Inclusion List

This list is stored in the registry.
Every time a user makes a trust decision in response to a trust prompt, that decision is recorded in the registry under:

HKCU\Software\Microsoft\VSTO\Security\Inclusion\ 

For each solution that is trusted, a key with a GUID identifier is added.
An inclusion list entry includes the public key for the solution and the URL to the deployment manifest for the solution.
The public key corresponds to the RSAKeyValue element in the VSTO deployment manifest file.
This list can be edited programmatically using the following namespace:
Microsoft.VisualStudio.Tools.Office.Runtime.Security (AddInSecurityEntry class) in the Microsoft.VisualStudio.Tools.Office.Runtime.v9.0 assembly
more details - bb398239.aspx


When a VSTO solution is published and installed, if the solution's certificate is not explicitly trusted, a trust prompt is displayed that asks the user if they want to install the solution.



Visual Studio 2008 also automatically creates inclusion list entries for locally built VSTO customisations on your development computer.
Deleting these entries means the solution will no longer be trusted, and a trust prompt will occur if the solution is still registered when the customised application is next opened.


When a VSTO solution is built, a certificate must be used to sign the solution.
If a valid certificate is not provided, a temporary "self-cert" certificate is created, added to the project and then copied into the current user's personal store.


Inclusion lists enable users to grant trust to VSTO solutions that are signed with a certificate that identifies the publisher.
Inclusion lists are user-specific and can be used for both application-level and document-level solutions.


When a user starts a VSTO solution that has not been granted trust, a trust prompt is displayed.


A valid inclusion list entry has two parts:
1) a path to the deployment manifest
2) a public key used to sign the solution


When a VSTO solution runs, the public key from the inclusion list is compared with the signed key in the deployment manifest.
If you want to add your solution to the inclusion list without prompting the user, you can add the solution programmatically.


InclusionListCustomActions - custom actions that call the inclusion list APIs to pre-trust your solution.


The inclusion list is a list of registry entries.


using Microsoft.VisualStudio.Tools.Office.Runtime.Security;



Untrusted Publisher List ?
Trusted Publisher List ?
Internet Explorer Restricted Zone ?




Inclusion lists enable users to grant trust to Office solutions that are signed with a digital signature.
They are user-specific and can be used with both document-level and application-level solutions.
The registry is used to hold an explicit list of solutions that are trusted.


If you want to add a solution to the inclusion list without prompting the user, you can do this programmatically.


A valid inclusion list has two parts:
1) Path to deployment manifest
2) Public key used to sign the manifest


When the Office solution runs, Office compares the public key from the inclusion list with the signed key in the deployment manifest.
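
The comparison described above can be reproduced offline when auditing which solutions a user has trusted. This is an added example, not code from the original page or from Microsoft. It assumes each entry has been exported as a dictionary with "Url" and "PublicKey" fields and that the stored key is an RSAKeyValue XML string; the manifest and entries are constructed sample data, and the check does not validate the manifest signature itself.

```python
import base64
import xml.etree.ElementTree as ET

URL = "file:///C:/Deploy/ExcelAddIn1.vsto"  # constructed manifest location
KEY = "<RSAKeyValue><Modulus>%s</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
# Constructed, cut-down deployment manifest: only the XMLDSig key block is kept.
SAMPLE_MANIFEST = """<asmv1:assembly xmlns:asmv1="urn:schemas-microsoft-com:asm.v1">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <KeyInfo><KeyValue><RSAKeyValue>
      <Modulus>
        q83vASNFZ4mrze8BI0VniQ==
      </Modulus>
      <Exponent>AQAB</Exponent>
    </RSAKeyValue></KeyValue></KeyInfo>
  </Signature>
</asmv1:assembly>"""
# Constructed entries; the field names "Url" and "PublicKey" are assumptions.
ENTRIES = [
    {"Url": URL, "PublicKey": KEY % "q83vASNFZ4mrze8BI0VniQ=="},
    {"Url": URL, "PublicKey": KEY % "AAECAwQFBgcICQoLDA0ODw=="},
]

def rsa_key(xml_text):
    """Return (modulus, exponent) bytes of the first RSAKeyValue, or None."""
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] == "RSAKeyValue":  # ignore the XML namespace
            # Strip whitespace so pretty-printed base64 compares equal.
            parts = {c.tag.split("}")[-1]: "".join((c.text or "").split())
                     for c in el}
            try:
                return (base64.b64decode(parts["Modulus"], validate=True),
                        base64.b64decode(parts["Exponent"], validate=True))
            except (KeyError, ValueError):
                return None
    return None

def check_entry(entry, manifest_url, manifest_xml):
    """Classify an entry: match, url-mismatch, key-mismatch or unreadable-key."""
    # Case-insensitive URL comparison is a simplification made for this example.
    if entry["Url"].strip().casefold() != manifest_url.strip().casefold():
        return "url-mismatch"
    try:
        stored, signed = rsa_key(entry["PublicKey"]), rsa_key(manifest_xml)
    except ET.ParseError:
        return "unreadable-key"
    if stored is None or signed is None:
        return "unreadable-key"
    # Compare decoded key bytes, not the XML text, so formatting is irrelevant.
    return "match" if stored == signed else "key-mismatch"

if __name__ == "__main__":
    for e in ENTRIES:
        print(e["Url"], check_entry(e, URL, SAMPLE_MANIFEST))
```

An entry reported as key-mismatch or url-mismatch would not satisfy the comparison described above, so the solution would fall back to the trust prompt.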



