Daniel Margetic has posted a workaround for updating a ClickOnce application that has been deployed with an expired Authenticode certificate. I wrote about this problem back in January and came up with a kludge that involved automatically uninstalling the app and reinstalling from a new location.
Daniel’s solution uses a newer version of the code signing tool, included in the Windows Server R2 SDK, that allows you to sign with two different keys – one for Authenticode and one for the manifest’s “strong name”. Basically, you continue to sign the manifest using the key from the expired cert and generate the Authenticode signature using the renewed certificate.
Details at Daniel’s blog: