
Signed ClickOnce app gives "Publisher could not be verified"


I am deploying a signed ClickOnce app on our company network. The app is a desktop application which is built by a build server and deployed to a shared drive location. It is signed with a Symantec Code signing certificate that we bought for our organization. Each developer has installed the certificate into their Personal store, and the same is true for the build server. The Personal store is the only location that is usable from VS for signing.

When I try to install the app on a non-development machine, I get the "Publisher could not be verified" warning. This happens even though the root certificate is present in the CA certificate store on the machine, and the code signing certificate is present in the Trusted Publishers store. Both certificates are shown as "OK" with a traceable path on the machine.

But if I install the code signing certificate to the Personal store (same as on the dev PCs), the warning goes away. Instead I get a friendlier dialog asking if the app should be installed.

The certificate appears in the Personal folder together with "Symantec Enterprise Mobile CA for Microsoft" and "Symantec Enterprise Mobile Root for Microsoft".

The app is built with .NET 4.7.1 and Visual Studio 2017, and the target machine is running Windows 10.

Questions:

  1. Why am I required to install the certificate in the Personal store on the target PCs to make the warning go away? The docs https://msdn.microsoft.com/en-us/library/ms996418.aspx say that it is sufficient to have the root certificate in the "Trusted Root Certification Authorities".

  2. Why can't I achieve a silent installation by installing the code signing certificate in the "Trusted Publishers" store? Doing this makes the warning appear again.

  3. Is it a problem if the intermediate and root certificates also appear in the Personal and Trusted Publishers folders? They are installed together with the code signing certificate.


Solution

  • The timestamp URL was not needed to achieve silent installation.

    The solution was to install the 3 certificates (one at a time) in the correct folders in the certificate store on the target machine. The root certificate should go under "Trusted Root Certification Authorities" and the intermediate certificate should go under "Intermediate Certification Authorities".

    Finally, the code signing certificate should go under "Trusted Publishers".

    https://knowledge.digicert.com/solution/SO20770.html
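The three-store placement described in the solution, as a PowerShell script for the target machine. This is an added example, not code from the original question or answer. It assumes three public-key-only .cer files (the root, the intermediate, and the organisation's code signing certificate) were exported on a dev machine and copied over; the file paths are hypothetical, and the script must run in an elevated session because the LocalMachine stores are the ones Windows consults for every user on the box. It imports only public certificates: the .pfx holding the private key belongs on the build server and should never be distributed to end-user PCs, even though dropping it into the Personal store happens to make the warning disappear.

```powershell
# Added example, not from the original post. File names below are hypothetical.
$root         = 'C:\certs\symantec-root.cer'
$intermediate = 'C:\certs\symantec-intermediate.cer'
$signer       = 'C:\certs\company-codesign.cer'   # public certificate only, never the .pfx

# Refuse to continue if someone hands over a PFX: the private key must stay on the build server.
foreach ($f in $root, $intermediate, $signer) {
    if ([IO.Path]::GetExtension($f) -ieq '.pfx') { throw "Refusing to import a private key: $f" }
    if (-not (Test-Path $f)) { throw "Certificate file not found: $f" }
}

# Each certificate goes into exactly one store, matching the answer:
#   root         -> Trusted Root Certification Authorities (Cert:\LocalMachine\Root)
#   intermediate -> Intermediate Certification Authorities (Cert:\LocalMachine\CA)
#   signer       -> Trusted Publishers                     (Cert:\LocalMachine\TrustedPublisher)
Import-Certificate -FilePath $root         -CertStoreLocation Cert:\LocalMachine\Root             | Out-Null
Import-Certificate -FilePath $intermediate -CertStoreLocation Cert:\LocalMachine\CA               | Out-Null
Import-Certificate -FilePath $signer       -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# Check 1: the signer's chain must now build from the machine stores alone, for the
# code-signing EKU. A chain that only builds with the leaf in Personal is the
# symptom the question describes.
$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $signer
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check here; use 'Online' on a connected machine
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3')) | Out-Null
if (-not $chain.Build($leaf)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw 'Chain does not build from the machine stores; re-check which store each certificate went into'
}

# Check 2: the leaf itself (by thumbprint) must be listed in Trusted Publishers,
# which is what turns the install into a prompt-free one.
$trusted = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object Thumbprint -eq $leaf.Thumbprint
if (-not $trusted) { throw "Signer $($leaf.Thumbprint) is not in Trusted Publishers" }

"Chain OK ($($chain.ChainElements.Count) elements); $($leaf.Subject) is a trusted publisher"
```

Run it once per target machine (or push it through your software distribution tool). If the chain check fails with a message about an untrusted root or an unknown issuer, the root or intermediate landed in the wrong store; if the chain builds but the Trusted Publishers check fails, the leaf was imported somewhere other than `Cert:\LocalMachine\TrustedPublisher`.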