Code-signing certificates are installed into the personal store. On the build machine – did you install for the build service account? Note that strong name signing the assembly has nothing to do with Authenticode signing the manifest.
I just spent some time on the ClickOnce manifest signing myself and finally got it to work. Here are the details of my findings in case they help someone.
1. When generating the PFX file – you need to specify the password.
2. When PFX is password-protected – MSBuild will fail to auto-install the certificate:
   2618: Cannot import the following key file
3. Even though you’re not auto-installing, the CSPROJ file still has to have <ManifestKeyFile> specified (not just <ManifestCertificateThumbprint>) – otherwise MSBuild won’t invoke the SignFile task correctly:
   4677: The "SignFile" task was not given a value for the required parameter "CertificateThumbprint"
4. You can install and sign with certificate by invoking Microsoft SDKs\Windows\v7.0A\bin\signtool.exe in a command – but then your CSPROJ has passwords in clear text.
5. Project > Properties > Signing > Select from File seems to be the best route. But these steps will have to be performed manually for each account so that you can enter the password from step 1 and get the certificate into the personal store.
The easiest way to verify the magic: download the ClickOnce drop, right click setup.exe > Properties > Digital Signatures > your certificate.
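A scripted version of the two checks discussed above (is the certificate in the build account's personal store, and is setup.exe Authenticode-signed with it), added here as an example and not part of the original post. The thumbprint and the path to setup.exe are placeholders; run it while logged on as the account that performs the build.

```powershell
# Added example. Both default values are placeholders, not values from the post.
param(
    [string]$Thumbprint = '<CERTIFICATE-THUMBPRINT>',
    [string]$SetupExe   = '.\publish\setup.exe'   # hypothetical ClickOnce drop path
)

$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing enhanced key usage

# Thumbprints pasted from the certificate dialog often carry spaces or
# invisible characters; keep only the hex digits before comparing.
$normalized = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# 1. Is the certificate in THIS account's personal store?
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $normalized }
if (-not $cert) {
    throw "Certificate $normalized is not in CurrentUser\My for $env:USERNAME."
}

# 2. Is it usable for signing? It needs a private key, must not be expired,
#    and must allow code signing (an empty EKU list means all usages).
if (-not $cert.HasPrivateKey) {
    throw "Certificate is installed without its private key; re-import the PFX."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)."
}
$ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
if ($ekus.Count -gt 0 -and $ekus -notcontains $codeSigningOid) {
    throw "Certificate does not carry the Code Signing usage ($codeSigningOid)."
}

# 3. Is setup.exe Authenticode-signed, and by that same certificate?
$sig = Get-AuthenticodeSignature -FilePath $SetupExe
if ($sig.Status -ne 'Valid') {
    throw "Signature on $SetupExe is '$($sig.Status)': $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Thumbprint -ne $normalized) {
    throw "Signed by $($sig.SignerCertificate.Thumbprint), expected $normalized."
}

"OK: $SetupExe is signed by '$($cert.Subject)' (valid until $($cert.NotAfter))."
```

A certificate that chains to an untrusted root (a self-signed test certificate, for instance) makes step 3 report a status other than Valid even though the file is signed.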