I have a ClickOnce application that has worked without issue for some time. I'm now trying to deploy it to a customer who has tighter security restrictions: In IE they have a setting to only allow signed applications to run (Tools>>Internet Options>>Security Tab>>Internet>>Custom Level...>>Run components not signed with Authenticode=Disable, Run components signed with Authenticode=Enable).
They are able to run the application's SetUp.exe (the [Install] button on the default publish.htm) but when they attempt to click the launch link (that targets the app.application file rather than SetUp.exe) they get the following error:
Activation of https://{DOMAIN}/client/app.application resulted in exception. Following failure messages were detected:
Your Web browser settings do not allow you to run unsigned applications.
I can recreate the problem with the same IE settings but...
- The application is signed using a Thawte code signing certificate that expires in 2017. (Project>>Properties>>Signing>>Sign ClickOnce manifests.)
- The assembly is signed using a strong name key file.
- The SetUp.exe's properties (in Explorer) show a digital certificate but the .application (and .exe.manifest) don't... should they?
I've tried (re)signing the .application and .exe.manifest files using MageUI.exe but IE still complains that they're not signed.
It feels like I'm missing something obvious... any ideas?
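
An added example, not part of the original post and not Microsoft tooling: a ClickOnce manifest is an XML file that carries its signature as an XMLDSig `Signature` element inside the document, so one way to see what was actually published is to parse the `.application` file, look for that element and `publisherIdentity`, and compare each `dependentAssembly` digest with the bytes of the file it references. The sample manifest, the publisher name and the helper names `inspect_manifest` and `sample_manifest` are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
ASM2 = "urn:schemas-microsoft-com:asm.v2"
# Digest algorithm URIs this example understands; anything else is reported as None.
DIGESTS = {DSIG + "sha1": hashlib.sha1, DSIG + "sha256": hashlib.sha256}


def inspect_manifest(xml_text, files):
    """files maps each codebase path to that file's bytes (read by the caller)."""
    root = ET.fromstring(xml_text)
    pub = root.find(f"{{{ASM2}}}publisherIdentity")
    report = {"has_signature": root.find(f"{{{DSIG}}}Signature") is not None,
              "publisher": pub.get("name") if pub is not None else None,
              "digest_ok": {}}
    for dep in root.iter(f"{{{ASM2}}}dependentAssembly"):
        path = dep.get("codebase")
        method = dep.find(f"{{{ASM2}}}hash/{{{DSIG}}}DigestMethod")
        value = dep.find(f"{{{ASM2}}}hash/{{{DSIG}}}DigestValue")
        if path is None or method is None or value is None:
            continue  # entries without a codebase and hash have nothing to compare
        algo = DIGESTS.get(method.get("Algorithm"))
        if algo is None or path not in files:
            report["digest_ok"][path] = None  # cannot be checked here
            continue
        actual = base64.b64encode(algo(files[path]).digest()).decode()
        report["digest_ok"][path] = actual == (value.text or "").strip()
    return report


def sample_manifest(app_manifest_bytes, signed):
    """Constructed, minimal deployment manifest (not a real published one)."""
    digest = base64.b64encode(hashlib.sha1(app_manifest_bytes).digest()).decode()
    sig = f'<Signature xmlns="{DSIG}"/>' if signed else ""
    pub = '<publisherIdentity name="CN=Example Publisher"/>' if signed else ""
    return (f'<asmv1:assembly xmlns="{ASM2}" xmlns:dsig="{DSIG}" '
            'xmlns:asmv1="urn:schemas-microsoft-com:asm.v1">'
            '<dependency><dependentAssembly codebase="app.exe.manifest">'
            f'<hash><dsig:DigestMethod Algorithm="{DSIG}sha1"/>'
            f'<dsig:DigestValue>{digest}</dsig:DigestValue></hash>'
            f'</dependentAssembly></dependency>{pub}{sig}</asmv1:assembly>')


if __name__ == "__main__":
    original = b"<assembly>app v1</assembly>"  # constructed stand-in for app.exe.manifest
    doc = sample_manifest(original, signed=True)
    print(inspect_manifest(doc, {"app.exe.manifest": original}))
    print(inspect_manifest(doc, {"app.exe.manifest": original + b"<!-- re-signed -->"}))
```

The check reports only whether the signature element is present and whether the recorded digests still match; it does not validate the signature or the certificate chain. A `False` digest for `app.exe.manifest` means that file changed after the deployment manifest recorded its hash, as happens when the application manifest is re-signed without the `.application` file being updated and signed again afterwards.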