I'm very puzzled about the code signing system in place in Visual Studio. I
can sign ClickOnce deployments with a certificate from the certifcate store.
Why can I not do the same thing when signing an assembly? For that, I need
to have a .pfx or .snk file. My company does not want to give the Verisign
certificate password to the development team, and rightly so since they could
then take that .pfx home an start singing any sort of trash they wanted with
the company certificate. So instead, they have installed the certificate
with the private key in the certificate store and disabled the ability to
export the private key. The only way to sign code is then to use
signtool.exe. Code signing in Visual Studio is not possible. Why aren't the
code signing mechanisms for ClickOnce and assemblies the same? It seems like
I must be missing something here, but I can't imagine what it could be.

"Joe Monnin" <JoeMonnin (AT) discussions (DOT) microsoft.com> wrote

I have the same questions. It doesn't make sense to me. Further, I don't
think you can digitally sign an assembly in Visual Studio, not even in 2010.
The assembly signing is for a strong name, not a public code signing
certificate. Still, you don't want to be handing out your strong name key
either.

I have found that you can strong name sign with a key from the certificate
store by editing your *.csproj file and adding:

<KeyContainerName>YourKeyName</KeyContainerName>

Add this right after the <AssemblyName>. <SignAssembly> should be left as
false.

You still have to use signtool.exe (or Set-AuthenticodeSignature) to sign
the assembly with your Verisign certificate.