dotnet / maui

.NET MAUI is the .NET Multi-platform App UI, a framework for building native device applications spanning mobile, tablet, and desktop.
https://dot.net/maui
MIT License

[regression/8.0.3] DEP0700 error when starting Maui Blazor Hybrid app without capability "runFullTrust" #18816

Open martinstoeckli opened 12 months ago

martinstoeckli commented 12 months ago

Description

Wanted to update an existing project from .NET 7.0 to .NET 8.0, but cannot deploy it without capability "runFullTrust" anymore. Tried the same with a new clean Maui-Blazor-Hybrid project and got the same behaviour.

The error list shows this error:

DEP0700: Registration of the app failed. App manifest validation error: Line 26, Column 6, Reason: The element specified requires "runFullTrust" capability

Apps requiring "runFullTrust" are rejected in the Microsoft store, so keeping this capability is no option for me and the app never required it before. Cleaning and restoring all NuGet packages didn't change anything.

Steps to Reproduce

  1. Create new project ".NET MAUI Blazor Hybrid App"
  2. Choose ".NET 8.0 (Long Term Support)"
  3. Compile and start the "Windows" app, it works correctly
  4. Open "MyApp\MyApp\Platforms\Windows\Package.appxmanifest" and remove line <rescap:Capability Name="runFullTrust" />
  5. Compile and start the app again

Visual Studio will respond with error message "The project needs to be deployed before we can debug. Please enable Deploy in the Configuration Manager". The Error List shows the message "DEP0700: Registration of the app failed. App manifest validation error: Line 26, Column 6, Reason: The element specified requires "runFullTrust" capability".

Link to public reproduction project repository

No response

Version with bug

8.0.3

Is this a regression from previous behavior?

Yes, this used to work in .NET MAUI

Last version that worked well

7.0.101

Affected platforms

Windows

Affected platform versions

net8.0-windows10.0.19041.0

Did you find any workaround?

No response

Relevant log output

No response

drasticactions commented 12 months ago

Description

Apps requiring "runFullTrust" are rejected in the Microsoft store, so keeping this capability is no option for me.

This is not true. You can submit apps to the Microsoft Store with runFullTrust enabled (it is the default for WinUI 3 templates, which these templates I believe are based on). That said, if there are things in Maui / Maui blazor that are requiring it, then that would be a problem since it probably should not be needed.

But this is not a blocker from releasing to the store. You can submit it and it should go through regardless of that setting.

martinstoeckli commented 12 months ago

Well, I have an app which was rejected because of this, fortunately it didn't require special privileges, so I could just remove the capability. But maybe they changed their rules by now.

samhouts commented 11 months ago

@mkArtakMSFT fyi

martinstoeckli commented 11 months ago

I just discovered that in version 7, the "runFullTrust" capability is added automatically to the binaries, even if not declared in the manifest. So it could be that there was no error message because the capability was added in the background, not because it was unnecessary.

This probably also means that @drasticactions is right and such apps are now accepted in the store. The app that was rejected was uploaded some time ago as a UWP app.

Eilon commented 11 months ago

@martinstoeckli very interesting discovery! So do you think there's still any issue to fix here? Or has the issue resolved itself due to store changes?

martinstoeckli commented 11 months ago

@Eilon - I uploaded a "package flight" version for testing the new version, it is still in review state, but I can get back with the result. Edit: Still waiting for approval...

martinstoeckli commented 10 months ago

Ok the app was accepted even with the runFullTrust capability. It is a "Package flight" not a public release, but probably the review process is the same.

BurkusCat commented 10 months ago

I get the same error message as OP when trying to remove the runFullTrust capability: "The element specified requires "runFullTrust" capability".

Although store submission is possible with this permission, it's a bit jarring to request it without the app actually needing it? A couple of reasons why I think it should be possible in MAUI to run in partial trust:

  1. For security reasons - many, many apps don't do anything that requires full trust. But by requesting full system resources any vulnerability in the app suddenly has huge overreaching access to basically everything.
  2. User perception - customers are (correctly) increasingly over time, scrutinising the permissions their apps request. Apps on the Windows Store with this permission display the message "This app can: Access all your files, peripheral devices, apps, programs and registry". For many apps, it will be clear to users that all this access is completely unnecessary to achieve the functionality they provide.

I think it is important for this issue to be fixed in MAUI to allow lowering the permission levels required.

Eilon commented 10 months ago

I've been reading a bit about this and I don't think this is Blazor-specific and likely not even .NET MAUI-specific. I found this thread about WinUI3 and full trust: https://github.com/microsoft/WindowsAppSDK/discussions/1900

It seems to describe that full trust is easiest by default and is likely what most developers want (which I agree with). But that there are options if you don't want full trust.

The Windows manifest is editable in a .NET MAUI app so presumably you could set various permissions there instead of full trust.

I'm not sure which specific permissions are required instead, but someone would need to test that out and confirm if it is possible to use a specific set of permissions and get it validated.

martinstoeckli commented 10 months ago

The Windows manifest is editable in a .NET MAUI app so presumably you could set various permissions there instead of full trust.

Maybe I misunderstood your idea, but this is what I actually did. I edited the "Package.appxmanifest" file, removed the "runFullTrust" and added some minor capabilities. Somewhere in the building process of version 7 the capability is added again, so that the manifest in the binaries contains "runFullTrust" again, regardless of what I defined in the manifest. In version 8 it cannot be started by Visual Studio without the capability.
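The difference described in the comment above, between the manifest in the project and the manifest in the build output, can be checked mechanically. This is an added example, not part of the thread or of the MAUI project: it compares the capabilities declared in the two manifests and reports any the build added. The sample manifests are constructed and the function names are hypothetical.

```python
import sys
import xml.etree.ElementTree as ET

FOUNDATION = "http://schemas.microsoft.com/appx/manifest/foundation/windows10"
RESCAP = FOUNDATION + "/restrictedcapabilities"

# Constructed sample: the project manifest declares only internetClient.
SOURCE_MANIFEST = """
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
         xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities">
  <Capabilities>
    <Capability Name="internetClient" />
  </Capabilities>
</Package>
"""
# Constructed sample: the same manifest with runFullTrust re-added by the build.
BUILT_MANIFEST = SOURCE_MANIFEST.replace(
    "</Capabilities>",
    '  <rescap:Capability Name="runFullTrust" />\n  </Capabilities>')


def declared_capabilities(manifest_xml):
    """Return {(namespace, name)} for every child of <Capabilities>."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for caps in root.iter("{%s}Capabilities" % FOUNDATION):
        for child in caps:
            tag = child.tag
            ns = tag[1:].split("}", 1)[0] if tag.startswith("{") else ""
            found.add((ns, child.get("Name")))
    return found


def audit_build(source_xml, built_xml):
    """Compare the project manifest with the manifest from the build output."""
    source = declared_capabilities(source_xml)
    built = declared_capabilities(built_xml)
    return {
        "added_by_build": sorted(name for _, name in built - source),
        "restricted_in_build": sorted(n for ns, n in built if ns == RESCAP),
        "full_trust_in_build": (RESCAP, "runFullTrust") in built,
    }


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: script.py <project manifest> <built manifest>; paths are the reader's.
    src, out = (open(p, "rb").read() for p in sys.argv[1:])
    print(audit_build(src, out))
```
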

Eilon commented 10 months ago

The Windows manifest is editable in a .NET MAUI app so presumably you could set various permissions there instead of full trust.

Maybe I misunderstood your idea, but this is what I actually did. I edited the "Package.appxmanifest" file, removed the "runFullTrust" and added some minor capabilities. Somewhere in the building process of version 7 the capability is added again, so that the manifest in the binaries contains "runFullTrust" again, regardless of what I defined in the manifest. In version 8 it cannot be started by Visual Studio without the capability.

Oh interesting I definitely missed that part. So something just keeps adding it back to the built app?

Eilon commented 10 months ago

Ah so that particular aspect seems to be the same as this issue: https://github.com/microsoft/microsoft-ui-xaml/issues/7766. And it seems that issue was fixed about a year ago (sorry for earlier edit, I forgot what year it is 😁 )

martinstoeckli commented 10 months ago

Sorry, I should have written it more clearly I think:

Eilon commented 9 months ago

Sorry, I should have written it more clearly I think:

  • .NET SDK7 Project: The "runFullTrust" is re-added in the build process to the "Package.appxmanifest", this problem does not hinder me, since I try to move to version 8.
  • .NET SDK8 Project: The "runFullTrust" is not re-added in the build process, Visual Studio successfully builds the project. But as a developer I cannot start the project for debugging, because it cannot be published. The manifest validator won't accept the manifest without "runFullTrust" and stops the startup, this is where I'm stuck.

Alright that's certainly weird.

Does the same thing happen in a regular WinUI3 project (without MAUI)?

jaosnz-rep commented 8 months ago

Verified this issue with Visual Studio 17.10.0 Preview 1, can repro on Windows platform with Maui Blazor project.

vibollee commented 1 month ago

Is there any feedback on this?