MSIX - The MSIX Packaging Tool - signing the MSIX package
Published Mar 08 2019 02:06 PM
Microsoft

First published on MSDN on Sep 06, 2018
So, as we noticed, a certificate is needed to sign the MSIX package.

Especially for those with a history in packaging, signing an AppX/MSIX package could be the first time you're ever faced with this requirement. So…

Why should we sign packages?

Signing code or binaries is common practice nowadays. For executables, drivers and scripts, code signing ensures the source and integrity of the given code and its alignment with release processes. With the Microsoft Store, signing was introduced into Windows as a requirement to deploy AppX successfully.

Apart from use in production environments, there are ways to bypass this requirement during package creation and testing.

We have 2.5 options:

    • Set up a CA in our test environment and request a code signing certificate. All MSIX packages signed with this certificate can be installed on all computers in our environment (since they trust that CA).

      How to configure the PKI for code signing certificates:
      https://blogs.technet.microsoft.com/deploymentguys/2013/06/14/signing-windows-8-applications-using-...

      Since we have no test environment set up whatsoever, that would be the 0.5 option.

    • Request a code signing certificate from a 3rd party, for example DigiCert.

    • Create a self-signed certificate.

    • Export the certificate from the certificate store, sign your packages with the certificate, and place the certificate in the trusted root of the machine on which you’re going to install the MSIX package.
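
The self-signed option from the list above, as an added PowerShell example that is not part of the original article. The publisher name, file paths and validity period are assumed values, and signtool.exe from the Windows 10 SDK is assumed to be on the PATH.

```powershell
# Added example: test-signing an MSIX with a self-signed certificate.
# Assumed values, not from the article: publisher, paths, validity period.
$publisher = 'CN=Contoso Test Publisher'   # must equal Identity Publisher in AppxManifest.xml
$package   = 'C:\Packages\MyApp.msix'
$pfxPath   = 'C:\Certs\msix-test.pfx'
$cerPath   = 'C:\Certs\msix-test.cer'

# 1. Create an end-entity certificate restricted to code signing (EKU 1.3.6.1.5.5.7.3.3),
#    valid only for a short test period.
$cert = New-SelfSignedCertificate -Type Custom -Subject $publisher `
    -KeyUsage DigitalSignature -FriendlyName 'MSIX test signing' `
    -NotAfter (Get-Date).AddMonths(3) -CertStoreLocation 'Cert:\CurrentUser\My' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3', '2.5.29.19={text}')

# 2. Export from the certificate store.
#    PFX = certificate plus private key: stays with the packager.
#    CER = public certificate only: the only file that goes to test machines.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the PFX file'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# 3. Sign the package. Selecting the certificate from the store by thumbprint
#    keeps the PFX password off the command line.
& signtool.exe sign /fd SHA256 /sha1 $cert.Thumbprint $package
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

# 4. On the test machine, in an elevated session: trust the public certificate.
#    The article places it in the machine's trusted root store.
$imported = Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root'

# 5. After testing: remove the trust again so the test certificate does not
#    stay behind as a root on the machine.
Remove-Item -Path "Cert:\LocalMachine\Root\$($imported.Thumbprint)"
```

Steps 1 to 3 run on the packaging machine; steps 4 and 5 run on the machine where the package is installed, which only ever needs the .cer file.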



What to do when

Focusing on AppX/MSIX there are four major scenarios present with different possibilities:

    • Packaging



During packaging, code signing can be bypassed via Developer Mode in Windows 10.

https://docs.microsoft.com/en-us/windows/uwp/get-started/enable-your-device-for-development

    • Testing



Developer Mode will not help during package testing. The best approach is to test-sign the package internally with your own PKI infrastructure or a self-signed certificate.

    • Private Deployment



Private deployment means deployment only on company-owned and managed devices. In this case, code signing using your PKI infrastructure is perfectly fine and the most stable implementation.

    • Public Deployment



A public deployment of an AppX/MSIX package most likely means uploading it to the Microsoft Store. You need to create a developer account for your company only once, which will give you access to the required upload area. During the final package checks, the package will automatically get signed, and all Windows 10 clients will trust the resulting package.



Ingmar Oosterhoff, Johannes Freundorfer and Matthias Herfurth

5 Comments
Copper Contributor

Hi... thank you for this post :)
What I'm missing is an option how to sign an MSIX package via a USB token (e.g. GlobalSign). Normally I use the Signtool and the Common Name of my Extended Validation Certificate and everything works automagically. But how can I do this with the MSIX Packaging Tool?
Thanks...
  Achim

Copper Contributor

I'm having the same issue as @ahzf2305. I can't find any docs on how to EV code sign an MSIX package.

Copper Contributor

Correction, I got it working.  Had a "moment of clarity" shortly after posting my last message.  

Ran through these rough steps

  1. Install SafeNet Client - https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000zFLx
  2. Install Windows 10 SDK - https://developer.microsoft.com/en-US/windows/downloads/windows-10-sdk
    1. Select all options
  3. SafeNet will launch to system tray, plug in usb key and enter password
  4. Package application using criteria here
    1. Generate initial package without signing.
    2. MSIX app manifest publisher name must exactly match the entire subject section of the certificate.
    3. MSIX app manifest Publisher display must match the subject display name.
  5. Open cmd prompt to “C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\”
    1. Build number must change based on packaging PC.
  6. Enter signtool sign /tr %vendorspecifictime% /td sha256 /fd sha256 /a %changetolocationoffiletobesigned%
    1. Errors can be diagnosed via Event Viewer (Local) > Applications and Services Logs > Microsoft > Windows > AppxPackagingOM > Microsoft-Windows-AppxPackaging/Operational
    2. SafeNet will popup, enter password for key.  DO NOT BULK ATTEMPT THE PASSWORD!!!!!!!!!!!!
  7. To verify code sign, right click on file, properties and change to digital signatures.  Look for file to be signed by your business.
  8. To manually install, computer must be set to sideload, until published to Microsoft Store.
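
The publisher-name rule from step 4 of the comment above can be checked before signing. This is an added PowerShell example, not code from the comment or from Microsoft; the function names and sample paths are hypothetical, and it relies on an MSIX file being a ZIP container with AppxManifest.xml at its root. The comparison uses .NET's rendering of the certificate subject.

```powershell
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Hypothetical helper: read the Identity Publisher attribute from the manifest
# inside an MSIX package.
function Get-MsixPublisher {
    param([Parameter(Mandatory)][string]$PackagePath)
    $zip = [System.IO.Compression.ZipFile]::OpenRead((Convert-Path -LiteralPath $PackagePath))
    try {
        $entry = $zip.GetEntry('AppxManifest.xml')
        if ($null -eq $entry) { throw "AppxManifest.xml not found in $PackagePath" }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { $manifest = [xml]$reader.ReadToEnd() } finally { $reader.Dispose() }
        return $manifest.Package.Identity.Publisher
    }
    finally { $zip.Dispose() }
}

# Hypothetical helper: compare manifest publisher and certificate subject
# character for character (ordinal, case-sensitive).
function Test-MsixPublisherMatch {
    param(
        [Parameter(Mandatory)][string]$PackagePath,
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $publisher = Get-MsixPublisher -PackagePath $PackagePath
    [pscustomobject]@{
        ManifestPublisher  = $publisher
        CertificateSubject = $Certificate.Subject
        Match              = [string]::Equals($publisher, $Certificate.Subject,
                                 [System.StringComparison]::Ordinal)
    }
}

# Usage with assumed sample values: the unsigned package and the public .cer
# file of the signing certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    'C:\Certs\codesign.cer')
$result = Test-MsixPublisherMatch -PackagePath 'C:\Packages\MyApp.msix' -Certificate $cert
$result | Format-List
if (-not $result.Match) {
    Write-Warning 'Publisher and certificate subject differ; compare both strings before signing.'
}
```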
Copper Contributor

I'm really lost here. I've been using the MSIX tool for 2 days, repeatedly uploading to the store only to see my app installs fine then crashes at the start. There is a little tick box in MSIX that says 'specify your own certificate to sign with'. I thought the MSIX tool did all that for me (that's why I was typing in my publisher id/details etc), or am I wrong? Am I REQUIRED to have a certificate in order to put it on the store? So why the 'option'?

 

If this is the case, why isn't that made clear and why doesn't it fail to install/validate? Why do I have to waste an hour of my time with each upload etc before getting the bad news as a crash only once I've gone through all the trouble?

 

And, if this isn't the case then why does my app crash on the app store at start when it runs perfectly well in any other desktop environment? (Desktop/Steam/Testing)

Copper Contributor

@Grimmy The MSIX package gets signed automatically in certification when you upload it to the Microsoft Store. You only need to sign the package if you want to test it before you publish it. I'm also having the same issue as you, my app installs just fine from the store, but crashes when opened. It was not doing this on previous packages and the only thing I did different was remove the uninstall.exe that it was picking up in MSIX tool. I will let you know if I solve my problem and maybe it will help you solve yours.

Last update: Feb 20 2020 10:27 AM