Unable to sign bootstrapper executable (setup.exe) after embedding manifest

3

We are using NAnt to prepare the setup of our software using ClickOnce.

Using signtool to sign dll(s) and exe(s).

signtool command : signtool sign /f ${certFile} /p ${certFilePwd} {path of setup.exe}

Using Mt.exe to embed manifests in exe files.

Mt command : mt -manifest {manifest file} -outputresource:{filepath};#1

We have two exe files. One is our app.exe and the second is setup.exe (the bootstrapper created by ClickOnce).

There is no issue with app.exe in signing after embedding manifests.

But signing setup.exe after embedding the manifest gives the error below:

SignTool Error: SignedCode::Sign returned error: 0x80070057. The parameter is incorrect.

manifest file contains:

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
    <ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">
        <ms_asmv2:security>
            <ms_asmv2:requestedPrivileges>
                <ms_asmv2:requestedExecutionLevel level="asInvoker" 
                           uiAccess="false"></ms_asmv2:requestedExecutionLevel>
            </ms_asmv2:requestedPrivileges>
        </ms_asmv2:security>
    </ms_asmv2:trustInfo>
</assembly>

There is no error if I sign before embedding the manifest, but that can't work as any file needs re-signing after changes.

I also tried following steps:

  1. sign setup.exe
  2. embed manifests
  3. resign setup.exe (same error during this step as above)

Does anyone have a solution/workaround for this problem?

clickonce
signing
bootstrapper
signtool
mt
asked on Stack Overflow Feb 21, 2013 by Riken • edited Sep 23, 2014 by Stein Åsmul

2 Answers

1

I can't find a source to cite, but I ran into a similar problem a while ago and you can't sign a setup.exe that has been previously signed. You can generate your bootstrapper from scratch (see MSDN), apply your manifest and then sign it (for the first time!) and it should work.

answered on Stack Overflow Nov 8, 2013 by dee-see
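
A pre-build check for the condition the answer above describes, as an added example that is not part of the original answer: it reads the certificate-table data directory (index 4) in the PE header to tell whether setup.exe already carries an Authenticode signature before mt.exe modifies it. The function names and the sample header bytes are constructed for illustration.

```python
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: attribute certificate table

def authenticode_dir(pe: bytes):
    """Return (file_offset, size) of the certificate table, or None if absent."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 24  # 4-byte PE signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:    # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:  # PE32+
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic")
    (count,) = struct.unpack_from("<I", pe, count_off)
    if count <= SECURITY_DIR_INDEX:
        return None
    offset, size = struct.unpack_from("<II", pe, dirs_off + 8 * SECURITY_DIR_INDEX)
    return (offset, size) if offset and size else None

def safe_to_embed_manifest(pe: bytes) -> bool:
    """True when no signature is present, so mt.exe then signtool is a first-time sign."""
    return authenticode_dir(pe) is None

def sample_pe32(cert_offset=0, cert_size=0) -> bytes:
    """Constructed minimal PE32 header holding only the fields the parser reads."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew points right after the DOS header
    opt = bytearray(96 + 16 * 8)              # PE32 optional header + 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX, cert_offset, cert_size)
    return bytes(dos) + b"PE\0\0" + bytes(20) + bytes(opt)

if __name__ == "__main__":
    print(safe_to_embed_manifest(sample_pe32()))               # freshly generated, unsigned
    print(safe_to_embed_manifest(sample_pe32(0x1000, 0x1A8)))  # already signed
```

Run against the real setup.exe with `safe_to_embed_manifest(open(path, "rb").read())` before the mt step, and regenerate the bootstrapper when it returns False.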
0

Conclusion

Sometimes, an obfuscator tool produced an un-signable file, meaning the signtool was returning error 0x80070057 for anything I tried.

I've also noticed that the Version and Language properties are blank on the 'invalid' file. [Image: the first DLL is valid while the second one is not]

So, my conclusion is that it's an issue with the file itself and not with the sign tool or sign server.

How I got to this conclusion

I tried all the answers suggested:

I tried with multiple sign servers:

answered on Stack Overflow Jan 2, 2020 by itsho • edited Jun 20, 2020 by Community

User contributions licensed under CC BY-SA 3.0