I want to create an application that is easy to install. The installation process is quite complex (lots of permissions, firewall rules, services, etc.). So I decided to write the setup program in C# (.net 4), and then make the setup program itself a click-once install.

The idea was that the user would go to the website, click install, my setup program would be installed on their computer by click once, and then it would run, setting up the main program.

In order to make this an easy process, I obviously had to sign all the executables. I bought a Comodo code signing certificate, installed it in my certificate store, and ticked "Sign the Click Once manifests" in VS Express 2012. I also included a post-build step which ran

SIGNTOOL.EXE sign /f TrumphurstCodeCertificate.pfx /p <my password> TimeClockSetup.exe

I cleaned everything out of my build folder and the deployment website, and ran a clean build.

I checked the properties of the executable in the build folder, and it was shown as published by me.

I published the program to the web site, started a different Windows 8 computer, navigated to the web site, and clicked the Install button.

I was prompted Do you want to run or save setup.exe, and selected run.

Then I was prompted setup.exe is not commonly downloaded and could harm your computer - I clicked Actions, and it said This program might harm your computer. It did say the publisher was Trumphurst Ltd, and gave me the option to run anyway, which I clicked.

Then I got "Open File - Security Warning", for ".....\TimeClockSetup.exe", "Publisher: Unknown Publisher".

How come the exe showed as Unknown publisher?

I browsed to the exe in the user data directory it had been installed in, and no "Digital Signatures" tab showed in the Properties dialog.

However, if I browse to the exe in my build folder,it has a signature.

[Later] I remember reading somewhere that some parts of the build or publish process use the exe file in the obj folder rather than the one in the build output folder, so I added signing that to the post build steps - it made no difference.

You need to purchase an Authenticode certificate for your development company (or yourself) and sign the application. To sign, look at your project's properties and go to the 'signing' category. Choose 'Sign the Assembly' and you can select your certificate to sign with.

Make sure this is just the root certificate, or VS won't be able to use it. Also, the end-user will need to have the full certificate path installed for the machine to recognize you as being a trusted publisher.

If you export your certificate from your machine with the full certificate path, you can move this file to the client machine and install the certificate to both the TrustedPublishers and Root-CA store.