Forum Discussion
Why is it impossible to sign a .exe that is included in an msix?
It sounds like what you’re running into is a common scenario with MSIX packaging. MSIX is designed to guarantee integrity at the package level, not necessarily at the individual file level inside the package. When you sign the MSIX bundle, it effectively ensures that none of the contents (including your .exe) are tampered with after distribution.
Because of this, Visual Studio and the MSIX tooling generally don’t provide a built-in way to sign individual files inside the package—the signature on the MSIX bundle itself covers all the included files. Trying to sign the internal .exe separately often gets ignored or overwritten during packaging.
So it’s not really pointless; the package signature is meant to protect the contents after installation. If you need additional file-level signatures, you’d likely have to sign the .exe after installation, which is unusual and not typically necessary for standard MSIX deployment.
In short: MSIX prioritizes package integrity over individual file signing, which is why Visual Studio behaves this way.
Now I get why. I have since learned that after deployment the MSIX installed contents are read-only. Since they cannot be altered or infected, there is no need to sign any contents. So just signing the package distribution is all that is necessary.
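An added illustration of the answer above (not part of the original thread, and not Microsoft's tooling): an MSIX package is a ZIP archive whose `AppxBlockMap.xml` records a SHA-256 hash for every 64 KB block of each payload file, and the package signature (`AppxSignature.p7x`) covers that block map, which is how one signature protects the inner .exe. The Python below checks files against the block map on a constructed in-memory package; the file names and contents are made up, and it does not validate the signature itself.

```python
import base64, hashlib, io, zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/appx/2010/blockmap}"
BLOCK = 64 * 1024  # block map hashes cover 64 KiB blocks of uncompressed data

def block_hashes(data):
    """Base64 SHA-256 of each 64 KiB block, the form stored in Block/@Hash."""
    return [base64.b64encode(hashlib.sha256(data[i:i + BLOCK]).digest()).decode()
            for i in range(0, len(data), BLOCK)]

def verify_package(pkg_bytes):
    """Return names of files that no longer match AppxBlockMap.xml.
    Simplification: entry names that need escaping in the ZIP are not handled."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(pkg_bytes)) as z:
        root = ET.fromstring(z.read("AppxBlockMap.xml"))
        for f in root.iter(NS + "File"):
            name = f.get("Name")  # block map uses backslash separators
            expected = [b.get("Hash") for b in f.iter(NS + "Block")]
            try:
                data = z.read(name.replace("\\", "/"))
            except KeyError:
                bad.append(name)  # listed in the block map but missing
                continue
            if len(data) != int(f.get("Size")) or block_hashes(data) != expected:
                bad.append(name)
    return bad

def build_sample(files, swap=None):
    """Constructed test package: the block map is computed from `files`,
    then `swap` replaces file content without updating the block map."""
    entries = "".join(
        '<File Name="%s" Size="%d">%s</File>' % (
            name, len(data),
            "".join('<Block Hash="%s"/>' % h for h in block_hashes(data)))
        for name, data in files.items())
    xml = ('<BlockMap xmlns="http://schemas.microsoft.com/appx/2010/blockmap" '
           'HashMethod="http://www.w3.org/2001/04/xmlenc#sha256">%s</BlockMap>'
           % entries)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in {**files, **(swap or {})}.items():
            z.writestr(name.replace("\\", "/"), data)
        z.writestr("AppxBlockMap.xml", xml)
    return buf.getvalue()

FILES = {"App\\MyApp.exe": b"MZ" + bytes(70000), "Assets\\logo.png": b"constructed"}
TAMPER = {"App\\MyApp.exe": b"MZ" + bytes(69999) + b"\x01"}  # same size, one byte changed
if __name__ == "__main__":
    print(verify_package(build_sample(FILES)), verify_package(build_sample(FILES, TAMPER)))
```

On a real package, check the signature first with `signtool verify` or `Get-AuthenticodeSignature`, and parse the block map with a hardened XML parser such as `defusedxml` if the package is untrusted.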