How to sign a ClickOnce application

Question

I have a ClickOnce application that I built for a client, and I need it to be from a trusted publisher. How do I go about acquiring an Authenticode certificate and sign my application with it? So that when the application is launched, it's from a trusted publisher?

How do I install the certificate? Do I have to install it on my development server or does it matter where I install it?

How does the whole process work? I don't want to spend 3-5 hundred dollars on a certificate, and install something wrong and be out of luck.

Are there good tutorials on purchasing and installing a certificate and signing a ClickOnce application?

Answer 1

I recently went through this process. A certificate is not that expensive - we got a code-signing certificate for less than a $100.

After you have the certificate, follow the FAQ HOWTO: Code signing how-to* to sign your code (binaries).

After that, you have to go to project properties -> Signing and upload your certificate there as well (it's for ClickOnce). You can skip code signing though and sign ClickOnce only.

ClickOnce requires a certificate for code signing, and others will not work, see ClickOnce Deployment and Authenticode:

For ClickOnce applications, you must have an Authenticode certificate that is valid for code signing; if you attempt to sign a ClickOnce application with another type of certificate, such as a digital e-mail certificate, it will not work.

Jan'18 UPDATE: StartSSL is not trusted anymore, and I did NOT find any free (or similar to what StartSSL was offering) code signing certificates. At the end of the day, I went with ksoftware.net - $84/year for Comodo code-signing certificate (but you need to have DUNS record available for them to check!)