I'll be honest with you, Paul. I've never been really thrilled with ClickOnce. The toolset has never really seemed to mature except from the manual publishing/deploy side. Running the stuff through MSBuild has never been a good experience and Mage.exe always seems to have problems for me. Most of the time, my problems have revolved around the version number not being set correctly.
That said, I think our biggest troubles came from trying to manage things through the settings UI in Visual Studio. It has been helpful for me to try to rely a bit less on the MSBuild "magic" and pass the necessary parameters into MSBuild and take a little more control inside the csproj file.
I don't know what your build setup looks like, but, for us, we have Jenkins run a Rake file that invokes MSBuild on the solution. This allows us to send specific parameters into MSBuild from the Rake file.
Specifically, we push in values for ApplicationVersion, ApplicationRevision, MinimumRequiredVersion, and the OutDir. As far as things to watch out for in the csproj itself, you want to make sure that ManifestCertificateThumbprint, ManifestKeyFile, GenerateManifests and SignManifests are set. We also set the default build target to Publish, but I'm not sure that that's all that relevant.
I can't speak to why ClickOnce would be "de-signing" your executable aside from maybe the executable you're signing may not be the one you think is being packaged in the ClickOnce package. In other words, it may be building a new executable and throwing that in the package instead of the one you've already signed. I think I'd have to know a bit more about your setup in order to make that call for sure, though.
For what it's worth, if I could do it again, I wouldn't put my eggs in the ClickOnce basket. It's really only a great experience for those running Internet Explorer or if you've installed the plugin for Chrome. It's more work, but I'm currently working on a solution that mimics the Chrome update story. They have a ClickOnce package for Internet Explorer users, but it's really only used to download a Windows installer package that installs Chrome.exe and Update.exe. They go into plenty of details in the technical documentation for Omaha (otherwise known as Google Update).
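One way to test the hypothesis above that the packaged executable is not the one that was signed, as an added example that is not part of the original answer or of any ClickOnce tooling. It is written in Ruby so it can be called from a Rake build; `audit_package`, `authenticode_present?` and `fake_pe` are hypothetical names, and the paths and PE bytes are constructed samples.

```ruby
require "digest"
require "fileutils"
require "tmpdir"

# True when the PE file has a non-empty certificate table (data directory
# entry 4), which is where an embedded Authenticode signature is stored.
def authenticode_present?(path)
  data = File.binread(path)
  return false unless data.bytesize >= 0x40 && data[0, 2] == "MZ"
  pe = data[0x3C, 4].unpack1("V")                  # e_lfanew
  return false unless data[pe, 4] == "PE\0\0"
  opt = pe + 24                                    # optional header
  dirs = { 0x10b => 96, 0x20b => 112 }[data[opt, 2].to_s.unpack1("v")]
  entry = dirs && data[opt + dirs + 4 * 8, 8]
  return false unless entry && entry.bytesize == 8
  offset, size = entry.unpack("VV")
  size > 0 && offset + size <= data.bytesize
end

# Compare the signed exe with each copy under publish_dir (ClickOnce adds .deploy).
def audit_package(signed_exe, publish_dir)
  want = Digest::SHA256.file(signed_exe).hexdigest
  pattern = File.join(publish_dir, "**", "#{File.basename(signed_exe)}{,.deploy}")
  Dir.glob(pattern).sort.map do |path|
    { path: path, signed: authenticode_present?(path),
      same_bytes: Digest::SHA256.file(path).hexdigest == want }
  end
end

# Constructed sample: a bare PE32 header skeleton, not a real executable.
def fake_pe(signed:)
  img = "\0".b * 0x200
  img[0, 2] = "MZ"
  img[0x3C, 4] = [0x80].pack("V")
  img[0x80, 4] = "PE\0\0"
  img[0x98, 2] = [0x10b].pack("v")
  img[0x98 + 96 + 32, 8] = [0x1F0, 0x10].pack("VV") if signed
  img
end

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    pkg = File.join(dir, "publish", "Application Files", "App_1_0_0_1")
    FileUtils.mkdir_p(pkg)
    File.binwrite(File.join(dir, "App.exe"), fake_pe(signed: true))
    File.binwrite(File.join(pkg, "App.exe.deploy"), fake_pe(signed: false))
    puts audit_package(File.join(dir, "App.exe"), File.join(dir, "publish"))
  end
end
```

A packaged copy with `same_bytes: false` and `signed: false` means the build put a different, unsigned executable into the package. The check only detects that a signature is present; validating it still needs `signtool verify /pa`.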