Description
Describe the bug
I have a simple standard Microsoft Office Excel plugin. I need to codesign the plugin to allow for installation. I am using Azure trusted signing for signing the ClickOnce application.
Installing immediately after the signing works fine. Waiting for more than 3 days (or after the signing certificate has expired) yields an error during install.
Repro steps
- Start Windows PowerShell in Administrator mode (Windows 11 Home 26100.7171)
- Compile and publish the Office Extension from Visual Studio IDE (Microsoft Visual Studio Community 2022 (64-bit) Version 17.14.21 (November 2025))
I do not think the timestamp URL was filled on the project properties page, but this should not matter? I have tested that the manifest is updated with the certificate used to sign (Running Visual Studio IDE publish it uses a My Computer local self signed certificate configured on the project properties page. After running sign.exe it is using the Azure trusted signing certificate - as I would expect - so the project properties timestamp setting should not matter?)
- Run the following command on the publish directory for a simple ClickOnce Office extension/plugin
& ./sign.exe code trusted-signing "D:\ExcelPlugin\ExcelPlugin.vsto" -tse https://weu.codesigning.azure.net -tsa ABCCodeSigning -tscp ABCCodeSigningCertificate -an ExcelPlugin -pn MyCompany -t "http://timestamp.acs.microsoft.com" -v trace
- (Upload the ClickOnce application to the final publish location)
- Install the ClickOnce application from the final publish location - this works fine ✅
- Wait for the certificate to expire
- Uninstall the ClickOnce application
- Install the ClickOnce application from the final publish location - this throws an error ❌
Error during install is:
Name: ExcelPlugin
From: https://care.MyCompany.com/ExcelPlugin/ExcelPlugin.vsto
************** Exception Text **************
System.Security.SecurityException: Customized functionality in this application will not work because the certificate used to sign the deployment manifest for ExcelPlugin or its location is not trusted. Contact your administrator for further assistance.
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInTrustEvaluator.VerifyTrustPromptKeyInternal(ClickOnceTrustPromptKeyValue promptKeyValue, DeploymentSignatureInformation signatureInformation, String productName, TrustStatus status)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInTrustEvaluator.VerifyTrustUsingPromptKey(Uri manifest, DeploymentSignatureInformation signatureInformation, String productName, TrustStatus status)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.ProcessSHA2Manifest(ActivationContext context, DeploymentSignatureInformation signatureInformation, PermissionSet permissionsRequested, Uri manifest, ManifestSignatureInformationCollection signatures, AddInInstallationStatus installState, TrustStatus sha256TrustStatus, X509Certificate2 sha256PublisherCert)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.VerifySecurity(ActivationContext context, Uri manifest, AddInInstallationStatus installState)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()
The Zone of the assembly that failed was:
MyComputer
Expected behavior
The timestamping of the ClickOnce application should allow the installation after the certificate used for codesigning has expired, so you can install at any time in the future
Actual behavior
Install fails
Additional context
- Include the output of sign --version: 0.9.1-beta.25379.1+ba6e717abf74a693f0f9c5e891c0e3ef624956b3
- Include the output of dotnet --info:
dotnet --info
.NET SDK:
Version: 10.0.100
Commit: b0f34d51fc
Workload version: 10.0.100-manifests.4c0ca8ba
MSBuild version: 18.0.2+b0f34d51f
Runtime Environment:
OS Name: Windows
OS Version: 10.0.26100
OS Platform: Windows
RID: win-x64
Base Path: C:\Program Files\dotnet\sdk\10.0.100\
.NET workloads installed:
[maui-windows]
Installation Source: VS 17.14.36717.8
Manifest Version: 10.0.0-rc.2.25504.7/10.0.100-rc.2
Manifest Path: C:\Program Files\dotnet\sdk-manifests\10.0.100-rc.2\microsoft.net.sdk.maui\10.0.0-rc.2.25504.7\WorkloadManifest.json
Install Type: Msi
[maccatalyst]
Installation Source: VS 17.14.36717.8
Manifest Version: 26.0.10970-net10-rc.2/10.0.100-rc.2
Manifest Path: C:\Program Files\dotnet\sdk-manifests\10.0.100-rc.2\microsoft.net.sdk.maccatalyst\26.0.10970-net10-rc.2\WorkloadManifest.json
Install Type: Msi
[android]
Installation Source: VS 17.14.36717.8
Manifest Version: 36.0.0-rc.2.332/10.0.100-rc.2
Manifest Path: C:\Program Files\dotnet\sdk-manifests\10.0.100-rc.2\microsoft.net.sdk.android\36.0.0-rc.2.332\WorkloadManifest.json
Install Type: Msi
[ios]
Installation Source: VS 17.14.36717.8
Manifest Version: 26.0.10970-net10-rc.2/10.0.100-rc.2
Manifest Path: C:\Program Files\dotnet\sdk-manifests\10.0.100-rc.2\microsoft.net.sdk.ios\26.0.10970-net10-rc.2\WorkloadManifest.json
Install Type: Msi
Configured to use workload sets when installing new manifests.
No workload sets are installed. Run "dotnet workload restore" to install a workload set.
Host:
Version: 10.0.0
Architecture: x64
Commit: b0f34d51fc
.NET SDKs installed:
8.0.416 [C:\Program Files\dotnet\sdk]
9.0.308 [C:\Program Files\dotnet\sdk]
10.0.100 [C:\Program Files\dotnet\sdk]
.NET runtimes installed:
Microsoft.AspNetCore.App 6.0.36 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 7.0.20 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.22 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.11 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 5.0.17 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.36 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 7.0.20 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.18 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.22 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.11 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 10.0.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 6.0.36 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 7.0.20 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 8.0.22 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 9.0.11 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 10.0.0 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Other architectures found:
x86 [C:\Program Files (x86)\dotnet]
registered at [HKLM\SOFTWARE\dotnet\Setup\InstalledVersions\x86\InstallLocation]
Environment variables:
Not set
global.json file:
Not found
Learn more:
https://aka.ms/dotnet/info
Download .NET:
https://aka.ms/dotnet/download
- Add any other context about the problem here.
Looking at mage.exe documentation https://learn.microsoft.com/en-us/dotnet/framework/tools/mage-exe-manifest-generation-and-editing-tool seems to indicate that the command line argument
-ti, -TimestampUri uri
Application manifests. Deployment manifests.
The URL of a digital timestamping service. Timestamping the manifests prevents you from having to re-sign the manifests should your digital certificate expire before you deploy the next version of your application. For more information, see Windows root certificate program members.
When I look at the trace output from sign I do not see the timestampuri being passed from sign to mage.exe (I am not sure if it should or not, but I noticed that it was not present)?
info: Sign.Core.IMageCli[0]
Running mage.exe with parameters: '-update "C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\ExcelPlugin.dll.manifest" -a sha256RSA -n "ExcelPlugin"'.
info: Sign.Core.IMageCli[0]
mage.exe returned the output ExcelPlugin.dll.manifest successfully updated
info: Sign.Core.IDataFormatSigner[0]
Signing C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\ExcelPlugin.dll.manifest succeeded.
info: Sign.Core.IMageCli[0]
Running mage.exe with parameters: '-update "C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\ExcelPlugin.vsto" -a sha256RSA -n "ExcelPlugin" -pub "MyCompany" -appm "C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\ExcelPlugin.dll.manifest"'.
info: Sign.Core.IMageCli[0]
mage.exe returned the output ExcelPlugin.vsto successfully updated
info: Sign.Core.IDataFormatSigner[0]
Signing C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\ExcelPlugin.vsto succeeded.
info: Sign.Core.IMageCli[0]
Running mage.exe with parameters: '-update "C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\41hkpiii.vsto" -a sha256RSA -n "ExcelPlugin" -pub "MyCompany" -appm "C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\ExcelPlugin.dll.manifest"'.
info: Sign.Core.IMageCli[0]
mage.exe returned the output 41hkpiii.vsto successfully updated
Below is the full trace
& ./sign.exe code trusted-signing "D:\ExcelPlugin\ExcelPlugin.vsto" -tse https://weu.codesigning.azure.net -tsa ABCCodeSigning -tscp ABCCodeSigningCertificate -an ExcelPlugin -pn MyCompany -t "http://timestamp.acs.microsoft.com" -v trace
trce: Sign.SignatureProviders.TrustedSigning.TrustedSigningService[0]
Fetching certificate from Trusted Signing certificate profile.
trce: Sign.SignatureProviders.TrustedSigning.TrustedSigningService[0]
Fetched certificate. [1250.038 ms]
trce: Sign.SignatureProviders.TrustedSigning.TrustedSigningService[0]
Certificate details:
[Version]
V3
[Subject]
CN=MyCompany A/S, O=MyCompany A/S, STREET=Some Street 12B, L=SomeCity, S=Somewhere, C=US, PostalCode=11111
Simple Name: MyCompany A/S
DNS Name: MyCompany A/S
[Issuer]
CN=Microsoft ID Verified CS EOC CA 01, O=Microsoft Corporation, C=US
Simple Name: Microsoft ID Verified CS EOC CA 01
DNS Name: Microsoft ID Verified CS EOC CA 01
[Serial Number]
XXX...
[Not Before]
04/12/2025 12.57.54
[Not After]
07/12/2025 12.57.54
[Thumbprint]
XXX...
[Signature Algorithm]
sha384RSA(1.2.840.113549.1.1.12)
[Public Key]
Algorithm: RSA
Length: 3072
Key Blob: XXX...
Parameters: 05 00
[Extensions]
* Basic Constraints(2.5.29.19):
Subject Type=End Entity
Path Length Constraint=None
* Key Usage(2.5.29.15):
Digital Signature (80)
* Enhanced Key Usage(2.5.29.37):
Unknown Key Usage (1.3.6.1.4.1.311.97.1.0)
Code Signing (1.3.6.1.5.5.7.3.3)
Unknown Key Usage (1.3.6.1.4.1.311.97.796683272.444286526.89465786.253054379)
* Subject Key Identifier(2.5.29.14):
XXX...
* Authority Key Identifier(2.5.29.35):
KeyID=XXX...
* CRL Distribution Points(2.5.29.31):
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=http://www.microsoft.com/pkiops/crl/Microsoft ID Verified CS EOC CA 01.crl (http://www.microsoft.com/pkiops/crl/Microsoft%20ID%20Verified%20CS%20EOC%20CA%2001.crl)
* Authority Information Access(1.3.6.1.5.5.7.1.1):
[1]Authority Information Access
Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
Alternative Name:
URL=http://www.microsoft.com/pkiops/certs/Microsoft ID Verified CS EOC CA 01.crt (http://www.microsoft.com/pkiops/certs/Microsoft%20ID%20Verified%20CS%20EOC%20CA%2001.crt)
[2]Authority Information Access
Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
Alternative Name:
URL=http://oneocsp.microsoft.com/ocsp
* Certificate Policies(2.5.29.32):
[1]Certificate Policy:
Policy Identifier=1.3.6.1.4.1.311.76.509.1.1
[1,1]Policy Qualifier Info:
Policy Qualifier Id=CPS
Qualifier:
http://www.microsoft.com/pkiops/Docs/Repository.htm
[2]Certificate Policy:
Policy Identifier=2.23.140.1.4.1
info: Sign.Core.ISigner[0]
Submitting D:\ExcelPlugin\ExcelPlugin.vsto for signing.
trce: Sign.Core.IDirectoryService[0]
Creating directory C:\Users\UserA\AppData\Local\Temp\2y5251su.zom.
info: Sign.Core.ISigner[0]
SignAsync called for D:\ExcelPlugin\ExcelPlugin.vsto. Using C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\41hkpiii.vsto locally.
info: Sign.Core.IDataFormatSigner[0]
Signing Mage job with 1 files.
info: Sign.Core.IDataFormatSigner[0]
Signing SignTool job with 8 files.
info: Sign.Core.IDataFormatSigner[0]
Signing C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\ExcelPlugin.dll.
info: Sign.Core.IDataFormatSigner[0]
Signing C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\Microsoft.Office.Tools.v4.0.Framework.dll.
info: Sign.Core.IDataFormatSigner[0]
Signing C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\Microsoft.Office.Tools.Common.v4.0.Utilities.dll.
info: Sign.Core.IDataFormatSigner[0]
Signing C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\Microsoft.VisualStudio.Tools.Applications.Runtime.dll.
info: Sign.Core.IDataFormatSigner[0]
Signing C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\Microsoft.Office.Tools.Excel.dll.
info: Sign.Core.IDataFormatSigner[0]
Signing C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\Microsoft.Office.Tools.Common.dll.
info: Sign.Core.IDataFormatSigner[0]
Signing C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\setup.exe.
info: Sign.Core.IDataFormatSigner[0]
Signing C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\Microsoft.Office.Tools.dll.
trce: Sign.Core.IDataFormatSigner[0]
Getting SIP Data
trce: Sign.Core.IDataFormatSigner[0]
Getting SIP Data
trce: Sign.Core.IDataFormatSigner[0]
Getting SIP Data
trce: Sign.Core.IDataFormatSigner[0]
Getting SIP Data
trce: Sign.Core.IDataFormatSigner[0]
Getting SIP Data
trce: Sign.Core.IDataFormatSigner[0]
Getting SIP Data
trce: Sign.Core.IDataFormatSigner[0]
Getting SIP Data
trce: Sign.Core.IDataFormatSigner[0]
Getting SIP Data
trce: Sign.Core.IDataFormatSigner[0]
Calling SignerSignEx3
trce: Sign.Core.IDataFormatSigner[0]
Calling SignerSignEx3
trce: Sign.Core.IDataFormatSigner[0]
Calling SignerSignEx3
trce: Sign.Core.IDataFormatSigner[0]
Calling SignerSignEx3
trce: Sign.Core.IDataFormatSigner[0]
Calling SignerSignEx3
trce: Sign.Core.IDataFormatSigner[0]
Calling SignerSignEx3
trce: Sign.Core.IDataFormatSigner[0]
Calling SignerSignEx3
trce: Sign.Core.IDataFormatSigner[0]
Calling SignerSignEx3
info: Sign.Core.IDataFormatSigner[0]
Signing C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\Microsoft.Office.Tools.Excel.dll succeeded.
info: Sign.Core.IDataFormatSigner[0]
Signing C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\Microsoft.VisualStudio.Tools.Applications.Runtime.dll succeeded.
info: Sign.Core.IDataFormatSigner[0]
Signing C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\Microsoft.Office.Tools.Common.dll succeeded.
info: Sign.Core.IDataFormatSigner[0]
Signing C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\Microsoft.Office.Tools.Common.v4.0.Utilities.dll succeeded.
info: Sign.Core.IDataFormatSigner[0]
Signing C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\Microsoft.Office.Tools.v4.0.Framework.dll succeeded.
info: Sign.Core.IDataFormatSigner[0]
Signing C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\setup.exe succeeded.
info: Sign.Core.IDataFormatSigner[0]
Signing C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\Microsoft.Office.Tools.dll succeeded.
info: Sign.Core.IDataFormatSigner[0]
Signing C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\ExcelPlugin.dll succeeded.
info: Sign.Core.IMageCli[0]
Running mage.exe with parameters: '-update "C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\ExcelPlugin.dll.manifest" -a sha256RSA -n "ExcelPlugin"'.
info: Sign.Core.IMageCli[0]
mage.exe returned the output ExcelPlugin.dll.manifest successfully updated
info: Sign.Core.IDataFormatSigner[0]
Signing C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\ExcelPlugin.dll.manifest succeeded.
info: Sign.Core.IMageCli[0]
Running mage.exe with parameters: '-update "C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\ExcelPlugin.vsto" -a sha256RSA -n "ExcelPlugin" -pub "MyCompany" -appm "C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\ExcelPlugin.dll.manifest"'.
info: Sign.Core.IMageCli[0]
mage.exe returned the output ExcelPlugin.vsto successfully updated
info: Sign.Core.IDataFormatSigner[0]
Signing C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\ExcelPlugin.vsto succeeded.
info: Sign.Core.IMageCli[0]
Running mage.exe with parameters: '-update "C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\41hkpiii.vsto" -a sha256RSA -n "ExcelPlugin" -pub "MyCompany" -appm "C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\Application Files\ExcelPlugin_2_2_0_31\ExcelPlugin.dll.manifest"'.
info: Sign.Core.IMageCli[0]
mage.exe returned the output 41hkpiii.vsto successfully updated
info: Sign.Core.IDataFormatSigner[0]
Signing C:\Users\UserA\AppData\Local\Temp\2y5251su.zom\41hkpiii.vsto succeeded.
trce: Sign.Core.IDirectoryService[0]
Deleting directory C:\Users\UserA\AppData\Local\Temp\2y5251su.zom.
trce: Sign.Core.IDirectoryService[0]
Directory C:\Users\UserA\AppData\Local\Temp\2y5251su.zom deleted.
info: Sign.Core.ISigner[0]
Completed in 11444 ms.
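
One way to check a sign trace for the observation in this report, as an added example that is not part of the original issue or of the sign project: the script lists each mage.exe invocation logged by Sign.Core.IMageCli and whether it carries mage's documented -ti / -TimestampUri option. The sample trace is constructed in the format shown above; its paths and the third invocation are hypothetical, and the function names are this example's own.

```python
import ntpath
import re

# Constructed sample in the format of the trace above. The third invocation is
# hypothetical: it shows what a call carrying mage's -ti option would look like.
SAMPLE_TRACE = r"""
info: Sign.Core.IMageCli[0]
Running mage.exe with parameters: '-update "C:\Temp\job\Application Files\ExcelPlugin_2_2_0_31\ExcelPlugin.dll.manifest" -a sha256RSA -n "ExcelPlugin"'.
info: Sign.Core.IMageCli[0]
Running mage.exe with parameters: '-update "C:\Temp\job\ExcelPlugin.vsto" -a sha256RSA -n "ExcelPlugin" -pub "MyCompany" -appm "C:\Temp\job\Application Files\ExcelPlugin_2_2_0_31\ExcelPlugin.dll.manifest"'.
info: Sign.Core.IMageCli[0]
Running mage.exe with parameters: '-update "C:\Temp\job\Other.vsto" -a sha256RSA -ti "http://timestamp.acs.microsoft.com"'.
"""

MAGE_LINE = re.compile(r"Running mage\.exe with parameters: '(.*)'\.\s*$", re.MULTILINE)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')      # a quoted argument or a bare word
TIMESTAMP_FLAGS = {"-ti", "-timestampuri"}  # compared case-insensitively
UPDATE_FLAGS = {"-u", "-update"}


def parse_args(params):
    """Split a mage.exe parameter string, keeping quoted paths with spaces whole."""
    return [quoted or bare for quoted, bare in TOKEN.findall(params)]


def audit_mage_invocations(trace):
    """Return one record per mage.exe call: target manifest and timestamp URI (or None)."""
    records = []
    for match in MAGE_LINE.finditer(trace):
        args = parse_args(match.group(1))
        record = {"manifest": None, "timestamp_uri": None}
        # Walk flag/value pairs; the value is the token that follows the flag.
        for flag, value in zip(args, args[1:]):
            if flag.lower() in UPDATE_FLAGS:
                record["manifest"] = ntpath.basename(value)
            elif flag.lower() in TIMESTAMP_FLAGS:
                record["timestamp_uri"] = value
        records.append(record)
    return records


def manifests_without_timestamp(trace):
    """Names of manifests whose mage.exe call carried no timestamp option."""
    return [r["manifest"] for r in audit_mage_invocations(trace)
            if r["timestamp_uri"] is None]


if __name__ == "__main__":
    for rec in audit_mage_invocations(SAMPLE_TRACE):
        status = rec["timestamp_uri"] or "no -ti / -TimestampUri"
        print(f'{rec["manifest"]}: {status}')
```

The result only reports what the trace shows was passed to mage.exe; it does not inspect the signed manifest itself.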