Rick Strahl's Web Log

Azure Trusted Signing Revisited with Dotnet Sign

Rick Strahl — Mon, 02 Mar 2026 20:10:23 GMT

I wrote about how to get Azure Trusted Signing to work for my application signing tasks a while back and mentioned how frustrating that process was both on Azure as well as on the client for the actual signing process. Well, since then I'm happy to say that some additional tooling has come out from Microsoft that makes this process quite a bit easier and also the signing process considerably faster than my previous workflow.

This post is specifically about the client side of signing - the original post covers both the Azure setup for your Azure Trusted Signing account and that hasn't changed much as well as the old SignTool based workflow which was a pain in the ass. In this post I'll discuss the new-ish dotnet sign tooling that now works officially with Azure Trusted Signing and is a lot simpler to set up and faster to run.

The documentation for the local client signing part of this process is still nearly non-existent or, at minimum, non-discoverable, and LLMs absolutely give the wrong advice because of it. The change of terminology and command names in the tooling isn't helping either, along with the outdated documentation. Why in the heck would you name something as obscure and non-relevant as artifact-signing instead of the obvious trusted-signing that already existed? But I disgress 😄

So, here's the skinny on what works with a heck of a lot less effort than what I described in the previous post.

Setting up Trusted Signing

You still need to set up your Azure Trusted Signing, so that part hasn't changed, although by now hopefully the process to set this up might be a little simpler than what I described in my previous post:

Setting up Microsoft Azure Trusted Signing

Once you have your Trusted Signing account set up and ready to go, what has changed for the better is the process of how you sign your binaries on the local machine. It's quite a bit easier using dotnet sign as that tool combines everything you need through the single set of tools - except for the Azure CLI which is required for authentication.

Local Signing: Enter dotnet sign

dotnet sign is a dotnet tool that you install via the .NET SDK. You need to have the .NET SDK installed to install dotnet sign, as well as the Azure CLI so you can authenticate your Azure account.

Prerequisites

Install .NET SDK

The .NET SDK is required in order to install the dotnet tool infrastructure required to install and run the dotnet sign tool.

You can install the SDK from here if you don't already have it on your dev machine

.NET 10 SDK

dotnet tool and the .NET SDK

dotnet tool deployed applications use the locally installed .NET SDK to take advantage of the cross platform features of .NET without having to install any additional framework dependencies or having to create separate installers for each platform. A Dotnet tool will run on any of .NET's supported platforms assuming you use cross-platform compatible features only. It does this by automatically creating a platform specific executable for the tool application that dotnet tool install is run on. For this reason it's a convenient way to deploy tools across platforms and if you're in the .NET development eco-system in any way it's likely the .NET SDK is already installed.

Install Azure CLI

The Azure CLI is required so that you can authenticate using Azure's oAuth Authentication flow.

You can install the Azure CLI in a number of ways but the easiest is probably via WinGet.

Install Azure CLI

Here's the WinGet command:

winget install --exact --id Microsoft.AzureCLI

Logging into Azure CLI

Once the Azure CLI is installed you can then log in and set the subscription that your Certificate runs under:

az config set core.enable_broker_on_windows=false
az login
az account set --subscription "Pay-As-You-Go"

The prompt to login is interactive - follow the yellow prompts. I've had quite a few issues with the default Windows oAuth authentication using a Web Browser, and the first configuration line:

az config set core.enable_broker_on_windows=false

provides more reliable authentication directly in the CLI. You can try without it first, and if that doesn't work use that line to use the alternate sign in flow.

For me this was the only way I get it to work correctly. Your mileage may vary and you may not need it. Another thing to look out for is to make sure you choose the right subscription as subscription ids are hard to decipher in some cases if you have a few of them.

Install Dotnet Sign

Dotnet Sign is a dotnet tool installed executable, and in order to install it you need use the dotnet tool command that's part of the .NET SDK.

Make sure the .NET SDK is installed first, and then to install dotnet sign:

dotnet tool install -g --prerelease sign

The tool is currently in pre-release so the --prerelease switch is not optional - otherwise the package won't be found. You can also install locally into your project by omitting the -g switch which creates a fixed local copy instead of a global instance installed in the shared tools location.

Using Sign Code Artifact Signing

With all this in place you can now use the Sign command from the command line to sign your binaries. Specifically you'll use:

sign code artifact-signing --help

Note that although there's a trusted-signing option, it's now deprecated and you should use artifact-signing instead.

A full signing command for a binary file looks like this:

sign code artifact-signing  `
   --verbosity warning `
   --timestamp-url http://timestamp.digicert.com `
   --artifact-signing-endpoint https://eus.codesigning.azure.net/ `
   --artifact-signing-account MySigningAccount `
   --artifact-signing-certificate-profile MySignongCertificateProfile `  .\Distribution\MarkdownMonster.exe

You can specify multiple files and they will be batch sent together. Typically you'll want to run with Verbosity of warning, which doesn't show any output unless you have a problem. The default (Trace) and Information are very verbose and too much noise in any sort of build output unless you explicitly are looking for that.

Here's what that looks like with Information verbosity, when you run it in the Terminal:

Signing is considerably faster than what I saw with my old SignTool based workflow, with signing times under two seconds for most files (this is one is quite large). Based on this speed, it looks like sign uses locally created hashes rather than uploading the entire file to the server for processing.

Unfortunately, the new workflow with Sign doesn't support a metadata file like SignTool supports, so you have to specify all the Azure parameters explicitly. I'll fix that with the Powershell script provided below to keep that useful functionality intact.

Putting it all together into a Signing Script

The basic syntax for signing via Sign is now simple enough. However, I need signing in a lot of different projects, so I need to reuse the functionality across these various projects and provide the script as part of the local build infrastructure.

The reasons to create a script for all this are:

Using metadata configuration files (like SignTool used to use)
Handling login optionally
Handling parameter errors and signing errors
Documentation for prerequisites and configuration in the script
Self-contained for easy re-use - just copy two files

Here's the Powershell script:

# File name: Signfile.ps1
# Prerequisites:  
# dotnet tool install -g --prerelease sign
# Azure CLI required for logging in optionally
# Support metadata: SignfileMetaData.json

param(
    [string]$file = "",
    [string]$file1 = "",
    [string]$file2 = "",
    [string]$file3 = "",
    [string]$file4 = "",
    [string]$file5 = "",
    [string]$file6 = "",
    [string]$file7 = "",
    [string]$file8 = "",
    [boolean]$login = $false
)
if (-not $file) {
    Write-Host "Usage: SignFile.ps1 -file <path to file to sign>"
    exit 1
}

if ($login) {
    az config set core.enable_broker_on_windows=false
    az login
    az account set --subscription "Pay-As-You-Go"
}

# SignfileMetadata.json is not checked in. Format:
# {
#   "Endpoint": "https://eus.codesigning.azure.net/",
#   "CodeSigningAccountName": "MySigningAccount",
#   "CertificateProfileName": "MySigningCertificateProfile"
# }

$metadata = Get-Content -Path "SignfileMetadata.json" -Raw | ConvertFrom-Json
$tsEndpoint = $metadata.Endpoint
$tsAccount = $metadata.CodeSigningAccountName
$tsCertProfile = $metadata.CertificateProfileName
$timeServer = "http://timestamp.digicert.com"

$signArgs = @(
    "--verbosity", "warning",
    "--timestamp-url", $timeServer,
    "--artifact-signing-endpoint", $tsEndpoint,
    "--artifact-signing-account", $tsAccount,
    "--artifact-signing-certificate-profile", $tsCertProfile
)

# Add file arguments at the end
foreach ($f in @($file, $file1, $file2, $file3, $file4, $file5, $file6, $file7, $file8)) {
    if (![string]::IsNullOrWhiteSpace($f)) {
        $signArgs += $f
    }
}

# Run signtool and capture the exit code
sign code artifact-signing $signArgs
$exitCode = $LASTEXITCODE

if ($exitCode -eq 0) {
    Write-Host "File(s) signed successfully." -ForegroundColor Green
    exit 0
} else {
    Write-Host "Signing failed with exit code: $exitCode" -ForegroundColor Red
    exit $exitCode
}

This script uses a separate, external configuration file for the Azure values required for code signing to work. I tend to check in the signing script into Git, while the metadata is locally created and not checked in which separates the two. Alternately you can use some other approach to keep the private data out of your repo - environment variables would also do the trick, but I prefer this explicit approach because it makes it easy to copy the data and script across multiple projects while still keeping the private data out of Git.

Here's what the metadata file looks like:

// SignfileMetadata.json
{
  "Endpoint": "https://eus.codesigning.azure.net/",
  "CodeSigningAccountName": "MySigningAccount",
  "CertificateProfileName": "MyCodeSignCertificateProfile"
}

So now I can drop SignFile.ps and SignfileMetadata.json file into a folder and use it for signing.

In my build script I then have something like this to invoke the signing operation after my binaries have been built:

if ($nosign -eq $false) {    
    "Signing binaries..."
    .\signfile-dotnetsign.ps1 -file ".\Distribution\MarkdownMonster.exe" `
                    -file1 ".\Distribution\MarkdownMonsterArm64.exe" `
                    -file2 ".\Distribution\MarkdownMonster.dll" `
                    -file3 ".\Distribution\mm.exe" `
                    -file4 ".\Distribution\mmcli.exe" `
                    -login $false                   

    if ($LASTEXITCODE -ne 0) {
        Write-Host "Signing failed, exiting build script."
        exit $LASTEXITCODE
    }
}

and then again at the very end to sign the final setup distributable: l

.\signfile-dotnetsign.ps1 `
	-file ".\Builds\CurrentRelease\MarkdownMonsterSetup.exe" `
    -login $false

The meta data file can be created in the output folder and should not be checked into Git repo. Alternately you could also change the code to use environment variables if that suits your workflow better.

Dotnet Sign is Much Better

I've been using this new workflow for a couple of weeks now, and it has made signing a lot faster than Signtool. It appears that binaries are locally hashed and only the hash data is sent to the server result in much faster processing times. Average processing with Signtool was around well over 5 seconds per file, it's now down under 1 second per file - a huge improvement in packaging performance.

Microsoft's own documentation now also uses the Digicert timestamp server instead of the Microsoft one that has been failing for me on a regular basis. Using the DigitCert timestamp server I haven't had any signing failures in the last two weeks.

Summary

So all of this is good news, as it's taken away some of the early growing pains of using Azure Trusted Signing and makes it much more usable and predictable to run on the client without having to jump through all sorts of hoops.

It still isn't as simple as it could be, especially if developers are not already using the .NET ecosystem, but if you're doing code signing for Authenticode, you're likely a Windows developer.

The last hurdle that I'd like to get going now is NuGet signing. But I'll leave that for another time... Onwards.

Resources

this post created and published with the Markdown Monster Editor

Posted in Windows Security WPF

Don't use the Microsoft Timestamp Server for Signing

Rick Strahl — Thu, 26 Feb 2026 22:41:03 GMT

If you're using any of the Microsoft Signing technologies like Trusted Signing, one thing you might run into is frequent failures of the default, suggested timestamp server that Microsoft uses in their examples:

$timeServer = "http://timestamp.acs.microsoft.com"

For signing code with trusted signing like this:

$timeServer = "http://timestamp.acs.microsoft.com"

$args = @(
    "sign", "/v", "/debug", "/fd", "SHA256",
    "/tr", "$timeServer",
    "/td", "SHA256",
    "/dlib", "$env:LOCALAPPDATA\Microsoft\MicrosoftTrustedSigningClientTools\Azure.CodeSigning.Dlib.dll",
    "/dmdf", ".\SignfileMetadata.json"
)
# Add non-empty file arguments
foreach ($f in @($file, $file1, $file2, $file3, $file4, $file5, $file6, $file7)) {
    if (![string]::IsNullOrWhiteSpace($f)) {
        $args += $f
    }
}

# Run signtool and capture the exit code
.\signtool.exe $args

This works about 80% of the time for me in my multiple file signing workflow - yeah that's a pretty high failure rate! I end up signing 8 files per distribution (several app binaries and the final setup Exe) and quite frequently one of those signing operations (mostly the last one of the larger set up exe) fails with:

Figure 1 - Signing fails due to the Microsoft Timestamp Server

I see this happening in two separate but similar workflows both of which are signing a number of files in fairly rapid succession. I'm using Signtool to batch the files to sign, but it appears Signtool behind the scenes is still sending them one at a time - and that might be where the problem is - some sort of rate limiting kicking depending on how quick these files sign.

Regardless, whether it's an infra failure or a rate limiting issue, it's crazy to think that something as simple as a timestamp server could fail in a common scenario like this, but leave it to Microsoft to screw that up. 💩

Use a different TimeStamp Server

The solution to this is simple: Don't use the Microsoft server and instead switch to a different signing compatible Timestamp Server that is actually reliable.

I've been using DigiCert's server with this Url:

$timeServer = "http://timestamp.digicert.com"

and that has solved the problem for me at the moment. No more signing errors.

Resources

Fighting through Setting up Microsoft Trusted Signing
Alternate Timestamp Servers
- DigiCert
  - http://timestamp.digicert.com
  - http://timestamp.digicert.com/ts (alt endpoint)
- Sectigo (Comodo)
  - http://timestamp.sectigo.com
  - http://timestamp.comodoca.com/rfc3161
- GlobalSign
  - http://timestamp.globalsign.com/?signature=sha2
- SSL.com
  - http://ts.ssl.com
  - http://ts.ssl.com/rfc3161
- Entrust
  - http://timestamp.entrust.net/TSS/RFC3161sha2TS
- Certum (Asseco)
  - http://time.certum.pl

this post created and published with the Markdown Monster Editor

Posted in Security Windows

Reliably Refreshing the WebView2 Control

Rick Strahl — Thu, 05 Feb 2026 07:53:22 GMT

It seems like such a simple thing: Reloading Web Browser content when a page is already active. Just reload, right! But... it's never quite so simple. There is soft reload and hard reload, and it turns out the WebView2 control does not expose the underlying browser APIs in the same way you might be used to by your browser or DOM APIs. While there's Reload() functionality, there's no direct support for a hard reload that also reloads related resources like images, overriding local and server cache settings.

Specifically the WebView2 control has a CoreWebView2.Reload() method, but it lacks a noCache parameter to completely reload content of the page and all of its dependencies.

Why Hard Refreshes matter

Refreshing content is a common thing that you do in any Web application, but in local desktop applications it's even more important, as many applications render content to local files, and then load those files into the WebView for display as previews or or other Html type views.

For example in Markdown Monster and Documentation Monster I render preview Html to file and then display the Html output in the browser.

But in these specific scenarios typical 'page' updates update the in memory DOM with changes for much faster updates, rather than full reloads from disk.

However, there are a few scenarios that require a full reload of the page and all of its related resources. Specifically there are several operations that drop or paste images into the document and if an image has been changed I want to see the change immediately in the preview. By default Reload() will reload the page, but won't refresh the images so while I can force the refresh of the page content, if the image is already displayed, the changed image will not show up.

Hrmph! 😠

WebView2 Reload()

So the WebView has a CoreWebView2.Reload() method:

var url = WebView.Source?.ToString();
WebView.CoreWebView2.Reload()

If you call Reload() like this you'll find that even the page content sometimes still doesn't refresh - even if content has been changed. This can happen due to target site's cache policy or the browser cache policy with local files or if local files are not properly updating their LastWrite timestamps. Mostly a reload works for content though...

Dependent Resource Refreshing

But much worse is that even if the content page itself refreshes with Reload(), dependent resources like images, scripts, style sheets etc. usually do not.

This can be really annoying if you're using the browser as a previewer. For example, in Markdown editing you might paste an image into the editor and it displays fine. Then you make a change to the underlying image, refresh the browser and... the image does not update which is an annoying fail!

Figure 1 - Markdown Monster images don't update if using only CioreWebView2.Reload().

This happens even if the content page refreshes. Incidentally the same thing happens in a desktop browser, unless you hard refresh. And even then sometimes images do not refresh. But again, Reload() is not a hard refresh so by default support resources and in some cases even the main content do not refresh.

Hard Refresh in the WebView

So how do we do a real hard refresh in the WebView2 control?

Let's take a look...

Interactive Hard Reload with Keyboard Shortcuts

T he WebView control is essentially a full Chromium instance so it has most of Chromium's native features. This means you can press ctrl-shift-R or Ctrl-F5 to force a hard refresh in the browser - assuming you haven't overridden the key handling in some way in your host application.

It's an easy work around as long as your users are tech savy and do the key gymnastics or you've provided good documentation or visual clues to make the keyboard shortcuts accessible. But shortcuts are always difficult to bring attention to... it's just not very obvious. Obviously! 😂

Programmatic Hard Reload

Which brings us to programmatic solutions to Hard Refreshes that you can attach to commands or event handlers. Programmatic solutions are more explicit and... more obvious.

Good - Replace the Url

For a simple way to force at least the content page to refresh reliably, you can replace the Url and force the page to reload explicitly:

public void Refresh(bool noCache)
{
   if (WebBrowser == null || string.IsNullOrEmpty(WebBrowser.Source?.ToString()))
       return;  
       
   if (!noCache)       
   {
	WebBrowser.CoreWebView2.Reload();
	return;
   }

   var orig = WebBrowser.Source;
   WebBrowser.Source = new Uri("about:blank");
   WebBrowser.Dispatcher.Invoke( ()=> WebBrowser.Source = orig);
}

The idea here is that you force the Url to be reset in the control. The Url has to be set to a different value first and then reset to properly log a change so it gets set to about:blank then back to the original Url.

Note that it appears resetting the WebBrowser.Source is cycle dependent which is why I use a Dispatcher in the code above. In my use of this approach I started with two one-after-the-other WebBrowser.Source assignments and that worked most of the time but failed occasionally and unreliably. Using the Dispatcher improved the reliability significantly.

In most situations I've found that this also reloads dependent resources, but I've had reports from a number of users that on occasion they see images not refreshing. Fairly rare though so this seems to corroborate my timing suspicion of the Source assignment.

There are more reliable Reload() solutions, but the reason you might want to use this solution is to avoid blowing out your entire profile cache entirely on a reload as the two following approaches I show next do.

Better - Simple Cache Revocation

The next approach uses the WebView's built in Profile Cache APIs to clear the browser cache to force reloading all content. The WebView.CoreWebView2.Profile.ClearBrowsingDataAsync() method can be used to clear all or select cache items from the active profile.

The code is simple enough:

public void Refresh(bool noCache)
{
    if (WebBrowser == null || string.IsNullOrEmpty(WebBrowser.Source?.ToString())) return;

    if (noCache)
    {
        WebBrowser.Dispatcher.InvokeAsync(async () =>
        {
        	// Hard Repload by clearing the Cache
            await WebBrowser.CoreWebView2.Profile.ClearBrowsingDataAsync(CoreWebView2BrowsingDataKinds.DiskCache);
            WebBrowser.CoreWebView2.Reload();
        }).Task.FireAndForget();
        return;
    }

    WebBrowser.CoreWebView2.Reload();
}

The ClearBrowsingDataAsync() method can be called with no parameters which busts up all cached items, or you can specify which items to remove. For plain page display and related resources you typically only need the Disk Cache to be busted since related resources like images, scripts and style sheets are cached to disk in the WebView's Profile folder.

Note that the ClearBrowsingDataAsync() method is async, and you have to await the method for the cache clearing to complete before you can Reload() the page in order for the hard refresh to work.

I'm using WPF here to go from sync to async using the Dispatcher, but you could also make the entire method async and skip the Dispatcher to make this a little simpler. I'm doing that here because I have an older non-async interface I'm implementing and there's no need to explicitly make the external method async and await the Reload(), since navigation and reloading are inherently not directly awaitable in the WebView (you have to explicitly use events for that).

This method is the safest and most reliable way to ensure the browser and dependent resources are refreshed but there may still be some resources that are not refreshed.

Best - Hard Cache Revoke like Browser Hard Refresh

This brings up to the last approach which is essentially what the WebBrowser users internally and is the closest thing to pressing ctrl-shift-R to force a hard reset.

This solution uses the WebView DevTools API to force a refresh:

public void Refresh(bool noCache)
{
    if (WebBrowser == null || string.IsNullOrEmpty(WebBrowser.Source?.ToString())) return;

    if (noCache)
    {
        WebBrowser.Dispatcher.InvokeAsync(async () =>
        {
        	// Hard Reload the Page
        	if(WebBrowser?.CoreWebView2 != null) 
        	{            
	            await WebBrowser.CoreWebView2.CallDevToolsProtocolMethodAsync("Network.clearBrowserCache", "{}");
	            WebBrowser.CoreWebView2.Reload();
        	}
        }).Task.FireAndForget();
        return;
    }

    WebBrowser.CoreWebView2.Reload();   // not working reliably if file initial navigate failed
}

The key here is the call to the DevTools protocols:

await WebBrowser.CoreWebView2.CallDevToolsProtocolMethodAsync("Network.clearBrowserCache", "{}");

This CallDevToolsProtocolMethodAsync() API exposes a shit-ton of internal browser functionality via a command interface and Network.clearBrowserCache is one of the simplest ones.

But, there are some limitations to this API: it requires either a visual host running on an STA thread (which is every desktop UI app), or has to be used with a headless host explicitly in non-UI application contexts which is a lot more complicated. If you're in the latter category stick with the ClearBrowsingDataAsync() API instead as that has fewer limitations.

Also Recommended: ClearCache()

Sometimes you may not need to or cannot do a full refresh, but you still want to refresh resources when they are re-rendered. For example, if you use JavaScript to update the DOM with Html you might re-render an image Url where the file has changed in the same way as with a full refresh. If you clear the cache and the DOM re-renders the replaced block of Html it also refreshes the image.

For this reason I also recommend adding an explicit and more obvious ClearCache wrapper if for nothing else than making it more easily visible or because the WebBrowser might be hidden behind an API interface.

public Task ClearCache()
{
	if(WebBrowser?.CoreWebView2 != null) 
	   {            
		return WebBrowser.CoreWebView2.CallDevToolsProtocolMethodAsync("Network.clearBrowserCache", "{}");
	}
	return Task.CompletedTask;
}

It's a heck of a lot easier to remember to call this ClearCache() method rather than the DevTools API call.

If you're using the Westwind.WebView library and WebViewHandler which is WebView Behavior class that adds many common features and operations to your WebView, you'll find Reload() and ClearCache() methods on that class.

The same approaches can also be used for Navigation instead of just for Reload(). You can run into the same cache issues with plain navigation, as resources like images may have been previously rendered in other pages, and if you then load another page with the same image that image may still be coming from cache.

So in my apps I typically also provide a Navigate method like this (use the Hard Refresh option of your choice):

public void Navigate(string url, bool noCache)
{
    if (noCache)
    {                
        WebBrowser.Source = new Uri("about:blank");  // force a refresh
        WebBrowser.Dispatcher.InvokeAsync(async () =>
        {
            await WebBrowser.CoreWebView2.CallDevToolsProtocolMethodAsync("Network.clearBrowserCache", "{}");
            WebBrowser.Source = new Uri(url);
        }).Task.FireAndForget();
    }            
    WebBrowser.Source = new Uri(url);
}

You can find these methods also as part of the Westwind.WebView library and the WebViewHandler class which includes Navigate() and Reload() methods with various overloads.

Summary

Browser page reloads are common, but unfortunately the WebView2 doesn't make this functionality very straightforward if you need to do a hard reload that refreshes the page and all of its dependencies.

Luckily there are relatively simple workarounds you can use:

Interact keyboard shortcuts
Replacing the URL explicitly
(use if you don't want to blow out your entire cache on Reload())
Using CoreWebView2.ClearBrowsingDataAsync()
(for the most compatible cache busting approach)
Using CoreWebView2.CallDevToolsProtocolMethodAsync("Network.clearBrowserCache")
(for the most reliable hard cache refresh - but with some environment caveats)

All are simple, but not so obvious solutions and you can choose for your specific scenario.

In my Preview Rendering apps I'm use the Dev Tools approach since I know the Desktop applications have access to the DevTools and because I want to make sure images get refreshed. Finally in my apps all resources are local, and relatively small so blowing the cache is not a problem.

As always I'm writing this down for future reference, since I'm sure I'll come looking for this information again. Maybe you will too...

Resources

this post created and published with the Markdown Monster Editor

Posted in WebView Windows WPF

What the heck is a `\\.\nul` path and why is it breaking my Directory Files Lookup?

Rick Strahl — Mon, 08 Dec 2025 23:15:18 GMT

I've been trying to track down an odd bug in my logs related to Null device failures in directory lookups which have been causing application level exceptions. In some odd scenarios these null mappings are showing up for files. In this post I take a look at what they are and how to work around them for this very edge case scenario.

Using the new WebView2 AllowHostInputProcessing Keyboard Mapping Feature

Rick Strahl — Thu, 21 Aug 2025 03:17:34 GMT

If you've used the WebVIew2 control for a UI interactive Hybrid active you've probably run into some odd keyboard behavior, where some keys cannot be captured properly in the host application or are not forwarded quite the way they normally behave. In the newer releases of the WebView SDK there's a new option called `AllowHostInputProcessing` that allows for forwarding keyboard events more aggressively to the host which fixes some Windows behaviors and introduces some new issues.

Fighting through Setting up Microsoft Trusted Signing

Rick Strahl — Mon, 21 Jul 2025 00:56:23 GMT

It's that time of year again to update my CodeSigning certificate, only to find out that the rules have changed since I last did this. Certs now require either a physical hardware key or a online service provides the non-exportable keys to sign binaries along with massive price increases for the privilege. So I decided to give Microsoft's new Trusted CodeSigning service a try, and while that entails all the joy of setting up Azure services, at the and of the day it works and is a considerably more economical way for CodeSigning to work. In this post I describe how to set this up hopefully to help you avoid some of the pain I went through.

Centering a WPF TreeViewItem in the TreeView ScrollViewer

Rick Strahl — Wed, 16 Jul 2025 04:23:03 GMT

One of the annoying features of the TreeView in WPF is the inability to easily select and make an item prominently visible. While there is `TreeView.BringIntoView()` it doesn't do a good job dropping the item that the very bottom (or top) of the viewport with no way to center. In this post I show a few helper methods that facilitate this process and a few related tasks with some useful TreeView helpers.

Unpacking Zip Folders into Windows Long File Paths

Rick Strahl — Sun, 22 Jun 2025 11:00:48 GMT

Ah, long file paths bit me again today - this time with `ZipFile.ExtractToDirectory()` not unzipping long path files, even when specifying long path syntax for the output folder. In this post I briefly review Windows long path issues again, and describe what doesn't work and how to work around this particular problem. While specific to `ExtractToDirectory()` a similar approach might apply to other batch file based operations.

Adding Runtime NuGet Package Loading to an Application

Rick Strahl — Tue, 10 Jun 2025 04:40:37 GMT

It's not a common use case, but if you need need to dynamically add external code at runtime, NuGet packages are the most familiar way for developers to add that functionality besides old-school direct assembly loading. In this post I look at my LiveReloadServer local Web Server tool and how I integrated both external assembly loading and NuGet package support to allow extensibility for the Razor (and Markdown) scripting functionality of LiveReloadServer.

Distinguished Name on FileZilla Server Self-Generated Certs

Rick Strahl — Fri, 06 Jun 2025 20:44:04 GMT

Renewing Filezilla certificates I've run into a 'huh?' moment a few times trying to renew the self-signed certificates for the Administration interface. Trying the obvious entries of putting in the DNS names results in an error that's not perplexingly is fixed by providing a full Common Name instead.

Configuring Microsoft.AI.Extensions with multiple providers

Rick Strahl — Sat, 31 May 2025 08:56:33 GMT

Microsoft.Extensions.AI is the new base library for creating AI clients in an abstracted way. While the library does a great job with the abstraction of the interfaces it works with, the provider interfaces that create the intial abstractions like IChatClient are a lot less user friendly with hard to discover syntax based on extension methods and different syntax for each provider. In this post I review three providers and how to get them instantiated along with a small streaming example to use them.

Lazy Loading the Mermaid Diagram Library

Rick Strahl — Sun, 11 May 2025 09:26:29 GMT

The Mermaid library is a large beast, and if you're using it selectively in your Web content you probably want to make sure you don't load it unless you actually need it, due to it's download footprint and load time. If you're loading Mermaid with server only code it's pretty straight forward, but if you use it on the client there you may want to delay loading the library until you actually need to display a diagram.

WebView2: Waiting for Document Loaded

Rick Strahl — Tue, 06 May 2025 21:50:16 GMT

WebBrowser loading is always async and the WebView2 control is no different - in fact it's more complex as there a number of events that need to be handled in order to properly handle loading the control. In this post I describe how you can create a simplified load checking routine, or use the Westwind.WebView library and WebViewHandler to wait on content and process document access using linear `await` syntax.

Avoiding WPF Image Control Local File Locking

Rick Strahl — Mon, 28 Apr 2025 22:01:46 GMT

WPF locks local images when referenced via a Source attribute. In this post I discuss why this might be a problem and how you can work around it using native XAML and custom binding converter that provides a consolidated approach that includes image caching for better performance of reused images.

The Strong ARM of .NET: Wrestling with x64 and Arm64 Desktop App Deployment

Rick Strahl — Sat, 19 Apr 2025 08:35:43 GMT

.NET works great for cross-platform development making it easy to build apps that are cross-platform and cross-architecture specifically for x64 and Arm64. However, building a distributable application that can install and run out of box on both of these platforms, that's a bit more effort. In this post I discuss some of the gotchas and how to work around them to distribute apps that run out of the gate on both platforms.

Using Windows.Media SpeechRecognition in WPF

Rick Strahl — Tue, 25 Mar 2025 04:33:00 GMT

Windows has a pretty capable SpeechRecognition engine built-in via Windows Media services. In .NET these features are accessible via the Windows SDK (WinSdk) that expose these Windows features to .NET applications. In this post I discuss how you can integrate these features into a WPF application, and discuss some of the pitfalls along the way that you have to watch out for related to the SDK integration 'features'.

Making Html Input Controls Truly ReadOnly

Rick Strahl — Fri, 14 Mar 2025 20:26:04 GMT

A discussion of how to show readonly controls in user interface and ensuring that they are not UI activated. This post discusses readonly and disabled behavior and how you can make readonly behave better if you choose to use it over disabled.

Accessing Windows Settings Dialogs from Code via Shell Commands

Rick Strahl — Thu, 13 Mar 2025 22:40:22 GMT

Windows has support for an `ms-setting:` Protocol Handler/Uri Scheme that allows you to directly open most Windows settings dialogs directly via simple Url based shell commands.

Resolving Paths To Server Relative Paths in .NET Code

Rick Strahl — Sun, 09 Mar 2025 06:39:18 GMT

ASP.NET Core has support for resolving Urls in Controllers and Razor Pages via embedded `~/` links in Views and via `Url.Content()`. But, these features are tied to Controllers or Razor Pages - what if you need to resolve Urls elsewhere, in middleware or even inside of business logic? In this post I describe how you can build a couple of helpers that are more flexible and also provide some additional functionality of resolving site root and relative paths to full site root paths.

Inline Confirmations in JavaScript UI

Rick Strahl — Thu, 27 Feb 2025 09:02:10 GMT

Confirmation dialogs or modal popups can be annoying in HTML applications. What if you could instead use an inline UI to confirm an operation? In this post I describe a simple way you can use an inline UI to confirm an operation that can be easily implemented with a few lines of code and a couple of binding directives.

Retrieving Images from the Clipboard Reliably in WPF Revisited

Rick Strahl — Sat, 22 Feb 2025 08:09:36 GMT

The WPF Clipboard is notoriously bad for retrieving image data, mainly because of the funky behavior of the ImageSource control into which clipboard data is loaded. WPF cuts a lot of corners when retrieving images and there are many scenarios where Clipboard.GetImage() either crashes or doesn't render the supposedly successfully retrieved image. In this post I review some of the challenges and how you can work around the retrieving an ImageSource with an intermediary load of a bitmap in between to provide reliable image retrieval from the clipboard in WPF.

Comparing Raw ASP.NET Request Throughput across Versions: 8.0 to 9.0 Edition

Rick Strahl — Sun, 19 Jan 2025 22:51:02 GMT

Once again I'm taking a look at the newish .NET release and how it compares to the previous release - this time .NET 9.0 from .NET 8.0. I'll run my simple load tests to compare performance and also discuss a number of anecdotes from running .NET 9.0 in production apps for the last couple of months.

Back to Basics: Using the Parallel Library to Massively Boost Loop Performance

Rick Strahl — Fri, 27 Dec 2024 23:37:19 GMT

I recently had another occasion to add Parallel.ForEachAsync() into an application to improve performance of an Http look up operation drastically. When I tweeted a note on X there was quite a bit of response, so I thought I follow up and discuss Parallel use in this use case and when it makes sense to use Parallel in applications.

Getting the Current TabItem when the Tab is not selected in WPF

Rick Strahl — Sat, 09 Nov 2024 09:10:44 GMT

There's no direct support in WPF to find the control that the mouse is hovering over in Items controls like the TabControl, so if you need to bring up context sensitive information like a context menu or tooltip it takes a little extra effort to get the correct item to work with in this case ContextMenuOpening.

Using SQL Server on Windows ARM

Rick Strahl — Thu, 24 Oct 2024 21:59:54 GMT

I recently got a SnapDragon X Elite ARM device to play with and while I've been impressed with all things that work very well on it, one thing did not install easily: SQL Server. There's no ARM version of SQL Server and the x64 versions don't run on ARM devices. Docker images are also amd64 so that didn't work well either. Turns out you can use LocalDb onin emulation mode, but setting it up is anything but intuitive. In this post I discuss how to get SQL Server to run on a Windows ARM device.

Getting the ASP.NET Core Server Hosting Urls at Startup and in Requests

Rick Strahl — Wed, 04 Sep 2024 09:31:35 GMT

Ever need to retrieve an ASP.NET application's hosting Urls? There are million ways to set these URLs but there's no easy fixed location where you can pick the addresses up from. Instead you have to go through a bit of a dance, and use one of two approaches depending on whether you need the addresses during startup or inside of a request.

Nuking Local Nuget Package Sources to show newly Published Packages

Rick Strahl — Sun, 04 Aug 2024 23:52:12 GMT

Every once in while when I publish a NuGet package and then try to use the published package in another project I end up with a situation where the new package simply is not recognized. Most of the time it shows up after a few minutes, but on more than a few occasions I've stuck waiting for quite a while waiting for the package cache to refresh. Luckily there's a way to nuke the cache and force Nuget to re-read local packages and while that is the nuclear option that requires downloading a lot of packages it works to make your project compile - right now!

Create a .NET PlantUML Markdown Render Extension

Rick Strahl — Mon, 29 Jul 2024 22:16:35 GMT

PlantUML is a Web based diagramming markup language that can be used to create diagrams using text descriptions that are rendered into images via a PlantUML server. In this post I describe how you can integrate PlantUML image rendering into your .NET application, specifically from a Markdown rendering perspective as Markdown documents are the most common mechanism that PlantUML output is delivered.

Back to Basics: Await a Task with a Timeout

Rick Strahl — Thu, 25 Jul 2024 21:48:00 GMT

Sometimes it's useful to call async methods and be able to stop waiting after a given timeout period. Unfortunately there's no native support on Task to provide this. In this short post I show how you can simulate timeouts and provide a couple of helper methods to make the process generically available.

Work around the WebView2 NavigateToString() 2mb Size Limit

Rick Strahl — Tue, 23 Jul 2024 07:53:44 GMT

The WebView2 control's NavigateToString() method has a limit for the string size of 2mb, which can be a problem especially for HTML pages with embedded content. In this post I'll describe how this problem can show up and show a couple of ways to work around the issue.

Dealing with Platform Specific Classes and Methods in CrossPlatform .NET

Rick Strahl — Fri, 19 Jul 2024 07:02:59 GMT

If you deal with old .NET library code that is sprinkled with some Windows specific code in places you've likely run into places where the Windows specific code is throwing up unwanted compiler warnings. Sometimes that matters, but often times these warnings are annoyances as these methods are highly unlikely to get called from x-platform code. In this post I describe some annoyances, how you can work around them and eventually fix the issues without throwing everything out the window.

C# Version String Formatting

Rick Strahl — Fri, 14 Jun 2024 06:12:37 GMT

I'm tired of trying to format versions for user facing interfaces after fumbling with it again and again. In this short post I show a small helper extension method that lets you configure how to form user friendly version strings to display to end users.

Mime Base64 is a Thing?

Rick Strahl — Mon, 27 May 2024 07:50:45 GMT

Ran into an old legacy application recently that required that attached data was preformatted to Mime Base64 which I never even heard of before. Turns out it's a 'url-safe' version of base64 that replaces certain characters that can be present in base64 with 'safe' characters. In this short post I show a small helper that handles several Base64 Mime operations.

Speed up your Start Menu by disabling Web Search

Rick Strahl — Sat, 04 May 2024 06:53:30 GMT

If you're like me, you've probably cursed the Windows Start menu from time to time, when it's either very slow to pop up, or in some instances fails to pop up at all when you press the Windows key. This simple tip can drastically improve performance of your Windows Start Menu by simply disabling Web search.

ASP.NET Core Hosting Module with Shadow Copy Not Starting: Separate your Shadow Copy Folders!

Rick Strahl — Mon, 29 Apr 2024 01:06:35 GMT

I recently ran into a major failure related to Shadow Copying for an ASP.NET Web app on IIS which was caused by corruption of the Shadow Copy directories. The app starts with the dreaded white ANCM Error page and event log entries that point at missing application folders. It turns out that this is caused by interference of multiple applications using the same shadow copy folder. In this post I describe the problem and how to work around it.

Programmatic Html to PDF Generation using the WebView2 Control with .NET

Rick Strahl — Wed, 27 Mar 2024 07:59:52 GMT

In this post I describe how to use the Microsoft WebView2 control to automate HTML to PDF generation generically for any kind of Windows application, including services. We'll look at the WebView and it's printing functionality and some of the intricacies that are involved in hosting the WebView control outside of a desktop application context to provide unattended mode even in service context.

Comparing Raw ASP.NET Request Throughput across Versions

Rick Strahl — Fri, 08 Mar 2024 10:21:08 GMT

When I set up a new machine I usually use a small ASP.NET test project to get a feel of performance of the machine and when that happens I also take a moment to compare performance across recent versions of .NET to see how things are improving - and improved they have. Both due to the new hardware I'm using but also ASP.NET continues to bump up performance in every new version that comes out. In this post I describe a simple project with minimal do nothing requests to test the ASP,.NET pipeline locally and how to test these request as well as discussing the results.

Reading Raw ASP.NET Request.Body Multiple Times

Rick Strahl — Tue, 20 Feb 2024 23:08:09 GMT

Some time ago I wrote about accessing raw request body content in ASP.NET Core which ended up being one of the most popular posts on this blog. But I failed to mention one major caveat: By default Request.Body can only be read once. In this post I discuss why frequently when you need raw Request.Body access you actually need to read the body more than once, and you can enable that functionality and deal with the caveats of doing so.

Sharing Tab Missing in Windows 11 Folder Properties

Rick Strahl — Wed, 10 Jan 2024 22:54:27 GMT

For some unfathomable reason, Windows 11 has removed the Sharing Tab on the Explorer Properties Context menu by default. The Sharing Tab allows you to shared folders and drives for remote access. In this post I discuss how to get the Sharing Tab back and also touch on how to make sure your machine can actually accept remote connections so you can share your folders and drives.

Working around the WPF ImageSource Blues

Rick Strahl — Thu, 04 Jan 2024 05:36:29 GMT

The WPF Image control and its ImageSource property can be problematic if you are loading a lot of images in a list. Depending on where you load images from, and how, you can very easily get bogged down with slow, blocking load operations, and memory leaks when the controls are released. In this post I describe a couple of specific problems I ran into loading a sizable list of images from files and show a few ways how to avoid the potential pitfalls related to ImageSource peculiarities.

Integrating OpenAI Image Generation into a .NET Application

Rick Strahl — Thu, 21 Dec 2023 22:22:07 GMT

Image Generation AIs are proving to be very good at creating images that can be used for all sorts of purposes. In this article I discuss how you can integrate image generation right into your own .NET applications using the OpenAI REST API. In addition I'll show how you can integrated this functionality into a larger application and discuss some general thoughts on image AI usage based on some of the experiences from a developer/non-designer user perspective.

Embedding a minimal ASP.NET Web Server into a Desktop Application

Rick Strahl — Tue, 28 Nov 2023 08:42:36 GMT

Did you ever need to embed a Web Server into a non-Web application? In this post I describe how you can use host ASP.NET in a non-Web application and specifically in a WPF desktop app. What do you need, how is it different and some of the issues that you need to consider if you want to use ASP.NET in your non-Web applications.

Save Files With Elevated Permissions on UnauthorizedAccessException

Rick Strahl — Fri, 03 Nov 2023 19:48:56 GMT

If you have an application that generically allows you to edit and save files, you might on rare occasions need to save files in locations that where a regular user account does not have permissions to save. Rather than failing wouldn't it be nice to let the user know and optionally allow saving with elevated permissions? In this post I describe the workflow and implementation on how to do just that.

Caching your WebView Environment to manage multiple WebView2 Controls

Rick Strahl — Tue, 31 Oct 2023 22:10:59 GMT

I've been struggling with rare WebView initialization errors in one of my applications, that have been difficult to debug and track down. After a lot of trial and error I discovered that the problem is related to WebView Environment instantiations that might be stepping on each other. In this post I describe the problem and a solution that involves creating a single WebView Environment and reusing it for all WebView initialization.

Rolling Forward to Major Versions in .NET

Rick Strahl — Tue, 03 Oct 2023 08:12:27 GMT

.NET Core has sophisticated policies that allows your applications that are compiled to specific versions of the .NET Runtime can roll forward to newer versions. You can specify what part of the version to roll forward and that generally works well, except for preview releases which require an extra step.

IIS Error 500.19 with ASP.NET Core Application

Rick Strahl — Tue, 19 Sep 2023 10:02:02 GMT

Running on IIS locally is pretty rare, but if for some odd reason you decide to run IIS locally on your dev machine you might find yourself getting a 500.19 error which relates to an issue in the web.config configuration. The solution is simple enough: Make sure the ASP.NET Core Hosting Module is installed. In this post I describe in more detail what the problem is and why you need a seemingly superfluous extra install to get IIS and ASP.NET Core to cooperate on local dev machine.

Dotnet Tool Component not found on the Mac

Rick Strahl — Tue, 12 Sep 2023 02:05:47 GMT

I've run into this problem a few times: I install a new Mac OS and then install the .NET SDK. A bit later I install a dotnet tool using `dotnet tool install -g` and then try to run it, only to find out that the SDK is not able find it. This post is a note to self on how to fix the pathing for .NET tools to be found correctly and to be able to run your dotnet tools.

Map Physical Paths with an HttpContext.MapPath() Extension Method in ASP.NET

Rick Strahl — Wed, 16 Aug 2023 02:02:14 GMT

ASP.NET Core doesn't have a Server.MapPath() method as classic ASP.NET had, and getting at the root path in Core is a little bit more involved than in those older versions. In this post I describe how to find the application Content and Web root folders and describe a MapPath() helper that simulates the old behavior.

A WPF Statusbar Control

Rick Strahl — Tue, 08 Aug 2023 23:21:45 GMT

Statusbar controls are boring, but because of the way that they are used there are a number of caveats like ensuring the UI updates even in linear code, allowing for timeouts of status messages and resetting to default, and to provide some visual clues to draw attention to the status messages displayed. In this post I talk about a custom status bar control and helper that make it super easy to use a new status bar control or attach additional functionality to an existing status bar.

Getting the .NET Desktop Runtime Installed with a Custom Runtime Checker and Installer

Rick Strahl — Thu, 22 Jun 2023 04:29:41 GMT

I've recently moved my Markdown Monster Desktop Application to .NET 7.0 and I had to make a decision on how to get the Runtime installed or packaged with my application. In this post I review the different deployment modes, the plus's and cons and the solution I ended up with which was to build a custom install wrapper that can check and install the runtime if not already present from an Installer or interactively.,

Rick Strahl's Web Log

Azure Trusted Signing Revisited with Dotnet Sign

Setting up Trusted Signing

Local Signing: Enter dotnet sign

Install .NET SDK

dotnet tool and the .NET SDK

Install Azure CLI

Logging into Azure CLI

Install Dotnet Sign

Using Sign Code Artifact Signing

Putting it all together into a Signing Script

Dotnet Sign is Much Better

Summary

Resources

Don't use the Microsoft Timestamp Server for Signing

Use a different TimeStamp Server

Resources

Reliably Refreshing the WebView2 Control

Why Hard Refreshes matter

WebView2 Reload()

Dependent Resource Refreshing

Hard Refresh in the WebView

Interactive Hard Reload with Keyboard Shortcuts

Programmatic Hard Reload

Good - Replace the Url

Better - Simple Cache Revocation

Best - Hard Cache Revoke like Browser Hard Refresh

Also Recommended: ClearCache()

Also Useful For Navigation

Summary

Resources

What the heck is a `\\.\nul` path and why is it breaking my Directory Files Lookup?

Using the new WebView2 AllowHostInputProcessing Keyboard Mapping Feature

Fighting through Setting up Microsoft Trusted Signing

Centering a WPF TreeViewItem in the TreeView ScrollViewer

Unpacking Zip Folders into Windows Long File Paths

Adding Runtime NuGet Package Loading to an Application

Distinguished Name on FileZilla Server Self-Generated Certs

Configuring Microsoft.AI.Extensions with multiple providers

Lazy Loading the Mermaid Diagram Library

WebView2: Waiting for Document Loaded

Avoiding WPF Image Control Local File Locking

The Strong ARM of .NET: Wrestling with x64 and Arm64 Desktop App Deployment

Using Windows.Media SpeechRecognition in WPF

Making Html Input Controls Truly ReadOnly

Accessing Windows Settings Dialogs from Code via Shell Commands

Resolving Paths To Server Relative Paths in .NET Code

Inline Confirmations in JavaScript UI

Retrieving Images from the Clipboard Reliably in WPF Revisited

Comparing Raw ASP.NET Request Throughput across Versions: 8.0 to 9.0 Edition

Back to Basics: Using the Parallel Library to Massively Boost Loop Performance

Getting the Current TabItem when the Tab is not selected in WPF

Using SQL Server on Windows ARM

Getting the ASP.NET Core Server Hosting Urls at Startup and in Requests

Nuking Local Nuget Package Sources to show newly Published Packages

Create a .NET PlantUML Markdown Render Extension

Back to Basics: Await a Task with a Timeout

Work around the WebView2 NavigateToString() 2mb Size Limit

Dealing with Platform Specific Classes and Methods in CrossPlatform .NET

C# Version String Formatting

Mime Base64 is a Thing?

Speed up your Start Menu by disabling Web Search

ASP.NET Core Hosting Module with Shadow Copy Not Starting: Separate your Shadow Copy Folders!

Programmatic Html to PDF Generation using the WebView2 Control with .NET

Comparing Raw ASP.NET Request Throughput across Versions

Reading Raw ASP.NET Request.Body Multiple Times

Sharing Tab Missing in Windows 11 Folder Properties

Working around the WPF ImageSource Blues

Integrating OpenAI Image Generation into a .NET Application

Embedding a minimal ASP.NET Web Server into a Desktop Application

Save Files With Elevated Permissions on UnauthorizedAccessException

Caching your WebView Environment to manage multiple WebView2 Controls

Rolling Forward to Major Versions in .NET

IIS Error 500.19 with ASP.NET Core Application

Dotnet Tool Component not found on the Mac

Map Physical Paths with an HttpContext.MapPath() Extension Method in ASP.NET

A WPF Statusbar Control

Getting the .NET Desktop Runtime Installed with a Custom Runtime Checker and Installer

`dotnet tool` and the .NET SDK