How to Sign ClickOnce with Sha256 Cert for .NET 4.0 like Visual Studio Update 3

I have figured out how to do it with just msbuild

I have Visual Studio 2013 with Update 3 installed. Loaded the certificates needed into the store using the project Properties > Signing tab, taking note of the <ManifestCertificateThumbprint> in the .csproj file for each certificate. Then you can use them on command line like this:

msbuild /target:publish /property:ManifestKeyFile="certificate.pfx" /property:ManifestCertificateThumbprint="CERTIFICATE THUMBPRINT"

As user2404450 correctly wrote, the problem cannot be solved with Mage included in any VS 2013 Update. Microsoft has updated the API, but not the mage.exe tool. If you add the "-algorithm sha1RSA" parameter while calling mage.exe, you only specify what digest algorithm to use when generating hashes for your application resources.

To solve this, we have written a small tool that calls the correct API, see an example:

Microsoft.Build.Tasks.Deployment.ManifestUtilities.SecurityUtilities.SignFile(certThumbprint, timestampUrl, path, "v4.0");

You have to install VS 2013 Update 3 to get the 4th parameter working.