Dave Burke : Freelance .NET Web Developer specializing in Online Communities

Surviving the ClickOnce code-signing Meat Grinder

All code distributed with ClickOnce must be signed.  That means it's...Certificate Time! 

c:\>MakeCert, CertMgr, WannaCert, CertLust, etc.

Brian Noyes wrote the definitive article on ClickOnce Trusted Authors and Security.  You need to read it [carefully] if ClickOnce is in your future.  I'll reiterate the primary steps here covering Signing the app with a Certificate as I experienced while in the Meat Grinder.  This description is for an app not only built on a server on a different domain than the destination server, but which is also offline, as in "not connected to the Internet."

Regarding being non-connected to the Internet, you can publish an app in VS.NET to a file location and enter an installation URL for where the ClickOnce distribution will take place.  That works great.

As for the Certificate, I'm not using a Thawte or VeriSign Cert.  I want to go with one eventually, but for now I'm spinning my own, which is also described in Brian's MSDN article.

You can either create your cert on your development server at the command line to customize it (example below) or in Visual Studio.

C:\Program Files\Microsoft.NET\SDK\v2.0>makecert -pe -sp "Microsoft Enhanced Cryptographic Provider v1.0" -sky "signature" -n "E=myemailaddress,CN=My Company Inc" -ss "MY" -e "01/04/2010" c:\temp\MyDevCert4.cer

This places the .CER in your Personal certificate store (the "MY" param.)  VS.NET creates a .PFX and puts it into your Personal store automatically, but you have little ability to customize it.  If you use the command line to pretty-up your cert, you'll want to export the .CER with the private key to create the .PFX file.   Pic below.  (There's probably a way to create a .PFX at the command line, but I've only been certificate-focused since last night.)  VS.NET only looks in the Personal store for the cert it uses to sign your app, which is why a certificate you create yourself has to be there.

Here's what you want to know on the destination server.  It needs the .NET 2.0 Redistributable AND the .NET 2.0 SDK (for the Certificate Manager).  Upload the ClickOnce app files to the destination server and--here's something that you'll want to kiss me on the lips for finding out--COPY YOUR DEVELOPMENT SERVER .PFX TO YOUR DESTINATION SERVER CLICKONCE DIRECTORY.  Then use the SDK command prompt and run CERTMGR to add your uploaded .PFX certificate to both the Trusted Publishers store and the Trusted Root store. 
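Once the stores are populated, it helps to confirm that the same certificate (by thumbprint) is actually where ClickOnce will look for it. The script below is an added check, not code from the original post; it assumes Windows PowerShell on the machine being checked and uses the .CER path from the makecert command above as a default, which you would replace with your own file.

```powershell
# Added verification script (not from the original post).
# Assumes Windows PowerShell and the certificate path used in the makecert example.
param(
    [string]$CertFile = "c:\temp\MyDevCert4.cer"   # assumed path; replace with yours
)

# Get-PfxCertificate loads both .cer and .pfx files (it prompts for a PFX password).
$cert = Get-PfxCertificate -FilePath $CertFile
Write-Host ("Subject:    {0}" -f $cert.Subject)
Write-Host ("Thumbprint: {0}" -f $cert.Thumbprint)
Write-Host ("Expires:    {0}" -f $cert.NotAfter)

if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate has expired; renew it before publishing again."
}

# The trust stores only need the public half of the certificate (the .cer).
# A .pfx also carries the private key that signs your manifests, so flag it
# when that is what you are about to import.
if ($cert.HasPrivateKey) {
    Write-Warning "This file contains the private key; import only the .cer into the trust stores."
}

# Stores that matter for ClickOnce: Personal (MY) on the dev box, where VS.NET
# looks for the signing cert, and Trusted Publishers / Trusted Root on the box
# that installs the app.
$stores = @(
    "Cert:\CurrentUser\My",
    "Cert:\CurrentUser\TrustedPublisher",
    "Cert:\CurrentUser\Root",
    "Cert:\LocalMachine\TrustedPublisher",
    "Cert:\LocalMachine\Root"
)

foreach ($store in $stores) {
    # Match on thumbprint so a different cert with the same subject name is not mistaken for ours.
    $match = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
             Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    $state = if ($match) { "present" } else { "missing" }
    Write-Host ("{0,-40} {1}" -f $store, $state)
}
```

Run it on the development server to confirm the Personal store entry, and again on the destination server to confirm the Trusted Publishers and Trusted Root entries; a "missing" line tells you which certmgr step still needs to be done.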

There's a lot about Certificates I don't know, and there are other approaches to code-signing ClickOnce apps.  This post should prevent some head-banging, unless you're into that sort of thing, in which case crank up some Van Halen 5150 and say "Heeeeellllooooo, Baaaaaby!"


Posted on 7/19/2005 12:07:00 PM by Dave Burke
Categories: .NET
