The public key is used as a first level of defense by the bootstrapper: if the public key of the downloaded package does not match what the bootstrapper was built with, the installation will fail out of the box.
More checks are then done by the bootstrapper; I'm not going to go into many details, but it is similar to what is done in the Windows Installer Guide around bootstrapping. See in particular "Internet Download Bootstrapping" on MSDN (http://msdn2.microsoft.com/en-us/library/aa369557.aspx).
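As an added illustration of the first-level check described above (example code, not the original author's bootstrapper), the following PowerShell script refuses to launch a downloaded package unless its Authenticode signer's public key hashes to the value it was built with; the parameter names and the pinned hash are assumptions, not values from the page.

```powershell
# Added example: pin the publisher public key the bootstrapper was built with and
# fail the installation before msiexec ever runs if the downloaded package's signer
# does not match. Parameter names and the pinned hash value are hypothetical.
param(
    [Parameter(Mandatory)] [string] $PackagePath,
    # Placeholder: lowercase hex SHA-256 of the expected signer's raw public key,
    # embedded in the bootstrapper at build time (supply your own value).
    [Parameter(Mandatory)] [string] $PinnedPublicKeySha256
)

# Step 1: the signature itself must chain to a trusted root and be intact.
# Status is NotSigned, HashMismatch, UnknownError, etc. for anything else; fail closed.
$sig = Get-AuthenticodeSignature -FilePath $PackagePath
if ($sig.Status -ne 'Valid') {
    throw "Signature status for '$PackagePath' is $($sig.Status); refusing to install."
}

# Step 2: a valid signature from *some* trusted publisher is not enough; the signer
# must be the publisher the bootstrapper was built with. Hash only the raw public key
# so a re-issued certificate with the same key still passes, but a different key fails.
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$keyBytes = $sig.SignerCertificate.GetPublicKey()
$actual   = ($sha256.ComputeHash($keyBytes) | ForEach-Object { $_.ToString('x2') }) -join ''

if ($actual -ne $PinnedPublicKeySha256.ToLowerInvariant()) {
    throw "Publisher key mismatch for '$PackagePath': expected $PinnedPublicKeySha256, got $actual."
}

# Both checks passed: hand the package to Windows Installer (silent install shown).
Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$PackagePath`" /qn" -Wait
```

Run it as `.\Verify-Bootstrap.ps1 -PackagePath .\setup.msi -PinnedPublicKeySha256 <hash>`; the pinned hash can be produced once from a known-good package by running the same `GetPublicKey()`/SHA-256 steps against it.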