Signing a VSTO add-in ClickOnce manifest

A couple of things to remember when releasing a VSTO add-in to production:

  1. The certificate used to sign the ClickOnce manifest
    1. Must be verifiable on the build machine (root CA and intermediate CAs must be trusted on the machine)
    2. Must be a certificate that has "code signing" among its purposes. This means that both of these items must be true:
      1. The Extended Key Usage (EKU) field of the certificate must either be unset or contain the EKU value for code signing (1.3.6.1.5.5.7.3.3). Prefer to specify this value explicitly, since it limits the intended use of the certificate.
      2. The Key Usage (KU) field of the certificate must either be unset or contain the usage bit for digital signature (0x80).
    3. Must include the private key
  2. Also, if you want to deploy the add-in silently to target machines by calling VSTOInstaller.exe with the "/s" (silent) switch, the public part of the certificate used to sign the add-in (no private key) must be imported into the "Trusted Publishers" folder of the intended end user's certificate store, or into the "Trusted Publishers" folder of the local machine certificate store.

In the EKU certificate field you might also want to include the value 1.3.6.1.4.1.311.10.3.13, which marks the certificate for lifetime signing. Typically, if a signature is time stamped, the signature remains valid after the certificate expires as long as the certificate was valid at the moment it was time stamped. This EKU forces the signature to expire together with the certificate, regardless of whether the signature is time stamped.
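Added example (not part of the original post): a PowerShell check that a certificate in the CurrentUser\My store meets the requirements listed above (trusted chain for the code-signing purpose, EKU, KU, private key), reports whether it carries the lifetime-signing EKU, and checks whether its public part is already in either Trusted Publishers store for silent installs. The store location and the thumbprint placeholder are assumptions.

```powershell
# Added example, not from the original post. Verifies a signing certificate
# against the requirements above. The CurrentUser\My store is an assumption;
# the thumbprint is supplied by the caller.
function Test-VstoSigningCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $codeSigningEku = '1.3.6.1.5.5.7.3.3'        # id-kp-codeSigning
    $lifetimeEku    = '1.3.6.1.4.1.311.10.3.13'  # Microsoft lifetime signing
    $cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint"

    # 1.2.1: EKU must be absent or include code signing
    $ekuExt  = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $ekuOk   = (-not $ekuExt) -or ($ekuOids -contains $codeSigningEku)

    # 1.2.2: KU must be absent or include digitalSignature (bit 0x80)
    $kuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $kuOk  = (-not $kuExt) -or
             $kuExt.KeyUsages.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)

    # 1.1: chain must build to a trusted root on this machine, evaluated for the code-signing purpose
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]::new($codeSigningEku)) | Out-Null
    $chainOk = $chain.Build($cert)
    if (-not $chainOk) {
        $chain.ChainStatus | ForEach-Object { Write-Warning "Chain: $($_.Status) - $($_.StatusInformation)" }
    }

    # 2: silent install (VSTOInstaller.exe /s) needs the certificate in Trusted Publishers
    $trusted = Get-ChildItem -Path 'Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher' |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }

    [pscustomobject]@{
        Subject            = $cert.Subject
        ChainTrusted       = $chainOk
        CodeSigningEku     = $ekuOk
        DigitalSignatureKu = $kuOk
        HasPrivateKey      = $cert.HasPrivateKey
        LifetimeSigning    = ($ekuOids -contains $lifetimeEku)
        InTrustedPublisher = [bool]$trusted
        ReadyToSign        = ($chainOk -and $ekuOk -and $kuOk -and $cert.HasPrivateKey)
    }
}

# Usage: replace the placeholder with the thumbprint of your signing certificate.
# Test-VstoSigningCertificate -Thumbprint 'PLACEHOLDER_THUMBPRINT'
```

Run it on the build machine before signing; a `ReadyToSign` of `$false` together with the chain warnings tells you which of the requirements above is not met.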