It turns out that it's really fussy about certificate Usages as specified in Enhanced Key Usage, as per the link I posted earlier.
During packaging, Visual Studio validates the specified certificate in the following ways:
- Verifies the presence of the Basic Constraints extension and its value, which must be either Subject Type=End Entity or unspecified.
- Verifies the value of the Enhanced Key Usage property, which must contain Code Signing and may also contain Lifetime Signing. Any other EKUs are prohibited.
- Verifies the value of the KeyUsage (KU) property, which must be either Unset or DigitalSignature.
- Verifies that a private key exists.
- Verifies whether the certificate is active, hasn’t expired, and hasn't been revoked.
I had mistakenly thought that by going to Certificate Properties - Certificate Purposes - Enable only the following properties and unchecking properties that were invalid for this purpose (i.e. everything but Code Signing) I could use a certificate that we already had. That doesn't work.
I resolved my problem by acquiring a certificate that did only have Code Signing as an Enhanced Key Usage.
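
The checks listed above can be run against a certificate before packaging. This is an added example, not code from the original post or from Visual Studio; the function name `Test-PackageSigningCert` is hypothetical. It reads the extensions embedded in the signed certificate itself, which editing purposes in the certificate properties dialog does not alter, and it does not check revocation.

```powershell
# Added example: hypothetical helper, not part of Visual Studio or the original post.
function Test-PackageSigningCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $codeSigning     = '1.3.6.1.5.5.7.3.3'        # Code Signing EKU
    $lifetimeSigning = '1.3.6.1.4.1.311.10.3.13'  # Lifetime Signing EKU
    $problems = @()

    # Basic Constraints (2.5.29.19): absent, or present and not a CA.
    $bc = $Cert.Extensions['2.5.29.19']
    if ($bc -and $bc.CertificateAuthority) {
        $problems += 'Basic Constraints marks the subject as a CA, not an end entity'
    }

    # Enhanced Key Usage (2.5.29.37): must contain Code Signing; only
    # Lifetime Signing is allowed alongside it.
    $eku = $Cert.Extensions['2.5.29.37']
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains $codeSigning) {
        $problems += 'EKU does not contain Code Signing'
    }
    foreach ($oid in ($ekuOids | Where-Object { $_ -notin $codeSigning, $lifetimeSigning })) {
        $problems += "Prohibited EKU present: $oid"
    }

    # Key Usage (2.5.29.15): unset, or exactly DigitalSignature.
    $ku = $Cert.Extensions['2.5.29.15']
    if ($ku -and $ku.KeyUsages -ne 'None' -and $ku.KeyUsages -ne 'DigitalSignature') {
        $problems += "Key Usage is '$($ku.KeyUsages)', expected unset or DigitalSignature"
    }

    if (-not $Cert.HasPrivateKey) { $problems += 'No private key available' }

    # Validity period only; revocation is not checked here.
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $problems += "Outside validity period ($($Cert.NotBefore) to $($Cert.NotAfter))"
    }
    return $problems
}

# Usage: show why each certificate in the current user's store would be rejected.
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    [pscustomobject]@{ Subject = $_.Subject; Problems = (Test-PackageSigningCert $_) -join '; ' }
}
```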