I just want to add that I spent a day and a half trying to get this to work, and whilst much of the above helped, as Joe P mentions, this won't work with ClickOnce .application files anyway.

But I did resolve my issue, and that was to switch mage.exe for dotnet-mage.exe! Mage.exe was always using SHA1 in the signing of the .application files, even if you specified SHA2. There were many reports of the .NET 4.6 bug that caused this being fixed in 4.7 (or VS 2022 17.3) but still, no matter what I tried, Mage (and MageUI) exported SHA1 (and this could be verified by opening the .application file in Notepad and checking the DigestMethod).

After trying more or less everything, I found dotnet-mage.exe and switched to that, and hey-presto, everything now works, and I can sign my .application files with a SHA384 certificate and timeserver, and the Windows ClickOnce installer recognises the certificate and shows a valid publisher, even after the certificate expiry date. In case it helps, the command I used was:

dotnet-mage -Update MyApp.application -CertFile MyCert.pfx -Password PASSWORD -TimestampUri http://timestamp.comodoca.com -ProviderUrl https://MyURL.com/MyApp.application -appmanifest MyApp.exe.manifest -MinVersion 2.0 -Name MyApp -Algorithm sha256RSA