Feedback regarding Certificate store and MSIX package installation.

%3CLINGO-SUB%20id%3D%22lingo-sub-1827991%22%20slang%3D%22en-US%22%3EFeedback%20regarding%20Certificate%20store%20and%20MSIX%20package%20installation.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1827991%22%20slang%3D%22en-US%22%3E%3CP%3ESince%20all%20MSIX%20packages%20are%20installed%20on%20a%20per-user%20basis%2C%20why%20can't%20the%20certificate%20be%20installed%20into%20the%20user%20store%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESure%2C%20we%20can%20learn%20to%20install%20them%20into%20the%20system%20store%2C%20but%20it%20seems%20wrong.%26nbsp%3B%20AppInstaller%20should%20support%20both%20locations.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1834286%22%20slang%3D%22en-US%22%3ERe%3A%20Feedback%20regarding%20Certificate%20store%20and%20MSIX%20package%20installation.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1834286%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F146612%22%20target%3D%22_blank%22%3E%40TIMOTHY%20MANGAN%3C%2FA%3E%26nbsp%3BThe%20goal%20is%20not%20not%20allow%20random%20trust%20to%20be%20added%20and%20mitigate%20untrusted%20apps%20being%20installed%20on%20the%20device.%26nbsp%3B%20To%20add%20new%20roots%20of%20trust%20the%20user%20needs%20be%20administrator.%26nbsp%3B%20There%20is%20a%20significant%20amount%20of%20trusted%20Certificate%20Authorities%20already%20present%20in%20Windows%2C%20most%20untrusted%20certs%20are%20either%20self%20signed%20(which%20is%20almost%20like%20unsigned%20since%20there%20is%20no%20root%20verification)%20or%20enterprise%20roots.%26nbsp%3B%20Most%20enterprises%20tend%20to%20manage%20the%20cert%20deployment%20via%20tools%20or%20image%20management.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EJohn%20Vintzel%20(%40jvintzel)%3C%2FP%3E%0A%3CP%3EPM%20Lead%2C%20MSIX%3C%2FP%3E%3C%2FLINGO-BODY%3E
MVP

Since all MSIX packages are installed on a per-user basis, why can't the certificate be installed into the user store?  

 

Sure, we can learn to install them into the system store, but it seems wrong.  AppInstaller should support both locations.

1 Reply

@TIMOTHY MANGAN The goal is not not allow random trust to be added and mitigate untrusted apps being installed on the device.  To add new roots of trust the user needs be administrator.  There is a significant amount of trusted Certificate Authorities already present in Windows, most untrusted certs are either self signed (which is almost like unsigned since there is no root verification) or enterprise roots.  Most enterprises tend to manage the cert deployment via tools or image management.

 

John Vintzel (@jvintzel)

PM Lead, MSIX