VSTO Add-in may fail to load if signed by some SHA256 certificates [Update: Fixed with latest VSTO runtime]

Symptom

A VSTO add-in may fail to load if all of the following conditions are true:

  1. The add-in manifests are signed with a SHA256 certificate using the SHA256-based signature algorithm (https://www.w3.org/2000/09/xmldsig#rsa-sha256).
  2. The “Require Add-ins to be signed by Trusted publisher” setting is checked in the Office Trust Center.
  3. The deployment manifest is not accessible (for example, you installed the VSTO add-in from a network location or USB drive that is no longer reachable).

If the VSTO_SUPPRESSDISPLAYALERTS environment variable is set to 0 (so that the runtime displays its load errors instead of silently disabling the add-in), you will receive the error "SignatureDescription could not be created for the signature algorithm supplied."

Cause

The VSTO ClickOnce infrastructure reads the deployment manifest to learn which signature algorithm was used (in this case the SHA256 algorithm, https://www.w3.org/2000/09/xmldsig#rsa-sha256). When it cannot find the deployment manifest, it falls back to default values, and those defaults do not include support for the SHA256 algorithm. The signature description therefore cannot be created, and the add-in fails to load with the error above.

Workaround

Any of the following workarounds will avoid the issue:

1. Keep the SHA256 certificate, but sign the manifests with the SHA1-based signature algorithm (https://www.w3.org/2000/09/xmldsig#rsa-sha1), which the fallback defaults do support.
2. Make sure the install location (the deployment manifest's codebase) is always accessible to the machine running Office.
3. Uncheck “Require Add-ins to be signed by Trusted publisher” in the Office Trust Center.
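The three conditions above, and the cause described under "Cause", can be checked against a copy of the deployment manifest before the runtime refuses to load the add-in. The following is an added diagnostic (it is not part of this post or of the VSTO runtime): it parses a ClickOnce deployment manifest (.vsto), reads the `SignatureMethod` algorithm and the `deploymentProvider` codebase, probes whether that codebase is reachable, and reports which of the three conditions hold. The sample manifest is constructed and trimmed to the elements the check needs; the Trust Center setting is passed in as a flag because reading it from the registry is out of scope here. The assumption, taken from the post, is that the runtime's fallback defaults resolve only the `rsa-sha1` method.

```python
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, List, Optional
from urllib.parse import urlparse
from urllib.request import url2pathname

# Namespaces used in a ClickOnce deployment manifest (.vsto).
NS = {
    "asmv2": "urn:schemas-microsoft-com:asm.v2",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Assumption from the post: when the deployment manifest cannot be read, the
# runtime's fallback defaults only know the SHA-1 based signature method.
FALLBACK_ALGORITHMS = {"rsa-sha1"}

# Constructed sample manifest (not a real add-in): install from a UNC share,
# signed with the SHA-256 based method. SignatureValue is a placeholder.
SAMPLE_MANIFEST = """<asmv1:assembly manifestVersion="1.0"
    xmlns="urn:schemas-microsoft-com:asm.v2"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <assemblyIdentity name="ExcelAddIn1.vsto" version="1.0.0.0" />
  <deployment install="true" />
  <deploymentProvider codebase="\\\\fileserver\\addins\\ExcelAddIn1.vsto" />
  <dsig:Signature>
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
    </dsig:SignedInfo>
    <dsig:SignatureValue>placeholder</dsig:SignatureValue>
  </dsig:Signature>
</asmv1:assembly>
"""

# Same manifest re-signed with the SHA-1 based method (workaround 1).
SAMPLE_MANIFEST_SHA1 = SAMPLE_MANIFEST.replace(
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1")


@dataclass
class Diagnosis:
    signature_algorithm: Optional[str]   # fragment after '#', e.g. 'rsa-sha256'; None if unsigned
    codebase: Optional[str]              # deploymentProvider/@codebase
    codebase_reachable: bool
    require_trusted_publisher: bool

    @property
    def fallback_cannot_resolve_algorithm(self) -> bool:
        return (self.signature_algorithm is not None
                and self.signature_algorithm not in FALLBACK_ALGORITHMS)

    def conditions_met(self) -> List[str]:
        met = []
        if self.fallback_cannot_resolve_algorithm:
            met.append(f"manifest signed with {self.signature_algorithm}, which the fallback defaults cannot resolve")
        if self.require_trusted_publisher:
            met.append("Trust Center requires add-ins to be signed by a Trusted Publisher")
        if not self.codebase_reachable:
            met.append(f"deployment manifest not reachable at {self.codebase!r}")
        return met

    @property
    def will_fail_to_load(self) -> bool:
        # All three conditions from the post must hold for the failure to occur.
        return len(self.conditions_met()) == 3


def signature_algorithm(root: ET.Element) -> Optional[str]:
    """Return the algorithm fragment of ds:SignatureMethod (works for any namespace prefix)."""
    node = root.find(".//ds:SignatureMethod", NS)
    if node is None:
        return None
    return node.get("Algorithm", "").rsplit("#", 1)[-1].lower()


def deployment_codebase(root: ET.Element) -> Optional[str]:
    node = root.find(".//asmv2:deploymentProvider", NS)
    return node.get("codebase") if node is not None else None


def local_codebase_exists(codebase: str) -> bool:
    """Reachability probe for drive, UNC and file:// codebases. HTTP(S) is not probed offline."""
    if codebase.lower().startswith("file:"):
        codebase = url2pathname(urlparse(codebase).path)
    if codebase.lower().startswith(("http:", "https:")):
        raise ValueError("probe HTTP codebases with an HTTP client; not done here")
    return os.path.exists(codebase)


def diagnose(manifest_xml: str, require_trusted_publisher: bool,
             probe: Callable[[str], bool] = local_codebase_exists) -> Diagnosis:
    """Evaluate the three conditions against a copy of the deployment manifest."""
    root = ET.fromstring(manifest_xml)
    codebase = deployment_codebase(root)
    reachable = probe(codebase) if codebase else False
    return Diagnosis(signature_algorithm(root), codebase, reachable, require_trusted_publisher)


if __name__ == "__main__":
    # Simulate the share being offline and the Trust Center setting checked.
    d = diagnose(SAMPLE_MANIFEST, require_trusted_publisher=True, probe=lambda cb: False)
    print("will fail to load:", d.will_fail_to_load)
    for reason in d.conditions_met():
        print(" -", reason)
```

Run it against the real `.vsto` file from the build output (or a copy taken at install time) with the default probe; breaking any one of the three reported conditions, as the workarounds above do, is enough for the add-in to load.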

Resolution

This issue is resolved in the updated VSTO Runtime, which can be installed from https://aka.ms/vstoruntime. Installing the updated runtime removes the need for the workarounds above.