Issue: Installation of Bootstrapper Package (setup package or ClickOnce package along with the pre-requisite(s)) created using the Visual 2010 or Visual Studio 2012 RTM may fail with the error: ‘Setup has detected that the file X has either changed since it was initially published or may be corrupt.’.
In my case, the issue started appearing on a machine where .NET Framework 4.5 was installed and Setup project was created using Visual Studio 2010.
When you publish any prerequisite bootstrapper the first thing we try to use is the bootstrapper packages certificate. If the package is not signed then we fall back on a hash of the bootstrapper to verify the integrity of the file being downloaded (This is why there is no issue when the bootstrapper package is signed).
In VS 2012 RTM we switched the hash calculation mechanism to SHA256 as its a more secure standard. Unfortunately we only did this during the msbuild package generation step. At runtime when the bootstrapper package was downloaded it would still try to create a SHA1 hash of the package it downloaded and compare it to the SHA256 hash generated during build which would never work.
At runtime when the bootstrapper package was downloaded it will still try to create a SHA1 hash of the package and compare it to the SHA256 hash generated during build which gave the error message “Setup has detected that the publisher of file cannot be verified”.
As described earlier, it wasn’t an issue with the VS 2010. In fact it is with .NET Framework 4.5/ Visual Studio 2012. This issue has been fixed with VS 2012 Update 2, where the runtime component (setup.bin) is updated to correctly calculate SHA1/SHA256 hashes of the file being downloaded for comparison to the hash generated during build. So if you are using the Visual Studio 2012 RTM then please upgrade it to latest update.
So why do we get the error with Visual Studio 2010?
Setup project created using the visual studio 2010 on a machine that have .NET Framework 4.5 uses MSBuild task from .NET Framework 4.5 , which in turn creates SHA256 hash for the bootstrapper package.
The runtime bootstrapper component in VS 2010 isn’t able to calculate this SHA256 hash correctly on the downloaded bootstrapper package.
The workaround to fix this issue is to replace the VS2010 Bootstrapper runtime component with the one from VS2012 Update 2 which is capable of handling the SHA256 hash -
To get the VS 2012 Update 2 bootstrapper engine copy the file from the location -
(v8.1A - VS2012) and replace the VS 2010 bootstrapper engine at -
(v7.0A - VS2010. You may want to keep a backup copy of this file just in case).
Content by: Keshav Deo Jain