To publish an application using ClickOnce, the deployment manifests must be signed with a public/private key pair using Authenticode technology.
By default, when you first publish your application using ClickOnce, a Test Certificate will be created for you automatically and used to sign your deployment manifests. The key is named MyApp_TemporaryKey.pfx and can be found under your project in Solution Explorer.
Note: Only the deployment manifests need to be signed; you need not sign the application assembly.
You can also sign the manifests using a certificate from the Windows certificate store or a key file. You'll do all of the signing in the Signing tab of the project property window (see Figure 1-17). You also have the option to sign the application assembly, in addition to the manifests.
Figure 1-17. The Signing tab of the project property
Where possible, you should use a bona fide certificate to sign your application. Using the temporary key provided by Visual Studio 2005 does not enable your users to completely trust the source of your application, and every time the application launches the user will see the security warning message (see Figure 1-18). In addition, if an application manifest is signed with an authentic certificate, the user will not be prompted with the Application Install - Security Warning dialog during installation.
Figure 1-18. An application installed from an untrusted publisher
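The difference between a temporary key and an authentic certificate can be checked from the signed manifest itself. The following PowerShell is an added example, not code from the original text: it reads the certificate embedded in a manifest's XML signature and reports whether it is self-signed and whether it chains to a root the machine trusts. The function name Get-ManifestSigner and the sample certificate are hypothetical and constructed here; the script assumes PowerShell 7 or Windows PowerShell 5.1 with .NET Framework 4.7.2 or later, and it inspects the certificate only, without verifying the signature value.

```powershell
# Added example: report who signed a ClickOnce manifest and whether that
# certificate chains to a root this machine trusts.
function Get-ManifestSigner {
    param([Parameter(Mandatory)][xml]$Manifest)
    $ns = [System.Xml.XmlNamespaceManager]::new($Manifest.NameTable)
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $nodes = $Manifest.SelectNodes('//ds:X509Data/ds:X509Certificate', $ns)
    if ($nodes.Count -eq 0) { throw 'No X509Certificate element: manifest is not signed.' }
    foreach ($node in $nodes) {
        $raw   = [Convert]::FromBase64String($node.InnerText.Trim())
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline
        $trusted = $chain.Build($cert)
        [pscustomobject]@{
            Subject             = $cert.Subject
            Issuer              = $cert.Issuer
            NotAfter            = $cert.NotAfter
            # A Visual Studio temporary key is self-signed: subject equals issuer.
            SelfSigned          = ($cert.Subject -eq $cert.Issuer)
            ChainsToTrustedRoot = $trusted
            ChainStatus         = ($chain.ChainStatus.Status -join ', ')
        }
    }
}

# Constructed sample: an in-memory self-signed certificate standing in for a
# temporary test key, wrapped in a minimal signature fragment.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=Constructed Test Publisher', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$now  = [DateTimeOffset]::UtcNow
$test = $req.CreateSelfSigned($now.AddMinutes(-5), $now.AddDays(1))
$b64  = [Convert]::ToBase64String($test.RawData)
$sample = "<deployment><Signature xmlns='http://www.w3.org/2000/09/xmldsig#'>" +
          "<KeyInfo><X509Data><X509Certificate>$b64</X509Certificate></X509Data>" +
          "</KeyInfo></Signature></deployment>"

# Expect SelfSigned = True and ChainsToTrustedRoot = False for the sample.
Get-ManifestSigner -Manifest $sample
```

To inspect a published manifest instead of the sample, pass its contents with Get-Content -Raw as the -Manifest argument.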