I have a clickonce application installed.
It was using sha1 signature algorithm. Certificate got expired and I decided to change it to a EV Sha384 certificate.
I re-signed my libraries and manifests using Sha256 signature algorithm.
My application do not use auto-update from clickonce. I do it promgramatically when user click on appref-ms file on desktop.
Update happened successfully and I can see publickey in appref-ms file points to new sha256 key.
But when I click appref-ms OR deployment manifest file FIRST TIME after update, It showes me clickonce install pop up. Click on "Install" button do not install anything but just simply open my already updated app.
I wonder why do it does that? How click on appref-ms OR deployment manifest file checks to show the install pop up? Is there something in registry it checks?
Clickonce uses registries to store and check if it is a fresh install or a update.
Clickonce treat it as a fresh install when certificate is changed. Per microsoft it should be fixed in newer .NET releases but seems like entire infrastructure around clickonce was not really focussed.
There are ways to mitigate it but they are not very clean. So recommendation is to have a signing certificate that have possibility to extend.