Is there any chance you are trying to deploy a WPF application and using Visual Studio 2012 or later? If so, you have to use the "AfterCompile" setting in your project file to sign the application, or you end up with the hash mismatch.
See this stackoverflow post: SignTool Not Signing ClickOnce App Using SHA256, Only Uses SHA1
Which links to Robin's excellent blog solution: http://robindotnet.wordpress.com/2013/04/14/windows-8-and-clickonce-the-definitive-answer-revisited/