What is signing ClickOnce manifests for?

Question

According to Microsoft, you must sign your ClickOnce application. But it seems to me that it works just fine when I publish it without signing it (by turning off th

Answer 1

It's a security feature that allows your users to verify that any updates really originated from the publisher of the version you installed before. This is a basic property of Public Key encryption. On top of that you can have your certificate authorized by a trusted peer so that the details of the publisher supplied are also verified. (Having the same publisher as before doesn't have to mean the original information about the publisher is correct. That's the advantage of a bought one.)

So summary:

1. No certificate puts your users at a gamble where the software came from.
2. Self-signed certificates give the user certainty that updates at least came from the same publisher as their original install. But still don't know where this original came from.
3. Purchased certificates give users a degree of certainty that the information about the publisher is verified by a 3rd (and trusted) party. As well as any following updates.