MSIX - The MSIX Packaging Tool - signing the MSIX package
Published Mar 08 2019 02:06 PM
Microsoft

First published on MSDN on Sep 06, 2018
So, as we noticed, a certificate is needed to sign the MSIX package.

Especially for those with a history in packaging, signing an AppX/MSIX package could well be the first time you're ever faced with this requirement. So…

Why should we sign packages?

Signing code or binaries is common practice nowadays. Starting with executables, drivers and scripts, code signing ensures the source and integrity of the given code and its alignment with release processes. With the Microsoft Store this was introduced into Windows as a requirement to deploy AppX successfully.

Besides its use in production environments, there are ways to bypass this requirement during package creation and testing.

We have 2.5 options:

    • Set up a CA in our test environment and request a code signing certificate. All MSIX packages signed with this certificate can be installed on all computers in our environment (since they trust that CA). How to configure the PKI for code signing certificates:

      https://blogs.technet.microsoft.com/deploymentguys/2013/06/14/signing-windows-8-applications-using-...

      Since we have no test environment set up whatsoever, that would be the 0.5 option.

    • Request a Code Signing certificate from a 3rd party, for example from Digicert.

    • Create a self-signed certificate.

        • Export the certificate from the certificate store, sign your packages with it, and place the certificate in the trusted root of the machine on which you're going to install the MSIX package.
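The self-signed option end to end, as an added PowerShell example that is not part of the original post. The package name, publisher string, file paths, SDK path and PFX password are assumptions; the certificate Subject must equal the Publisher in the package manifest, which the script reads and re-checks after signing.

```powershell
# Added example: test-signing an MSIX with a self-signed certificate and trusting it on
# a target machine. Package name, publisher string, paths and password are assumptions.
$package = '.\MyApp.msix'

# 1. The certificate Subject must match the Publisher attribute of <Identity> in
#    AppxManifest.xml exactly, or installation fails. Read it from the package (an MSIX
#    is a zip container; Expand-Archive wants a .zip extension).
Copy-Item $package '.\MyApp.zip' -Force
Expand-Archive '.\MyApp.zip' -DestinationPath '.\MyApp_unpacked' -Force
[xml]$manifest = Get-Content '.\MyApp_unpacked\AppxManifest.xml'
$publisher = $manifest.Package.Identity.Publisher      # e.g. 'CN=Contoso Packaging'

# 2. Create the certificate: EKU 1.3.6.1.5.5.7.3.3 = code signing, empty basic
#    constraints = not a CA, so the key cannot be used to issue further certificates.
$cert = New-SelfSignedCertificate -Type Custom -Subject $publisher `
    -KeyUsage DigitalSignature -FriendlyName 'MSIX test signing' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3', '2.5.29.19={text}')

# 3. Export the private key (PFX, stays on the signing machine) and the public
#    certificate (CER, what target machines receive).
$pfxPassword = ConvertTo-SecureString 'ChangeMe-TestOnly' -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath '.\MsixTestSign.pfx' -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath '.\MsixTestSign.cer' | Out-Null

# 4. Sign the package. /fd SHA256 is required for MSIX; the SDK path is an assumption.
$signtool = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe'
& $signtool sign /fd SHA256 /f '.\MsixTestSign.pfx' /p 'ChangeMe-TestOnly' $package

# 5. Check that a signature is present and the signer matches the manifest publisher
#    before the package goes anywhere.
$sig = Get-AuthenticodeSignature $package
if ($null -eq $sig.SignerCertificate -or $sig.SignerCertificate.Subject -ne $publisher) {
    throw "Signer '$($sig.SignerCertificate.Subject)' does not match Publisher '$publisher'"
}

# 6. On the target machine (elevated): trust the public certificate, then install.
#    The post places it in Trusted Root; Trusted People is the narrower store that is
#    sufficient for sideloading and does not make this test key a root for every
#    certificate chain built on that machine.
Import-Certificate -FilePath '.\MsixTestSign.cer' -CertStoreLocation 'Cert:\LocalMachine\TrustedPeople' | Out-Null
Add-AppxPackage -Path $package
```

Step 6 is the only part that runs on the installing machine; everything before it belongs on the build machine, and the PFX should never leave it.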



What to do when

Focusing on AppX/MSIX, there are four major scenarios, each with different possibilities:

    • Packaging: During packaging, code signing can be bypassed via Developer Mode in Windows 10.

      https://docs.microsoft.com/en-us/windows/uwp/get-started/enable-your-device-for-development

    • Testing: Developer Mode will not help during package testing. The best approach is to test-sign the package internally with your own PKI infrastructure or a self-signed certificate.

    • Private Deployment: Private deployment means deployment only on company-owned and managed devices. In this case code signing using your PKI infrastructure is perfectly fine and the most stable implementation.

    • Public Deployment: A public deployment of an AppX/MSIX package most likely means uploading it to the Microsoft Store. You only need to create a developer account for your company once, which will give you access to the required upload area. During the final package checks the package will automatically get signed, and all Windows 10 clients will trust the resulting package.



Ingmar Oosterhoff, Johannes Freundorfer and Matthias Herfurth

Last update: Feb 20 2020 10:27 AM