Code Signing for Visual Studio ClickOnce Deployments
Apr 5, 2026
ClickOnce deployments built in Visual Studio need code signing to avoid security prompts. Without a valid signature, users see scary "Unknown Publisher" warnings. Here's how to automate ClickOnce signing with OneSigner.
The ClickOnce Signing Problem
Visual Studio can sign ClickOnce manifests during build, but:
- Requires manual PIN entry for EV certificates on USB tokens
- Breaks automated builds (CI/CD) — no interactive session
- Timestamp server failures cause build failures
- SSL.com's CodeSignTool adds complexity and per-signature costs
Solution: Sign After Build with OneSigner
Instead of signing during build, build unsigned and sign after:
- Build ClickOnce in Visual Studio without signing
- Use OneSigner to sign the EXE and manifest files
- OneSigner handles PIN, timestamping, and retries automatically
Signing ClickOnce Manifests
```bash
# Sign the main application EXE (TOKEN is a placeholder for your API token)
curl -X POST http://localhost:9440/api/upload \
  -H "Authorization: Bearer TOKEN" \
  -F "file=@publish/MyApp.exe"

# Sign the setup.exe
curl -X POST http://localhost:9440/api/upload \
  -H "Authorization: Bearer TOKEN" \
  -F "file=@publish/setup.exe"
```
vs. SSL.com CodeSignTool
SSL.com offers CodeSignTool for CI/CD integration, but:
| | SSL.com CodeSignTool | OneSigner |
|---|---|---|
| Cost | $240–$480/year + per-sign | $99 one-time |
| Internet required | Yes (cloud HSM) | No (local token) |
| Speed | 200–800ms latency | Local, ~500ms |
| PDF Signing | No | Yes (bonus) |
| Vendor lock-in | SSL.com only | Any CA's certificate |
Automating with MSBuild
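Add a target to your .csproj that runs after Publish:
```xml
<!-- TOKEN is a placeholder; supply the real value from a build secret, not from source control -->
<Target Name="SignAfterBuild" AfterTargets="Publish">
  <Exec Command="curl -s -X POST http://localhost:9440/api/upload -H &quot;Authorization: Bearer TOKEN&quot; -F &quot;file=@$(PublishDir)$(TargetFileName)&quot;" />
</Target>
```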
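A post-signing check for the sign-after-build flow above, as an added example (not OneSigner's or the article's own code): it uses PowerShell's `Get-AuthenticodeSignature` on Windows to fail the pipeline if `MyApp.exe` or `setup.exe` is unsigned, invalid, or missing a timestamp. The optional `$ExpectedThumbprint` pin is a hypothetical parameter, and the check covers only the PE files, since ClickOnce manifests carry XML signatures rather than Authenticode ones.

```powershell
# Added example: fail the pipeline unless each signed file verifies.
# Assumed names: the publish\ layout from the article; $ExpectedThumbprint is a
# hypothetical, optional pin for your own signing certificate.
param(
    [string]   $PublishDir = 'publish',
    [string[]] $Files = @('MyApp.exe', 'setup.exe'),
    [string]   $ExpectedThumbprint = ''   # leave empty to skip the pin
)

$failures = foreach ($name in $Files) {
    $path = Join-Path $PublishDir $name
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        "${name}: file not found in $PublishDir"
        continue
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $path

    # 'Valid' means the file hash matches the signature and the chain is trusted.
    # NotSigned, HashMismatch, NotTrusted and UnknownError all fail here.
    if ($sig.Status -ne 'Valid') {
        "${name}: signature status $($sig.Status) ($($sig.StatusMessage))"
        continue
    }

    # A signature without a timestamp countersignature stops validating once
    # the signing certificate expires, so treat a missing one as a failure.
    if ($null -eq $sig.TimeStamperCertificate) {
        "${name}: signed but not timestamped"
    }

    # Optional pin: reject files signed by any certificate other than ours.
    if ($ExpectedThumbprint -and
        $sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint.Replace(' ', '')) {
        "${name}: signed by unexpected certificate $($sig.SignerCertificate.Thumbprint)"
    }
}

if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1   # non-zero exit code stops the CI job before the files are distributed
}
Write-Output "All $($Files.Count) files carry a valid, timestamped signature."
```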
