Blog Post

Core Infrastructure and Security Blog
2 MIN READ

MSIX - The MSIX Packaging Tool - signing the MSIX package

SGERN's avatar
SGERN
Icon for Microsoft rankMicrosoft
Mar 08, 2019
First published on MSDN on Sep 06, 2018 So, as we noticed a certificate is needed to sign the MSIX package. Especially for those with a history in packaging, signing an AppX/MSIX-package coul...
Updated Feb 20, 2020
Version 3.0
IngmarOosterhoff
JohannesFreundorfer
MAD
MatthiasHerfurth
jgudmundson_RETSD's avatar
jgudmundson_RETSD
Copper Contributor
Aug 22, 2019

Correction, I got it working.  Had a "moment of clarity" shortly after posting my last message.  

Ran through these rough steps

  1. Install SafeNet Client - https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000zFLx
  2. Install Windows 10 SDK - https://developer.microsoft.com/en-US/windows/downloads/windows-10-sdk
    1. Select all options
  3. SafeNet will launch to system tray, plug in usb key and enter password
  4. Package application using criteria here
    1. Generate initial package without signing.
    2. MSIX app manifest publisher name must exactly match the entire subject section of the certificate.
    3. MSIX app manifest Publisher display must match the subject display name.
  5. Open cmd prompt to “C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\”
    1. Build number must change based of packaging pc.
  6. Enter signtool sign /tr %vendorspecifictime% /td sha256 /fd sha256 /a %changetolocationoffiletobesigned%
    1. Errors can be diagnosed via Event Viewer (Local) > Applications and Services Logs > Microsoft > Windows > AppxPackagingOM > Microsoft-Windows-AppxPackaging/Operational
    2. SafeNet will popup, enter password for key.  DO NOT BULK ATTEMPT THE PASSWORD!!!!!!!!!!!!
  7. To verify code sign, right click on file, properties and change to digital signatures.  Look for file to be signed by your business.
  8. To manually install computer must be set to sideload, until published to microsoft store.