to the Trusted Publisher list. (http://msdn.microsoft.com/en-us/library/ms172241.aspx)
2. Add the application URL to the Trusted Sites list (http://windows.microsoft.com/en-US/windows-vista/Security-zones-adding-or-removing-websites)
Friends its really awesome esp. for USA,UK and Germany's friends
When is this change going into effect? Can developers get the update ahead of time so we can recreate the scenario, adjust our code, and ensure we fixed the problem?
Is this going to apply even if the application is signed with a trusted certificate from a CA like Verisign? Or does it only apply when people are using test certificates from Visual Studio?
When do you expect this to be released? Is this going to be released via Windows Update?
You do realize you could screw up thousands of people with this update?
(MVP, Client App Dev, but really for my work in ClickOnce support)
@Robin: The update will release via WU as a part of bulletin MS11-044. If the client machine has a Trusted CA then the 'new' prompt should not be displayed.
@Dennis: This is the same dialog shown in this thread - social.msdn.microsoft.com/.../16a81086-6acf-444d-9bcc-963af2982e06. The only scenario that will be broken is an application that expects to install and run silently.
We work hard to avoid taking updates that will cause developers to modify existing code to continue running. This is a case where we debated long about potentially causing some number of developers extra work in order to add a layer of protection for the millions of everyday folks browsing the web.