We have several applications that we install with ClickOnce to keep versions up to date. Unfortunately with Windows 8 we've been getting horrible SmartScreen notices that this code might be unsafe!!
I was pulling my hair out trying to find a way to convince the system that the code was safe, after all we built it and signed the deployment. Then I found the solution on robindotnet.wordpress.com:
Signing the application executable pre-publish (recommended solution)
The pre-publish command is executed after building the application and right before publishing it. There is no box for this under Build Events, so you have to add it to the project yourself. (Be sure to clear out the post-build event command line before doing this.)
To add a pre-publish command right-click on the project in Visual Studio and select “Unload Project”. Now right-click on the project again and select “Edit yourprojectname.csproj”. It will open the csproj file in Visual Studio so you can edit it. Go down to the bottom and add a new section before the </Project> line. You’re going to put your pre-publish command line in this section.
<Target Name="BeforePublish">
</Target>
So what do you put in this section? You are going to specify a command to execute, so you have to use Exec Command, and put the command to execute in double quotes. Since you can’t put double-quotes inside of double-quotes (at least, not if you want it to work), you need to change the double-quotes in your command to &quot; instead. So my build command from above now looks like this:
<Exec Command="&quot;C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\bin\signtool.exe&quot; sign /f &quot;$(ProjectDir)TestWin8CO_TemporaryKey.pfx&quot; /p nightbird /v &quot;$(ProjectDir)obj\x86\$(ConfigurationName)\$(TargetFileName)&quot;" />
After making this match your parameters, save the csproj file and then close it. Then right-click on the project and reload it.
Now if you build your project, you won’t see anything about signing the application executable in the output window. It will only do it if you publish, and there won’t be logging letting you know it signed it. How do you know if it worked? Go to the folder you published to, and look in the Application Files folder. Locate the application executable in the folder for the new version. Right-click on it, choose properties. Look for a tab called “Digital Signatures”. If it’s not found, it’s not signed. If you do see it, go to that tab; it will show the signature list and the signer of the certificate. You can double-click on the signer and then view the signing certificate.
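Because the publish step signs silently, the manual "Digital Signatures" check described above can also be scripted. The following is an added example, not code from this post or from the robindotnet article; the publish path is a hypothetical placeholder, and the handling of the ".deploy" extension assumes ClickOnce's default publish naming.

```powershell
# Added example: report the Authenticode status of every published executable.
param(
    [string]$PublishDir = 'C:\Publish\MyApp'   # hypothetical path, replace with your publish folder
)

$appFiles = Join-Path $PublishDir 'Application Files'

# ClickOnce may append ".deploy" to published files, so match both names.
$targets = Get-ChildItem -Path $appFiles -Recurse -File |
    Where-Object { $_.Name -like '*.exe' -or $_.Name -like '*.exe.deploy' }

$results = foreach ($file in $targets) {
    $checkPath = $file.FullName
    $tempCopy  = $null
    if ($file.Name -like '*.deploy') {
        # Check a temporary copy that carries the real .exe extension.
        $tempCopy = Join-Path ([IO.Path]::GetTempPath()) ([Guid]::NewGuid().ToString() + '.exe')
        Copy-Item -LiteralPath $file.FullName -Destination $tempCopy
        $checkPath = $tempCopy
    }
    try {
        $sig = Get-AuthenticodeSignature -LiteralPath $checkPath
        [pscustomobject]@{
            File    = $file.FullName.Substring($appFiles.Length).TrimStart('\')
            # NotSigned: the BeforePublish step did not sign this file.
            # Any other non-Valid status with a signer listed: signed, but the
            # signature did not validate here (for example an untrusted certificate).
            Status  = $sig.Status
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Expires = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
        }
    }
    finally {
        if ($tempCopy) { Remove-Item -LiteralPath $tempCopy -ErrorAction SilentlyContinue }
    }
}

$results | Format-Table -AutoSize

# Exit non-zero when anything is not validly signed, so a release script can stop on it.
$bad = @($results | Where-Object { $_.Status -ne 'Valid' })
if ($bad.Count -gt 0) { exit 1 }
```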
The Full Article with pictures is available at http://robindotnet.wordpress.com/2013/02/24/windows-8-and-clickonce-the-definitive-answer-2/
Bless the internet.