I've been trying to distribute MANASYS Jazz (https://jazzsoftware.co.nz/) with ClickOnce, and I recently purchased an OV Code Signing Certificate to identify Jazz Software Ltd. However, I found that a prospect was still unable to download my software, being blocked by Microsoft SmartScreen. I then purchased an EV Code Signing certificate because "To be trusted by Microsoft, you need to earn application reputation. The only way to do that is with Extended Validation (EV) Code Signing. EV Code Signing boosts your SmartScreen reputation and gets your software trusted."
I have received my EV Code Signing Certificate, which is on a hardware token (USB). It cannot be copied from this; EV certificates are used from the token to sign your application, and I have been told that I will have to sign each build, as I cannot simply load a .pfx file into the Signing page of the project. But how do I do this? The examples from Sectigo (the source of both certificates) show a process that uses Signtool to sign the application, with a command like this:
signtool sign /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n "My company Inc." "C:\path\sto\fileToSign.exe"
If I have published my application with Visual Studio for ClickOnce there are several objects created, but only one .exe in the root folder, setup.exe. (All the objects in the Application subfolder have extension .Deploy). Can somebody confirm for me that it is Setup.exe that I need to sign? And will the absence of a valid certificate in the signing tab of the Visual Studio project cause a problem?
Thank you, Robert