I've just started developing for WM 6.5 on an HTC Touch2, and every time I
deploy for debugging, I get a warning about an unknown publisher.

My program is signed with a Comodo Code Signing certificate issued to my
company.

Is there a way to add to the trusted root authorities on a device, so the
device can recognize my signed code?  Pointers to documentation on this
greatly appreciated, as I haven't had any luck on google.

See http://support.microsoft.com/default.aspx/kb/915840 or
http://www.jacco2.dds.nl/networking/windowsmobile-certinstall.html for
details on how to install custom certificates.

If you want your application/cab files to install without prompts on
customer devices to my knowledge the only practical way is to purchase a
Mobile2Market code signature
(http://www.verisign.com/code-signing/content-signing-accounts/microso...).
Or release your software via the new Windows Mobile marketplace...

If this is just your development device, you may like to use the Device
Security Manager utility (found in VS2008's Tools menu) to alter your
device's security policy to one which does not prompt for unsigned code.
Documentation is at http://msdn.microsoft.com/en-us/library/bb384149.aspx

1.  Export the root certificate from certificate manager on your PC that
corresponds to your authenticode signature
2.  Copy the certificate to your device, which should be installed
automatically.

The problem was that I was seeing a message that "this program depends on a
component from an unknown publisher".  Eventually I figured out that that
means that the debug MFC DLLs aren't signed.  A release build just works.
It also implies that I need to sign my DLL's as well as exes.

When I do sign my code, I timestamp it and countersign.

Does anyone know how loader works when the original certificate expires?
On a PC there still is no warning, but on this device, I'm not so sure.

Also, it seems that the device somehow remembers that I allowed the code
once, and then doesn't complain again. Any idea how that's achieved?