I just want to add that I spent a day and a half trying to get this to work, and in case this helps anyone else...

I found I had to switch from mage.exe to dotnet-mage.exe! Mage.exe was always using SHA1 in the signing of the .application files, even if you specified SHA2. There were many reports of the .NET 4.6 bug that caused this being fixed in 4.7 (or VS 2022 17.3) but still, no matter what I tried, like the above author, Mage (and MageUI) exported SHA1 (and this could be verified by opening the .application file in Notepad and checking the DigestMethod).

After trying more or less everything, I found dotnet-mage.exe and switched to that, and hey-presto, everything now works, and I can sign my .application files with a SHA384 certificate and timeserver, and the Windows ClickOnce installer recognises the certificate and shows a valid publisher, even after the certificate expiry date. In case it helps, the command I used was:

dotnet-mage -Update MyApp.application -CertFile MyCert.pfx -Password PASSWORD -TimestampUri http://timestamp.comodoca.com -ProviderUrl https://MyURL.com/MyApp.application -appmanifest MyApp.exe.manifest -MinVersion 2.0 -Name MyApp -Algorithm sha256RSA