Question

When you go to the Signing page for the project settings for a ClickOnce application, there are two options:

  • Select from Store
  • Select from File

We have installed our certificate on all our developer machines and our build machines.

We can therefore choose either one, but if we choose "Select from File" it copies the PFX file into the project. (Interestingly, if the certificate is in your certificate store, publishing works fine even if you delete the pfx file from the project.)

So at the moment, we always choose "select from store" which is working fine.

But are we doing it right? Or is there some reason that we should use "select from file" instead? Is "select from file" only for when you don't have the certificate in your store?

Solution

I don't think it matters either way.

If you didn't have the certificate on all those machines, then it'd be quicker to get things going by doing "Select from file" and checking the .pfx into source control.

We limit the access to our password for our .pfx so it's a different story. We also need to change our manifest files post build. So we don't enable code signing at build and instead have a post-build process that signs things using the .pfx on a share. The build automation hides the password from its logs so no developer actually knows the password.

All three ways (from file, from store, post-build) end up getting you signed manifests. Each way has its pros and cons depending on company policy.
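
A sketch of the post-build signing step described in the answer above, added here as an example and not the answerer's actual script. It assumes `mage.exe` from the Windows SDK is on the PATH; the manifest paths, the share path and the `SIGNING_PFX_PASSWORD` environment variable (set by the build server as a masked secret) are hypothetical names.

```powershell
# Added example: post-build ClickOnce manifest signing with mage.exe.
# All paths and the environment variable name below are assumptions.
$ErrorActionPreference = 'Stop'

$appManifest    = 'publish\Application Files\MyApp_1_0_0_0\MyApp.exe.manifest'  # hypothetical
$deployManifest = 'publish\MyApp.application'                                   # hypothetical
$pfxPath        = '\\buildshare\signing\codesign.pfx'                           # hypothetical share

# The build server injects the password as a masked secret, so it is never
# stored in the script, the repository or the project file.
$pfxPassword = $env:SIGNING_PFX_PASSWORD
if ([string]::IsNullOrEmpty($pfxPassword)) {
    throw 'SIGNING_PFX_PASSWORD is not set; refusing to sign.'
}

function Invoke-Mage {
    param([string[]]$MageArgs)
    # Run mage without echoing the argument list, which contains the password.
    & mage.exe @MageArgs
    if ($LASTEXITCODE -ne 0) {
        throw "mage.exe failed with exit code $LASTEXITCODE"
    }
}

try {
    # 1. Re-sign the application manifest after the post-build edits.
    Invoke-Mage @('-Sign', $appManifest, '-CertFile', $pfxPath, '-Password', $pfxPassword)

    # 2. Update the deployment manifest so it references the re-signed
    #    application manifest, and sign it in the same call.
    Invoke-Mage @('-Update', $deployManifest, '-AppManifest', $appManifest,
                  '-CertFile', $pfxPath, '-Password', $pfxPassword)
}
finally {
    # Drop the secret from this session once signing has finished or failed.
    Remove-Variable pfxPassword -ErrorAction SilentlyContinue
    Remove-Item Env:\SIGNING_PFX_PASSWORD -ErrorAction SilentlyContinue
}
```

A password passed as an argument is visible in the process command line on the build machine while `mage.exe` runs. When the certificate is installed in the build account's store, replacing `-CertFile`/`-Password` with `-CertHash` and the certificate thumbprint signs from the store and removes the password from the script entirely.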

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow