.Net application publisher certificate checking

Have a server app (NetApp SnapDrive 7) which installs a .Net service. The service fails to start and the MSI package rolls back.

It fails to start because it’s doing publisher cert checking and the servers don’t have internet access via proxy.

The workaround offered was to edit the app .config file and add <generatePublisherEvidence enabled="false" />

Described in this article: http://msdn.microsoft.com/en-us/library/bb629393(v=vs.110).aspx

And: http://msdn.microsoft.com/en-us/library/system.security.permissions.publisheridentitypermission(v=vs.110).aspx

Found this cert check can be turned off per machine in machine.config files.


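The following PowerShell finds all the .Net runtimes and turns off publisher cert checking in each machine.config. Because machine.config applies to every .Net application on the server, this changes the setting machine-wide, not only for SnapDrive. Make this a dependency of your NetApp SnapDrive 7 package.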

# Enumerate .Net framework runtimes and disable publisher cert checking
function Modify-Config([string]$filename,[string]$backupDir="~"){
  Write-Host "Loading XML $filename"
  $doc = New-Object xml
  $doc.Load($filename)
  Write-Host 'Locating parent node (/configuration/runtime)'
  $parent = $doc.SelectSingleNode('/configuration/runtime')
  if($null -eq $parent){Write-Error 'Non-default xml. Stopping'; return}
  Write-Host 'Locating child node (generatePublisherEvidence)'
  # SelectSingleNode returns the element itself; property access on an empty element returns a string
  $child = $parent.SelectSingleNode('generatePublisherEvidence')
  if($null -eq $child){Write-Host 'Creating child node'; $child = $doc.CreateElement('generatePublisherEvidence'); [void]$parent.AppendChild($child)}
  Write-Host 'Checking attribute "enabled"'
  if($child.GetAttribute('enabled') -ne 'false'){
    Write-Host 'Setting "enabled" to "false"'
    $child.SetAttribute('enabled','false')
    # Assumption: the post does not show how $backupDir was used; a copy of the original file is kept there
    $backup = Join-Path $backupDir (($filename -replace '[:\\]','_') + '.bak')
    Write-Host "Backing up to $backup"
    Copy-Item $filename $backup
    Write-Host 'Saving file'
    $doc.Save($filename)
  }
}
# Apply to machine.config of every installed runtime (32- and 64-bit); needs an elevated session
('Framework','Framework64') | %{"$env:windir\Microsoft.NET\$_"} | ?{test-path $_} | %{ls $_ -fi 'v*' | ?{$_.mode -like 'd*'}} | select -exp fullname | %{"$_\CONFIG\machine.config"} | ?{test-path $_} | %{Modify-Config $_}
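
To confirm what each runtime is actually configured to do, before or after the change, here is a read-only check. It is an added example, not part of the original post; Get-PublisherEvidenceSetting is a hypothetical helper name, and it accepts any .config path, so it also works on a single application's .config file.

```powershell
# Added example: report the generatePublisherEvidence state without modifying anything.
function Get-PublisherEvidenceSetting {
    param([Parameter(Mandatory=$true)][string[]]$Path)
    foreach ($file in $Path) {
        # No element present means the runtime default applies (evidence is generated)
        $state = 'NotSet (default: enabled)'
        $modified = $null
        try {
            # XmlDocument.Load resolves relative paths against the process directory,
            # so convert to a full file system path first
            $full = (Resolve-Path $file -ErrorAction Stop).ProviderPath
            $modified = (Get-Item $full).LastWriteTime
            $doc = New-Object xml
            $doc.Load($full)
            $node = $doc.SelectSingleNode('/configuration/runtime/generatePublisherEvidence')
            if ($null -ne $node) {
                $value = $node.GetAttribute('enabled')
                if     ($value -eq 'false') { $state = 'Disabled' }
                elseif ($value -eq 'true')  { $state = 'Enabled' }
                else                        { $state = "Unexpected value '$value'" }
            }
        } catch {
            # Missing file, access denied or malformed XML: report it instead of stopping
            $state = "Unreadable: $($_.Exception.Message)"
        }
        New-Object psobject -Property @{ File = $file; State = $state; LastWriteTime = $modified } |
            Select-Object File, State, LastWriteTime
    }
}

# Same runtime enumeration as the script above, written out in full
$machineConfigs = 'Framework','Framework64' |
    ForEach-Object { Join-Path $env:windir "Microsoft.NET\$_" } |
    Where-Object { Test-Path $_ } |
    ForEach-Object { Get-ChildItem $_ -Filter 'v*' | Where-Object { $_.PSIsContainer } } |
    ForEach-Object { Join-Path $_.FullName 'CONFIG\machine.config' } |
    Where-Object { Test-Path $_ }

if ($machineConfigs) {
    Get-PublisherEvidenceSetting -Path $machineConfigs | Format-Table -AutoSize
} else {
    Write-Warning 'No machine.config files found under Microsoft.NET'
}
```

The LastWriteTime column shows when each machine.config was last changed, which helps tie a setting back to the package deployment that made it.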

