Why does the "Sign the ClickOnce manifests" checkbox keep defaulting to checked on build?

Question

Closely related to Sign the ClickOnce manifests checkbox keeps defaulting to checked on publish. None of the answers listed in this question have assisted me.

I have two projects in my solution, as well as other reference projects. One project is a C# Windows Presentation Foundation (WPF) (output type Windows Application), and when I uncheck "Sign the ClickOnce manifests" it remains unchecked after being built.

The second project, which is also the startup project, is a Visual Studio Tools for Office (VSTO) project (output type defaults to Class Library and cannot be changed). When I uncheck "Sign the ClickOnce manifests" in it and then build the solution (or just the project), the option is checked again after the entire build process completes.

I am not familiar with the XML data in the .csproj file, but I have found a few things that might be related:

1.

In the .csproj file for the VSTO project, there is a comment section which states:

This section enables pre- and post-build steps. However, in VSTO use
MSBuild tasks instead of these properties.       

The section defines <SignManifests>, <SignAssembly>, and <ManifestCertificateThumbprint>. The first two are false. The second has some unique key.

2.

After finding the comment about MSBuild tasks, I later found:

<!-- Include additional build rules for an Office application add-in. -->
  <Import Project="$(MSBuildExtensionsPath)\Microsoft\VisualStudio\v10.0\OfficeTools\Microsoft.VisualStudio.Tools.Office.targets" />

And this is a very large file with multiple references to signing and such. The project in which the Signing option remains unchecked does not have this <Import Project> line in its .csproj file.

Issue

Now, I'm not fully aware of what the .targets file is all about and am unwilling to go butchering it in search of a solution until I know what I'm after. Could this file be the cause of my problem? If so, how can I modify it to stop it from getting in my way? If not, has anyone encountered this before that can provide a solution?

Edit:

I just read How to not sign a ClickOnce manifest, which talks again about publishing. I am still curious if I can turn it off of my builds. I have no qualms about signing the application when I publish it, but I would prefer to build it without the default occurring.

Answer 1

Here's an article by a VSTO team member. https://blogs.msdn.microsoft.com/vsto/2009/04/29/signing-and-re-signing-manifests-in-clickonce-saurabh-bhatia/

The explanation is that VSTO requires signing for ClickOnce deployments, because the add-in must run under a heightened security model. The article goes into much more detail.