Improvements for enterprises signing MSIX packages (Insider Preview)
Published Jul 30 2019 10:41 AM
Microsoft

MSIX requires packages to be signed in order to be deployed. This lets us offer integrity for the package being deployed and ensures that the contents being deployed are what the developer or IT Pro packaged. While this is great, some customers found it problematic to acquire certificates within their enterprise. We heard that from our customers loud and clear! An upcoming Windows release will improve the tooling to enable signing of MSIX packages from your Azure Active Directory tenant.

How does it work?

Starting with the Windows Insider SDK 18945 we will have changes and additions to signtool.exe. These changes will allow signtool to interact with Device Guard Signing to remotely sign packages specific to your Azure AD tenant. A user can be granted signing permissions, authenticate with their Azure AD identity, and then sign their packages.

How do I enable this?

To sign packages there are a few steps required to set up your Azure AD users and environment; it's a one-time setup. You will also need an updated SDK (version 18945 or later) for signtool and some additional files to interact with the signing service.

To deploy packages you will need to deploy an intermediate certificate to your devices so they will trust the apps being signed. You download this certificate from the Microsoft Store for Business portal. You can easily deploy this certificate to your devices' root store with System Center Configuration Manager, Microsoft Intune, via scripting, or with most management products. The certificate is specific to your Azure AD tenant, so it won't enable other enterprises' apps to be deployed. If your users are working across multiple Azure AD environments, add the certificate for each tenant to enable those apps to install.
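As an added example (not from this post or from Microsoft's documentation), the following PowerShell script deploys the downloaded tenant certificate to a device's root store and then checks that a given MSIX really chains to that certificate rather than to any trusted signer. The certificate path, package path and expected tenant CN are parameters you supply; treating the signer's Subject CN as the tenant name is an assumption taken from the comments below, and the script assumes an elevated session.

```powershell
# Added example, not code from the post. Assumptions:
#  - $TenantCertPath: the tenant certificate (.cer) downloaded from the
#    Microsoft Store for Business portal, as the post describes
#  - $PackagePath: an MSIX signed through Device Guard Signing
#  - $ExpectedCN: the tenant name expected in the signer's Subject CN
#    (a commenter below reports that the CN equals the tenant name)
param(
    [Parameter(Mandatory)] [string] $TenantCertPath,
    [Parameter(Mandatory)] [string] $PackagePath,
    [Parameter(Mandatory)] [string] $ExpectedCN
)

# 1. Deploy the tenant certificate to the machine's trusted root store so
#    packages signed for this tenant will install (requires elevation).
$tenantCert = Import-Certificate -FilePath $TenantCertPath `
    -CertStoreLocation Cert:\LocalMachine\Root
Write-Host "Imported tenant certificate, thumbprint $($tenantCert.Thumbprint)"

# 2. Read the package signature. Get-AuthenticodeSignature reads MSIX files
#    through the Appx SIP (appxsip.dll), the same component signtool needs.
$sig = Get-AuthenticodeSignature -FilePath $PackagePath
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}

# 3. Confirm the signer's CN is the expected tenant, not merely any trusted CN.
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$cn = $sig.SignerCertificate.GetNameInfo($nameType, $false)
if ($cn -ne $ExpectedCN) {
    throw "Signer CN '$cn' does not match expected tenant '$ExpectedCN'"
}

# 4. Confirm the chain includes the tenant certificate just deployed, so a
#    package signed for a different tenant is rejected even if it validates.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; adjust for production
[void]$chain.Build($sig.SignerCertificate)
$thumbprints = $chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }
if ($thumbprints -notcontains $tenantCert.Thumbprint) {
    throw "Package chain does not include the tenant certificate $($tenantCert.Thumbprint)"
}
Write-Host "OK: $PackagePath is signed for tenant '$ExpectedCN'"
```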

Full setup instructions here: https://docs.microsoft.com/en-us/windows/msix/package/signing-package-device-guard-signing

Windows Insider SDK (need to register as an insider if you are not already): https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewSDK

Just curious about it? Check out a demo here: https://twitter.com/jvintzel/status/1151636054232850432

Let us know your feedback.

John Vintzel (@jvintzel)

PM Lead, MSIX

4 Comments
Copper Contributor

Looks like a great option. I've been testing this but no luck so far, installed the latest version of the SDK (10.0.18985.0). Signtool keeps throwing this error:
SignTool Error: This file format cannot be signed because it is not recognized.

Any idea why?

Microsoft

Are you able to share the file and message me a link to look into it?

Copper Contributor

Hi John, I've sent you a PM with a link to OneDrive.

Copper Contributor

There was something missing from my SDK installation (appxsip.dll), I reinstalled the SDK with most components enabled and now I'm able to sign the MSIX package. Also learned 2 other things during my journey getting DGS running:

- Getting the Azure AD Access Token with the PowerShell script doesn't work when your account has Azure MFA enabled. In the latest version (October 2019) of the MSIX Packaging Tool this does work, so that's nice!

- Filled in the wrong CN in the Certificate, the CN is the same as the Tenant Name. This was not very clear to me in the article. In the latest version of the MSIX Signing Tool it automatically fills in the CN, so that's also a very nice feature of the latest version!

Version history: last updated Mar 02 2022 05:08 PM