I have enabled signing in my click once application.

But the build server (TFS online services) do not have the certificate. Is there any way I can include the certificate in the repositiory and make the build server sign it or do I have to disable signing and do it manually after?

Instead of picking a cert from the store I checked in a file and picked from file instead.

Build server then gives me:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Common.targets (2482): Cannot import the following key file: . The key file may be password protected. To correct this, try to import the certificate again or import the certificate manually into the current user’s personal certificate store.

(is it intended that I should check one in without the password and is that what others do? is it not dangerous to have private keys out there with no password.)

I created the following powershell script in the repository:

 [CmdletBinding()]
 param(
     [Parameter(Mandatory=$True)]
     [string]$signCertPassword
    )

$SecurePassword = $signCertPassword | ConvertTo-SecureString -AsPlainText -Force
Write-Output "Importing pfx"

Import-PfxCertificate -FilePath "YourPfxFile.pfx" -Password $SecurePassword Cert:\CurrentUser\My

and passed the password as a variable (locked)

I created CodeActivites for using Mage.exe and Signtool.exe and build the signing into my build template instead.

From /t:publish all files had .deploy extension and I had to create a XML Task that updates the manifest xml to support this.